Prepare release v2.2.0

Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>

.dockerignore

@@ -1,3 +1,5 @@
 dist/
 !dist/traefik
 site/
+vendor/
+.idea/

.github/ISSUE_TEMPLATE.md

@@ -1,26 +1,31 @@
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
+
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
 The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, please refer to one of the following:
 
-- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://slack.traefik.io
+- the Traefik community forum: https://community.containo.us/
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
+Bug
 
 <!--
-If you intend to ask a support question: DO NOT FILE AN ISSUE.
+
+The configurations between 1.X and 2.X are NOT compatible.
+Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+
 -->
 
 ### What did you do?
 
 <!--
 
-HOW TO WRITE A GOOD ISSUE?
+HOW TO WRITE A GOOD BUG REPORT?
 
 - Respect the issue template as much as possible.
 - The title should be short and descriptive.
@@ -42,13 +47,12 @@ HOW TO WRITE A GOOD ISSUE?
 ### Output of `traefik version`: (_What version of Traefik are you using?_)
 
 <!--
+`latest` is not considered as a valid version.
+
 For the Traefik Docker image:
     docker run [IMAGE] version
     ex: docker run traefik version
 
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
 -->
 
 ```
@@ -60,12 +64,13 @@ For the alpine Traefik Docker image:
 ```toml
 # (paste your configuration here)
 ```
+
 <!--
 Add more configuration information here.
 -->
 
 
-### If applicable, please paste the log output at DEBUG level (`--logLevel=DEBUG` switch)
+### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
 
 ```
 (paste your output here)

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -3,6 +3,9 @@ name: Bug report
 about: Create a report to help us improve
 
 ---
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
 
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
@@ -10,16 +13,19 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, please refer to one of the following:
 
-- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://slack.traefik.io
+- the Traefik community forum: https://community.containo.us/
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
 Bug
 
+<!--
+
+The configurations between 1.X and 2.X are NOT compatible.
+Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+
+-->
+
 ### What did you do?
 
 <!--
@@ -46,13 +52,12 @@ HOW TO WRITE A GOOD BUG REPORT?
 ### Output of `traefik version`: (_What version of Traefik are you using?_)
 
 <!--
+`latest` is not considered as a valid version.
+
 For the Traefik Docker image:
     docker run [IMAGE] version
     ex: docker run traefik version
 
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
 -->
 
 ```
@@ -70,7 +75,7 @@ Add more configuration information here.
 -->
 
 
-### If applicable, please paste the log output in DEBUG level (`--logLevel=DEBUG` switch)
+### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
 
 ```
 (paste your output here)

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -3,6 +3,9 @@ name: Feature request
 about: Suggest an idea for this project
 
 ---
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
 
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
@@ -10,14 +13,10 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, please refer to one of the following:
 
-- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
-- the Traefik community Slack channel: https://slack.traefik.io
+- the Traefik community forum: https://community.containo.us/
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
 Feature
 
 ### What did you expect to see?

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,18 +1,19 @@
 <!--
 PLEASE READ THIS MESSAGE.
 
-HOW TO WRITE A GOOD PULL REQUEST?
+Documentation fixes or enhancements:
+- for Traefik v1: use branch v1.7
+- for Traefik v2: use branch v2.2
 
-- Make it small.
-- Do only one thing.
-- Avoid re-formatting.
-- Make sure the code builds.
-- Make sure all tests pass.
-- Add tests.
-- Write useful descriptions and titles.
-- Address review comments in terms of additional commits.
-- Do not amend/squash existing ones unless the PR is trivial.
-- Read the contributing guide: https://github.com/containous/traefik/blob/master/CONTRIBUTING.md.
+Bug fixes:
+- for Traefik v1: use branch v1.7
+- for Traefik v2: use branch v2.2
+
+Enhancements:
+- for Traefik v1: we only accept bug fixes
+- for Traefik v2: use branch master
+
+HOW TO WRITE A GOOD PULL REQUEST? https://docs.traefik.io/contributing/submitting-pull-requests/
 
 -->
 

.gitignore

@@ -11,6 +11,8 @@
 /autogen/
 /traefik
 /traefik.toml
+/traefik.yml
 *.log
 *.exe
 cover.out
+vendor/

.golangci.toml

@@ -1,7 +1,8 @@
 [run]
-  deadline = "10m"
-  skip-files = [
-    "^old/.*",
+  timeout = "10m"
+  skip-files = []
+  skip-dirs = [
+    "pkg/provider/kubernetes/crd/generated/",
   ]
 
 [linters-settings]
@@ -25,6 +26,10 @@
   [linters-settings.misspell]
     locale = "US"
 
+  [linters-settings.funlen]
+    lines = 230 # default 60
+    statements = 120 # default 40
+
 [linters]
   enable-all = true
   disable = [
@@ -38,6 +43,12 @@
     "scopelint",
     "gochecknoinits",
     "gochecknoglobals",
+    "godox",
+    "gocognit",
+    "bodyclose", # Too many false-positive and panics.
+    "wsl", # Too strict
+    "gomnd", # Too strict
+    "stylecheck", # skip because report issues related to some generated files.
   ]
 
 [issues]
@@ -50,14 +61,8 @@
     "should have a package comment, unless it's in another file for this package",
   ]
  [[issues.exclude-rules]]
-    path = ".+_test.go"
-    linters = ["goconst"]
- [[issues.exclude-rules]]
-    path = "provider/label/internal/.+_test.go"
-    text = "U1000: field `(foo|fuu)` is unused"
- [[issues.exclude-rules]]
-    path = "middlewares/recovery/recovery.go"
-    text = "`logger` can be `github.com/containous/traefik/vendor/github.com/stretchr/testify/assert.TestingT`"
+    path = "(.+)_test.go"
+    linters = ["goconst", "funlen"]
  [[issues.exclude-rules]]
     path = "integration/.+_test.go"
     text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
@@ -68,23 +73,35 @@
     path = "integration/grpc_test.go"
     text = "Error return value of `closer` is not checked"
  [[issues.exclude-rules]]
-    path = "provider/kubernetes/builder_(endpoint|service)_test.go"
+    path = "pkg/h2c/h2c.go"
+    text = "Error return value of `rw.Write` is not checked"
+ [[issues.exclude-rules]]
+    path = "pkg/middlewares/recovery/recovery.go"
+    text = "`logger` can be `github.com/stretchr/testify/assert.TestingT`"
+ [[issues.exclude-rules]]
+    path = "pkg/provider/docker/builder_test.go"
     text = "(U1000: func )?`(.+)` is unused"
  [[issues.exclude-rules]]
-    path = "provider/docker/builder_test.go"
+    path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
     text = "(U1000: func )?`(.+)` is unused"
+ [[issues.exclude-rules]]
+    path = "pkg/config/parser/.+_test.go"
+    text = "U1000: field `(foo|fuu)` is unused"
+ [[issues.exclude-rules]]
+    path = "pkg/server/service/bufferpool.go"
+    text = "SA6002: argument should be pointer-like to avoid allocations"
  [[issues.exclude-rules]]
     path = "cmd/configuration.go"
     text = "string `traefik` has (\\d) occurrences, make it a constant"
  [[issues.exclude-rules]]
-    path = "h2c/h2c.go"
-    text = "Error return value of `rw.Write` is not checked"
- [[issues.exclude-rules]]
-    path = "server/service/bufferpool.go"
-    text = "SA6002: argument should be pointer-like to avoid allocations"
- [[issues.exclude-rules]] # FIXME must be fixed
-    path = "acme/.+.go"
-    text = "(assignment copies lock value to domainsCerts|literal copies lock value from)"
+    path = "pkg/server/middleware/middlewares.go"
+    text = "Function 'buildConstructor' is too long \\(\\d+ > 230\\)"
  [[issues.exclude-rules]] # FIXME must be fixed
     path = "cmd/context.go"
     text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/haystack/logger.go"
+    linters = ["goprintffuncname"]
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/tracing.go"
+    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"

.goreleaser.yml

@@ -11,7 +11,7 @@ builds:
     env:
       - CGO_ENABLED=0
     ldflags:
-      - -s -w -X github.com/containous/traefik/pkg/version.Version={{.Version}} -X github.com/containous/traefik/pkg/version.Codename={{.Env.CODENAME}}  -X github.com/containous/traefik/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/containous/traefik/v2/pkg/version.Version={{.Version}} -X github.com/containous/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/containous/traefik/v2/pkg/version.BuildDate={{.Date}}
 
     goos:
       - linux
@@ -34,22 +34,27 @@ builds:
         goarch: 386
       - goos: openbsd
         goarch: arm
+      - goos: openbsd
+        goarch: arm64
       - goos: freebsd
-        goarch: arm
+        goarch: arm64
 
 changelog:
   skip: true
 
-archive:
-  name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm
-    }}v{{ .Arm }}{{ end }}'
-  format: tar.gz
-  format_overrides:
-    - goos: windows
-      format: zip
-  files:
-    - LICENSE.md
-    - CHANGELOG.md
+archives:
+  - id: traefik
+    name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+    format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - LICENSE.md
+      - CHANGELOG.md
+
+checksum:
+  name_template: "{{ .ProjectName }}_v{{ .Version }}_checksums.txt"
 
 release:
   disable: true

.semaphoreci/golang.sh

@@ -2,19 +2,19 @@
 
 set -e
 
-curl -O https://dl.google.com/go/go1.12.linux-amd64.tar.gz
+curl -O https://dl.google.com/go/go"${GO_VERSION}".linux-amd64.tar.gz
 
-tar -xvf go1.12.linux-amd64.tar.gz
-rm -rf go1.12.linux-amd64.tar.gz
+tar -xvf go"${GO_VERSION}".linux-amd64.tar.gz
+rm -rf go"${GO_VERSION}".linux-amd64.tar.gz
 
-sudo mkdir -p /usr/local/golang/1.12/go
-sudo mv go /usr/local/golang/1.12/
+sudo mkdir -p /usr/local/golang/"${GO_VERSION}"/go
+sudo mv go /usr/local/golang/"${GO_VERSION}"/
 
 sudo rm /usr/local/bin/go
-sudo chmod +x /usr/local/golang/1.12/go/bin/go
-sudo ln -s /usr/local/golang/1.12/go/bin/go /usr/local/bin/go
+sudo chmod +x /usr/local/golang/"${GO_VERSION}"/go/bin/go
+sudo ln -s /usr/local/golang/"${GO_VERSION}"/go/bin/go /usr/local/bin/go
 
-export GOROOT="/usr/local/golang/1.12/go"
-export GOTOOLDIR="/usr/local/golang/1.12/go/pkg/tool/linux_amd64"
+export GOROOT="/usr/local/golang/${GO_VERSION}/go"
+export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"
 
 go version

.semaphoreci/job2.sh

@@ -5,4 +5,4 @@ ci_retry make validate
 
 if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
 
-if [ -n "$SHOULD_TEST" ]; then make -j${N_MAKE_JOBS} crossbinary-default-parallel; fi
+if [ -n "$SHOULD_TEST" ]; then make -j"${N_MAKE_JOBS}" crossbinary-default-parallel; fi

.semaphoreci/setup.sh

@@ -1,16 +1,35 @@
-#!/usr/bin/env bash
-set -e
-
-export DOCKER_VERSION=17.03.1
-
+# For personnal CI
+# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/containous/
+# cd /home/runner/workspace/src/github.com/containous/traefik/
+for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
+sudo swapoff -a
+sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
+sudo mkswap /swapfile
+sudo swapon /swapfile
+sudo rm -rf /home/runner/.rbenv
+sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
+#export DOCKER_VERSION=18.06.3
 source .semaphoreci/vars
-
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R); fi
-
+if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
+echo ${SHOULD_TEST}
 if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
+echo ${TEMP_STORAGE}
+echo ${SHOULD_TEST}
+#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
+#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
+if [ -n "$SHOULD_TEST" ]; then docker version; fi
+export GO_VERSION=1.13
+if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
+#if [ "${GO_VERSION}" == '1.14' ]; then export GO_VERSION=1.14rc2; fi
+echo "Selected Go version: ${GO_VERSION}"
 
-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then export GOROOT="/usr/local/golang/${GO_VERSION}/go"; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"; fi
+go version
 
-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
+if [ -f "./go.mod" ]; then export GO111MODULE=on; fi
+if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
+if [ -f "./go.mod" ]; then go mod download; fi
 
-if [ -n "$SHOULD_TEST" ]; then  docker version; fi
+df

.semaphoreci/vars

@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=faisselle
+export CODENAME=chevrotin
 
 export N_MAKE_JOBS=2
 
@@ -24,8 +24,8 @@ function ci_retry {
     until [ $n -ge $NRETRY ]
     do
         "$@" && break
-        n=$[$n+1]
-        echo "$@ failed, attempt ${n}/${NRETRY}"
+        n=$((n+1))
+        echo "${*} failed, attempt ${n}/${NRETRY}"
         sleep $NSLEEP
     done
 
@@ -34,4 +34,3 @@ function ci_retry {
 }
 
 export -f ci_retry
-

.travis.yml

@@ -9,9 +9,10 @@ services:
 
 env:
   global:
-    - REPO: $TRAVIS_REPO_SLUG
-    - VERSION: $TRAVIS_TAG
-    - CODENAME: faisselle
+    - REPO=$TRAVIS_REPO_SLUG
+    - VERSION=$TRAVIS_TAG
+    - CODENAME=chevrotin
+    - GO111MODULE=on
 
 script:
 - echo "Skipping tests... (Tests are executed on SemaphoreCI)"
@@ -24,11 +25,11 @@ before_deploy:
       sudo -E apt-get -yq update;
       sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
       docker version;
-      make image;
+      make build-image;
       if [ "$TRAVIS_TAG" ]; then
         make release-packages;
       fi;
-      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" v1.7.0
+      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
       structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
     fi
 
@@ -38,7 +39,6 @@ deploy:
     file: dist/traefik*
     skip_cleanup: true
     file_glob: true
-    draft: true
     on:
       repo: containous/traefik
       tags: true

CONTRIBUTING.md

@@ -1,3 +1,4 @@
 # Contributing
 
-See https://docs.traefik.io.
+- https://docs.traefik.io/contributing/submitting-pull-requests/
+- https://docs.traefik.io/contributing/submitting-issues/

Gopkg.toml

@@ -1,282 +0,0 @@
-# Gopkg.toml example
-#
-# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
-# for detailed Gopkg.toml documentation.
-#
-# required = ["github.com/user/thing/cmd/thing"]
-# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
-#
-# [[constraint]]
-#   name = "github.com/user/project"
-#   version = "1.0.0"
-#
-# [[constraint]]
-#   name = "github.com/user/project2"
-#   branch = "dev"
-#   source = "github.com/myfork/project2"
-#
-# [[override]]
-#  name = "github.com/x/y"
-#  version = "2.4.0"
-
-required = [
-  "k8s.io/code-generator/cmd/client-gen",
-  "k8s.io/code-generator/cmd/deepcopy-gen",
-  "k8s.io/code-generator/cmd/defaulter-gen",
-  "k8s.io/code-generator/cmd/lister-gen",
-  "k8s.io/code-generator/cmd/informer-gen",
-]
-
-[prune]
-  non-go = true
-  go-tests = true
-  unused-packages = true
-  [[prune.project]]
-    name = "k8s.io/code-generator"
-    non-go = false
-    unused-packages = false
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/ArthurHlt/go-eureka-client"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/BurntSushi/toml"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/BurntSushi/ty"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/NYTimes/gziphandler"
-
-[[constraint]]
-  branch = "containous-fork"
-  name = "github.com/abbot/go-http-auth"
-  source = "github.com/containous/go-http-auth"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/armon/go-proxyproto"
-
-[[constraint]]
-  name = "github.com/aws/aws-sdk-go"
-  version = "1.13.11"
-
-[[constraint]]
-  name = "github.com/cenkalti/backoff"
-  version = "2.1.1"
-
-[[constraint]]
-  name = "github.com/containous/flaeg"
-  version = "1.4.1"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/containous/mux"
-
-[[constraint]]
-  branch = "containous-fork"
-  name = "github.com/containous/alice"
-
-[[constraint]]
-  name = "github.com/containous/staert"
-  version = "3.1.2"
-
-#[[constraint]]
-#  name = "github.com/containous/traefik-extra-service-fabric"
-#  version = "1.3.0"
-
-[[constraint]]
-  name = "github.com/coreos/go-systemd"
-  version = "14.0.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/docker/leadership"
-  source = "github.com/containous/leadership"
-
-[[constraint]]
-  name = "github.com/eapache/channels"
-  version = "1.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/elazarl/go-bindata-assetfs"
-
-[[constraint]]
-  branch = "fork-containous"
-  name = "github.com/go-check/check"
-  source = "github.com/containous/check"
-
-[[override]]
-  branch = "fork-containous"
-  name = "github.com/go-check/check"
-  source = "github.com/containous/check"
-
-[[constraint]]
-  name = "github.com/go-kit/kit"
-  version = "0.7.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/gorilla/websocket"
-
-[[constraint]]
-  name = "github.com/hashicorp/consul"
-  version = "1.0.6"
-
-[[constraint]]
-  name = "github.com/influxdata/influxdb"
-  version = "1.3.7"
-
-#[[constraint]]
-#  branch = "master"
-#  name = "github.com/jjcollinge/servicefabric"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/abronan/valkeyrie"
-
-[[constraint]]
-  name = "github.com/mesosphere/mesos-dns"
-  source = "https://github.com/containous/mesos-dns.git"
-
-[[constraint]]
-  name = "github.com/opentracing/opentracing-go"
-  version = "1.0.2"
-
-[[constraint]]
-  branch = "containous-fork"
-  name = "github.com/rancher/go-rancher-metadata"
-  source = "github.com/containous/go-rancher-metadata"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/ryanuber/go-glob"
-
-[[constraint]]
-  name = "github.com/satori/go.uuid"
-  version = "1.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/stvp/go-udp-testing"
-
-[[constraint]]
-  name = "github.com/stretchr/testify"
-  version = "1.2.1"
-
-[[constraint]]
-  name = "github.com/uber/jaeger-client-go"
-  version = "2.15.0"
-
-[[constraint]]
-  name = "github.com/uber/jaeger-lib"
-  version = "1.3.0"
-
-[[constraint]]
-  branch = "v1"
-  name = "github.com/unrolled/secure"
-
-[[constraint]]
-  name = "github.com/vdemeester/shakers"
-  version = "0.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/vulcand/oxy"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/go-acme/lego"
-#  version = "2.4.0"
-
-[[constraint]]
-  name = "google.golang.org/grpc"
-  version = "1.5.2"
-
-[[constraint]]
-  name = "gopkg.in/fsnotify.v1"
-  source = "github.com/fsnotify/fsnotify"
-  version = "1.4.2"
-
-[[constraint]]
-  name = "k8s.io/client-go"
-  version = "8.0.0" # 8.0.0
-
-[[constraint]]
-  name = "k8s.io/code-generator"
-  version = "kubernetes-1.11.7"
-
-[[constraint]]
-  name = "k8s.io/api"
-  version = "kubernetes-1.11.7" # "kubernetes-1.11.7"
-
-[[constraint]]
-  name = "k8s.io/apimachinery"
-  version = "kubernetes-1.11.7" # "kubernetes-1.11.7"
-
-[[override]]
-  name = "github.com/json-iterator/go"
-  version = "1.1.6"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/docker"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/docker-check"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/compose"
-
-[[constraint]]
- name = "github.com/docker/docker"
- revision = "7848b8beb9d38a98a78b75f78e05f8d2255f9dfe"
-
-[[override]]
- name = "github.com/docker/docker"
- revision = "7848b8beb9d38a98a78b75f78e05f8d2255f9dfe"
-
-[[override]]
- name = "github.com/docker/cli"
- revision = "6b63d7b96a41055baddc3fa71f381c7f60bd5d8e"
-
-[[override]]
- name = "github.com/docker/distribution"
- revision = "edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c"
-
-[[override]]
-  branch = "master"
-  name = "github.com/docker/libcompose"
-
-[[override]]
-  name = "github.com/Nvveen/Gotty"
-  revision = "a8b993ba6abdb0e0c12b0125c603323a71c7790c"
-  source = "github.com/ijc25/Gotty"
-
-[[override]]
-  # ALWAYS keep this override
-  name = "github.com/mailgun/timetools"
-  revision = "7e6055773c5137efbeb3bd2410d705fe10ab6bfd"
-
-[[override]]
-  version = "v1.1.1"
-  name = "github.com/miekg/dns"
-
-[[constraint]]
-  name = "github.com/patrickmn/go-cache"
-  version = "2.1.0"
-
-[[constraint]]
-  name = "gopkg.in/DataDog/dd-trace-go.v1"
-  version = "1.7.0"
-
-[[constraint]]
-  name = "github.com/instana/go-sensor"
-  version = "1.4.12"

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -1,4 +1,22 @@
-.PHONY: all docs docs-serve clear-static
+.PHONY: all docs docs-serve
+
+SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')
+
+TAG_NAME := $(shell git tag -l --contains HEAD)
+SHA := $(shell git rev-parse HEAD)
+VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
+VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))
+
+BIND_DIR := "dist"
+
+GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
+TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
+
+REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
+TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
+
+INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
+DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 
 TRAEFIK_ENVS := \
 	-e OS_ARCH_ARG \
@@ -11,125 +29,110 @@ TRAEFIK_ENVS := \
 	-e CI \
 	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.
 
-SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')
-
-TAG_NAME := $(shell git tag -l --contains HEAD)
-SHA := $(shell git rev-parse HEAD)
-VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
-VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))
-
-BIND_DIR := "dist"
 TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
-
-GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
-TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
-REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
-INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
-
-DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
-DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
-DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
+DOCKER_NON_INTERACTIVE ?= false
+DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
 
-print-%: ; @echo $*=$($*)
+PRE_TARGET ?= build-dev-image
 
 default: binary
 
-all: generate-webui build ## validate all checks, build linux binary, run all tests\ncross non-linux binaries
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh
-
-binary: generate-webui build ## build the linux binary
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate binary
-
-crossbinary-default: generate-webui build
-	$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default
-
-crossbinary-default-parallel:
-	$(MAKE) generate-webui
-	$(MAKE) build crossbinary-default
-
-test: build ## run the unit and integration tests
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit binary test-integration
-
-test-unit: build ## run the unit tests
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit
-
-test-integration: build ## run the integration tests
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate binary test-integration
-	TEST_HOST=1 ./script/make.sh test-integration
-
-validate: build  ## validate code, vendor
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate validate-lint validate-misspell validate-vendor
-
-build: dist
+## Build Dev Docker image
+build-dev-image: dist
 	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
 
-build-no-cache: dist
+## Build Dev Docker image without cache
+build-dev-image-no-cache: dist
 	docker build --no-cache -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
 
-shell: build ## start a shell inside the build env
-	$(DOCKER_RUN_TRAEFIK) /bin/bash
-
-image-dirty: binary ## build a docker traefik image
-	docker build -t $(TRAEFIK_IMAGE) .
-
-image: clear-static binary ## clean up static directory and build a docker traefik image
-	docker build -t $(TRAEFIK_IMAGE) .
-
-docs:
-	make -C ./docs docs
-
-docs-serve:
-	make -C ./docs docs-serve
-
+## Create the "dist" directory
 dist:
 	mkdir dist
 
-run-dev:
-	go generate
-	go build ./cmd/traefik
-	./traefik
-
-clear-static:
-	rm -rf static
-
-build-webui:
+## Build WebUI Docker image
+build-webui-image:
 	docker build -t traefik-webui -f webui/Dockerfile webui
 
-generate-webui: build-webui
+## Generate WebUI
+generate-webui: build-webui-image
 	if [ ! -d "static" ]; then \
 		mkdir -p static; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build; \
+		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
 		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
 	fi
 
-generate-crd:
-	./script/update-generated-crd-code.sh
+## Build the linux binary
+binary: generate-webui $(PRE_TARGET)
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
 
-lint:
-	script/validate-lint
+## Build the binary for the standard plaforms (linux, darwin, windows)
+crossbinary-default: generate-webui build-dev-image
+	$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default
 
-fmt:
-	gofmt -s -l -w $(SRCS)
+## Build the binary for the standard plaforms (linux, darwin, windows) in parallel
+crossbinary-default-parallel:
+	$(MAKE) generate-webui
+	$(MAKE) build-dev-image crossbinary-default
 
+## Run the unit and integration tests
+test: build-dev-image
+	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit binary test-integration
+
+## Run the unit tests
+test-unit: $(PRE_TARGET)
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate test-unit
+
+## Pull all images for integration tests
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
 
-dep-ensure:
-	dep ensure -v
-	./script/prune-dep.sh
+## Run the integration tests
+test-integration: $(PRE_TARGET)
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
+	TEST_HOST=1 ./script/make.sh test-integration
 
-dep-prune:
-	./script/prune-dep.sh
+## Validate code and docs
+validate-files: $(PRE_TARGET)
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
+	bash $(CURDIR)/script/validate-shell-script.sh
 
-help: ## this help
-	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+## Validate code, docs, and vendor
+validate: $(PRE_TARGET)
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
+	bash $(CURDIR)/script/validate-shell-script.sh
 
-release-packages: generate-webui build
+## Clean up static directory and build a Docker Traefik image
+build-image: binary
+	rm -rf static
+	docker build -t $(TRAEFIK_IMAGE) .
+
+## Build a Docker Traefik image
+build-image-dirty: binary
+	docker build -t $(TRAEFIK_IMAGE) .
+
+## Start a shell inside the build env
+shell: build-dev-image
+	$(DOCKER_RUN_TRAEFIK) /bin/bash
+
+## Build documentation site
+docs:
+	make -C ./docs docs
+
+## Serve the documentation site localy
+docs-serve:
+	make -C ./docs docs-serve
+
+## Generate CRD clientset
+generate-crd:
+	./script/update-generated-crd-code.sh
+
+## Create packages for the release
+release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish
+	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish --timeout="60m"
 	$(DOCKER_RUN_TRAEFIK_NOTTY) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
@@ -138,3 +141,12 @@ release-packages: generate-webui build
 		--exclude .github \
 		--exclude dist .
 	$(DOCKER_RUN_TRAEFIK_NOTTY) chown -R $(shell id -u):$(shell id -g) dist/
+
+## Format the Code
+fmt:
+	gofmt -s -l -w $(SRCS)
+
+run-dev:
+	go generate
+	GO111MODULE=on go build ./cmd/traefik
+	./traefik

README.md

@@ -5,14 +5,14 @@
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
+[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](https://goreportcard.com/report/containous/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
+[![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
 
-Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
+Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
 Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
 
@@ -33,7 +33,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:construction: As stated in the [1.7 release note](https://blog.containo.us/traefik-1-7-yet-another-slice-of-awesomeness-2a9c99737889#782d), a significant update is in progress on the [master](https://github.com/containous/traefik/tree/master) branch. This branch will remain in constant evolution and prone to change with little notice, so use it for test purposes only.
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
 
 ## Overview
 
@@ -69,44 +69,34 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 ## Supported Backends
 
-- [Docker](https://docs.traefik.io/configuration/backends/docker) / [Swarm mode](https://docs.traefik.io/configuration/backends/docker#docker-swarm-mode)
-- [Kubernetes](https://docs.traefik.io/configuration/backends/kubernetes)
-- [Mesos](https://docs.traefik.io/configuration/backends/mesos) / [Marathon](https://docs.traefik.io/configuration/backends/marathon)
-- [Rancher](https://docs.traefik.io/configuration/backends/rancher) (API, Metadata)
-- [Azure Service Fabric](https://docs.traefik.io/configuration/backends/servicefabric)
-- [Consul Catalog](https://docs.traefik.io/configuration/backends/consulcatalog)
-- [Consul](https://docs.traefik.io/configuration/backends/consul) / [Etcd](https://docs.traefik.io/configuration/backends/etcd) / [Zookeeper](https://docs.traefik.io/configuration/backends/zookeeper) / [BoltDB](https://docs.traefik.io/configuration/backends/boltdb)
-- [Eureka](https://docs.traefik.io/configuration/backends/eureka)
-- [Amazon ECS](https://docs.traefik.io/configuration/backends/ecs)
-- [Amazon DynamoDB](https://docs.traefik.io/configuration/backends/dynamodb)
-- [File](https://docs.traefik.io/configuration/backends/file)
-- [Rest](https://docs.traefik.io/configuration/backends/rest)
+- [Docker](https://docs.traefik.io/providers/docker/) / [Swarm mode](https://docs.traefik.io/providers/docker/)
+- [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
+- [Marathon](https://docs.traefik.io/providers/marathon/)
+- [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
+- [File](https://docs.traefik.io/providers/file/)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
-
-Alternatively, if you don't want to install anything on your computer, you can try Traefik online in this great [Katacoda tutorial](https://www.katacoda.com/courses/traefik/deploy-load-balancer) that shows how to load balance requests between multiple Docker containers. 
-
-If you are looking for a more comprehensive and real use-case example, you can also check [Play-With-Docker](http://training.play-with-docker.com/traefik-load-balancing/) to see how to load balance between multiple nodes.
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://docs.traefik.io/getting-started/quick-start/) in our documentation (you will need Docker).
 
 ## Web UI
 
 You can access the simple HTML frontend of Traefik.
 
-![Web UI Providers](docs/content/assets/img/dashboard-main.png)
-![Web UI Health](docs/content/assets/img/dashboard-health.png)
+![Web UI Providers](docs/content/assets/img/webui-dashboard.png)
 
 ## Documentation
 
-You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
+You can find the complete documentation of Traefik v2 at [https://docs.traefik.io](https://docs.traefik.io).
+
+If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/).
+
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
 ## Support
 
 To get community support, you can:
-- join the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
-- use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
+- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
 
 If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
 
@@ -132,19 +122,11 @@ git clone https://github.com/containous/traefik
 
 ## Introductory Videos
 
-Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
-You will learn Traefik basics in less than 10 minutes.
-
-[![Traefik GopherCon 2017](https://img.youtube.com/vi/RgudiksfL-k/0.jpg)](https://www.youtube.com/watch?v=RgudiksfL-k)
-
-Here is a talk given by [Ed Robinson](https://github.com/errm) at [ContainerCamp UK](https://container.camp) conference.
-You will learn fundamental Traefik features and see some demos with Kubernetes.
-
-[![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
+You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us).
 
 ## Maintainers
 
-[Information about process and maintainers](MAINTAINER.md)
+[Information about process and maintainers](docs/content/contributing/maintainers.md)
 
 ## Contributing
 
@@ -156,16 +138,16 @@ By participating in this project, you agree to abide by its terms.
 ## Release Cycle
 
 - We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
-- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0)
-- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only)
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
 
-Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
 
-We use [Semantic Versioning](http://semver.org/)
+We use [Semantic Versioning](https://semver.org/).
 
-## Mailing lists
+## Mailing Lists
 
-- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news)
+- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news).
 - Security announcements: mail at security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
 
 ## Credits
@@ -174,5 +156,5 @@ Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on t
 
 Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
 
-Traefik's logo was inspired by the gopher stickers made by Takuya Ueda (https://twitter.com/tenntenn).
-The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
+Traefik's logo was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
+The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).

build.Dockerfile

@@ -1,34 +1,37 @@
-FROM golang:1.12-alpine
+FROM golang:1.14-alpine
 
 RUN apk --update upgrade \
-&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
-&& rm -rf /var/cache/apk/*
-
-# Download golangci-lint and misspell binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.15.0 \
-    && go get github.com/client9/misspell/cmd/misspell
-
-# Download goreleaser binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
+    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+    && update-ca-certificates \
+    && rm -rf /var/cache/apk/*
 
 # Which docker version to test on
-ARG DOCKER_VERSION=17.03.2
-ARG DEP_VERSION=0.5.0
+ARG DOCKER_VERSION=18.09.7
+
+# Download docker
+RUN mkdir -p /usr/local/bin \
+    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
+    | tar -xzC /usr/local/bin --transform 's#^.+/##x'
 
 # Download go-bindata binary to bin folder in $GOPATH
 RUN mkdir -p /usr/local/bin \
     && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
     && chmod +x /usr/local/bin/go-bindata
 
-# Download dep binary to bin folder in $GOPATH
-RUN mkdir -p /usr/local/bin \
-    && curl -fsSL -o /usr/local/bin/dep https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 \
-    && chmod +x /usr/local/bin/dep
+# Download golangci-lint binary to bin folder in $GOPATH
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.23.8
 
-# Download docker
-RUN mkdir -p /usr/local/bin \
-    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}-ce.tgz \
-    | tar -xzC /usr/local/bin --transform 's#^.+/##x'
+# Download misspell binary to bin folder in $GOPATH
+RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
+
+# Download goreleaser binary to bin folder in $GOPATH
+RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
 
 WORKDIR /go/src/github.com/containous/traefik
+
+# Download go modules
+COPY go.mod .
+COPY go.sum .
+RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
+
 COPY . /go/src/github.com/containous/traefik

cmd/configuration.go

@@ -3,39 +3,27 @@ package cmd
 import (
 	"time"
 
-	"github.com/containous/flaeg/parse"
-	"github.com/containous/traefik/pkg/config/static"
-	"github.com/containous/traefik/pkg/middlewares/accesslog"
-	"github.com/containous/traefik/pkg/ping"
-	"github.com/containous/traefik/pkg/provider/docker"
-	"github.com/containous/traefik/pkg/provider/file"
-	"github.com/containous/traefik/pkg/provider/kubernetes/ingress"
-	"github.com/containous/traefik/pkg/provider/marathon"
-	"github.com/containous/traefik/pkg/provider/rest"
-	"github.com/containous/traefik/pkg/tracing/datadog"
-	"github.com/containous/traefik/pkg/tracing/instana"
-	"github.com/containous/traefik/pkg/tracing/jaeger"
-	"github.com/containous/traefik/pkg/tracing/zipkin"
-	"github.com/containous/traefik/pkg/types"
-	jaegercli "github.com/uber/jaeger-client-go"
+	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/containous/traefik/v2/pkg/types"
 )
 
-// TraefikConfiguration holds GlobalConfiguration and other stuff
-type TraefikConfiguration struct {
-	static.Configuration `mapstructure:",squash" export:"true"`
-	ConfigFile           string `short:"c" description:"Configuration file to use (TOML)." export:"true"`
+// TraefikCmdConfiguration wraps the static configuration and extra parameters.
+type TraefikCmdConfiguration struct {
+	static.Configuration `export:"true"`
+	// ConfigFile is the path to the configuration file.
+	ConfigFile string `description:"Configuration file to use. If specified all other flags are ignored." export:"true"`
 }
 
-// NewTraefikConfiguration creates a TraefikConfiguration with default values
-func NewTraefikConfiguration() *TraefikConfiguration {
-	return &TraefikConfiguration{
+// NewTraefikConfiguration creates a TraefikCmdConfiguration with default values.
+func NewTraefikConfiguration() *TraefikCmdConfiguration {
+	return &TraefikCmdConfiguration{
 		Configuration: static.Configuration{
 			Global: &static.Global{
 				CheckNewVersion: true,
 			},
 			EntryPoints: make(static.EntryPoints),
 			Providers: &static.Providers{
-				ProvidersThrottleDuration: parse.Duration(2 * time.Second),
+				ProvidersThrottleDuration: types.Duration(2 * time.Second),
 			},
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,
@@ -44,153 +32,3 @@ func NewTraefikConfiguration() *TraefikConfiguration {
 		ConfigFile: "",
 	}
 }
-
-// NewTraefikDefaultPointersConfiguration creates a TraefikConfiguration with pointers default values
-func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
-	// default File
-	var defaultFile file.Provider
-	defaultFile.Watch = true
-	defaultFile.Filename = "" // needs equivalent to  viper.ConfigFileUsed()
-
-	// default Ping
-	var defaultPing = ping.Handler{
-		EntryPoint: "traefik",
-	}
-
-	// default TraefikLog
-	defaultTraefikLog := types.TraefikLog{
-		Format:   "common",
-		FilePath: "",
-	}
-
-	// default AccessLog
-	defaultAccessLog := types.AccessLog{
-		Format:   accesslog.CommonFormat,
-		FilePath: "",
-		Filters:  &types.AccessLogFilters{},
-		Fields: &types.AccessLogFields{
-			DefaultMode: types.AccessLogKeep,
-			Headers: &types.FieldHeaders{
-				DefaultMode: types.AccessLogKeep,
-			},
-		},
-	}
-
-	// default Tracing
-	defaultTracing := static.Tracing{
-		Backend:       "jaeger",
-		ServiceName:   "traefik",
-		SpanNameLimit: 0,
-		Jaeger: &jaeger.Config{
-			SamplingServerURL:      "http://localhost:5778/sampling",
-			SamplingType:           "const",
-			SamplingParam:          1.0,
-			LocalAgentHostPort:     "127.0.0.1:6831",
-			Propagation:            "jaeger",
-			Gen128Bit:              false,
-			TraceContextHeaderName: jaegercli.TraceContextHeaderName,
-		},
-		Zipkin: &zipkin.Config{
-			HTTPEndpoint: "http://localhost:9411/api/v1/spans",
-			SameSpan:     false,
-			ID128Bit:     true,
-			Debug:        false,
-			SampleRate:   1.0,
-		},
-		DataDog: &datadog.Config{
-			LocalAgentHostPort: "localhost:8126",
-			GlobalTag:          "",
-			Debug:              false,
-			PrioritySampling:   false,
-		},
-		Instana: &instana.Config{
-			LocalAgentHost: "localhost",
-			LocalAgentPort: 42699,
-			LogLevel:       "info",
-		},
-	}
-
-	// default ApiConfiguration
-	defaultAPI := static.API{
-		EntryPoint: "traefik",
-		Dashboard:  true,
-	}
-	defaultAPI.Statistics = &types.Statistics{
-		RecentErrors: 10,
-	}
-
-	// default Metrics
-	defaultMetrics := types.Metrics{
-		Prometheus: &types.Prometheus{
-			Buckets:    types.Buckets{0.1, 0.3, 1.2, 5},
-			EntryPoint: static.DefaultInternalEntryPointName,
-		},
-		Datadog: &types.Datadog{
-			Address:      "localhost:8125",
-			PushInterval: "10s",
-		},
-		StatsD: &types.Statsd{
-			Address:      "localhost:8125",
-			PushInterval: "10s",
-		},
-		InfluxDB: &types.InfluxDB{
-			Address:      "localhost:8089",
-			Protocol:     "udp",
-			PushInterval: "10s",
-		},
-	}
-
-	defaultResolver := types.HostResolverConfig{
-		CnameFlattening: false,
-		ResolvConfig:    "/etc/resolv.conf",
-		ResolvDepth:     5,
-	}
-
-	var defaultDocker docker.Provider
-	defaultDocker.Watch = true
-	defaultDocker.ExposedByDefault = true
-	defaultDocker.Endpoint = "unix:///var/run/docker.sock"
-	defaultDocker.SwarmMode = false
-	defaultDocker.SwarmModeRefreshSeconds = 15
-	defaultDocker.DefaultRule = docker.DefaultTemplateRule
-
-	// default Rest
-	var defaultRest rest.Provider
-	defaultRest.EntryPoint = static.DefaultInternalEntryPointName
-
-	// default Marathon
-	var defaultMarathon marathon.Provider
-	defaultMarathon.Watch = true
-	defaultMarathon.Endpoint = "http://127.0.0.1:8080"
-	defaultMarathon.ExposedByDefault = true
-	defaultMarathon.DialerTimeout = parse.Duration(5 * time.Second)
-	defaultMarathon.ResponseHeaderTimeout = parse.Duration(60 * time.Second)
-	defaultMarathon.TLSHandshakeTimeout = parse.Duration(5 * time.Second)
-	defaultMarathon.KeepAlive = parse.Duration(10 * time.Second)
-	defaultMarathon.DefaultRule = marathon.DefaultTemplateRule
-
-	// default Kubernetes
-	var defaultKubernetes ingress.Provider
-	defaultKubernetes.Watch = true
-
-	defaultProviders := static.Providers{
-		File:       &defaultFile,
-		Docker:     &defaultDocker,
-		Rest:       &defaultRest,
-		Marathon:   &defaultMarathon,
-		Kubernetes: &defaultKubernetes,
-	}
-
-	return &TraefikConfiguration{
-		Configuration: static.Configuration{
-			Providers:    &defaultProviders,
-			Log:          &defaultTraefikLog,
-			AccessLog:    &defaultAccessLog,
-			Ping:         &defaultPing,
-			API:          &defaultAPI,
-			Metrics:      &defaultMetrics,
-			Tracing:      &defaultTracing,
-			HostResolver: &defaultResolver,
-		},
-	}
-}

cmd/healthcheck/healthcheck.go

@@ -7,34 +7,34 @@ import (
 	"os"
 	"time"
 
-	"github.com/containous/flaeg"
-	"github.com/containous/traefik/cmd"
-	"github.com/containous/traefik/pkg/config/static"
+	"github.com/containous/traefik/v2/pkg/cli"
+	"github.com/containous/traefik/v2/pkg/config/static"
 )
 
-// NewCmd builds a new HealthCheck command
-func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
-	return &flaeg.Command{
-		Name:                  "healthcheck",
-		Description:           `Calls traefik /ping to check health (web provider must be enabled)`,
-		Config:                traefikConfiguration,
-		DefaultPointersConfig: traefikPointersConfiguration,
-		Run:                   runCmd(traefikConfiguration),
-		Metadata: map[string]string{
-			"parseAllSources": "true",
-		},
+// NewCmd builds a new HealthCheck command.
+func NewCmd(traefikConfiguration *static.Configuration, loaders []cli.ResourceLoader) *cli.Command {
+	return &cli.Command{
+		Name:          "healthcheck",
+		Description:   `Calls Traefik /ping endpoint (disabled by default) to check the health of Traefik.`,
+		Configuration: traefikConfiguration,
+		Run:           runCmd(traefikConfiguration),
+		Resources:     loaders,
 	}
 }
 
-func runCmd(traefikConfiguration *cmd.TraefikConfiguration) func() error {
-	return func() error {
-		traefikConfiguration.Configuration.SetEffectiveConfiguration(traefikConfiguration.ConfigFile)
+func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
+	return func(_ []string) error {
+		traefikConfiguration.SetEffectiveConfiguration()
 
-		resp, errPing := Do(traefikConfiguration.Configuration)
+		resp, errPing := Do(*traefikConfiguration)
+		if resp != nil {
+			resp.Body.Close()
+		}
 		if errPing != nil {
 			fmt.Printf("Error calling healthcheck: %s\n", errPing)
 			os.Exit(1)
 		}
+
 		if resp.StatusCode != http.StatusOK {
 			fmt.Printf("Bad healthcheck status: %s\n", resp.Status)
 			os.Exit(1)
@@ -50,9 +50,15 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 	if staticConfiguration.Ping == nil {
 		return nil, errors.New("please enable `ping` to use health check")
 	}
-	pingEntryPoint, ok := staticConfiguration.EntryPoints[staticConfiguration.Ping.EntryPoint]
+
+	ep := staticConfiguration.Ping.EntryPoint
+	if ep == "" {
+		ep = "traefik"
+	}
+
+	pingEntryPoint, ok := staticConfiguration.EntryPoints[ep]
 	if !ok {
-		return nil, errors.New("missing `ping` entrypoint")
+		return nil, fmt.Errorf("ping: missing %s entry point", ep)
 	}
 
 	client := &http.Client{Timeout: 5 * time.Second}
@@ -69,5 +75,5 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 
 	path := "/"
 
-	return client.Head(protocol + "://" + pingEntryPoint.Address + path + "ping")
+	return client.Head(protocol + "://" + pingEntryPoint.GetAddress() + path + "ping")
 }

cmd/storeconfig/storeconfig.go

@@ -1,150 +0,0 @@
-package storeconfig
-
-import (
-	"encoding/json"
-	"fmt"
-	stdlog "log"
-
-	"github.com/containous/flaeg"
-	"github.com/containous/staert"
-	"github.com/containous/traefik/cmd"
-)
-
-// NewCmd builds a new StoreConfig command
-func NewCmd(traefikConfiguration *cmd.TraefikConfiguration, traefikPointersConfiguration *cmd.TraefikConfiguration) *flaeg.Command {
-	return &flaeg.Command{
-		Name:                  "storeconfig",
-		Description:           `Stores the static traefik configuration into a Key-value stores. Traefik will not start.`,
-		Config:                traefikConfiguration,
-		DefaultPointersConfig: traefikPointersConfiguration,
-		HideHelp:              true, // TODO storeconfig
-		Metadata: map[string]string{
-			"parseAllSources": "true",
-		},
-	}
-}
-
-// Run store config in KV
-func Run(kv *staert.KvSource, traefikConfiguration *cmd.TraefikConfiguration) func() error {
-	return func() error {
-		if kv == nil {
-			return fmt.Errorf("error using command storeconfig, no Key-value store defined")
-		}
-
-		fileConfig := traefikConfiguration.Providers.File
-		if fileConfig != nil {
-			traefikConfiguration.Providers.File = nil
-			if len(fileConfig.Filename) == 0 && len(fileConfig.Directory) == 0 {
-				fileConfig.Filename = traefikConfiguration.ConfigFile
-			}
-		}
-
-		jsonConf, err := json.Marshal(traefikConfiguration.Configuration)
-		if err != nil {
-			return err
-		}
-		stdlog.Printf("Storing configuration: %s\n", jsonConf)
-
-		err = kv.StoreConfig(traefikConfiguration.Configuration)
-		if err != nil {
-			return err
-		}
-
-		if fileConfig != nil {
-			jsonConf, err = json.Marshal(fileConfig)
-			if err != nil {
-				return err
-			}
-
-			stdlog.Printf("Storing file configuration: %s\n", jsonConf)
-			config, err := fileConfig.BuildConfiguration()
-			if err != nil {
-				return err
-			}
-
-			stdlog.Print("Writing config to KV")
-			err = kv.StoreConfig(config)
-			if err != nil {
-				return err
-			}
-		}
-
-		// if traefikConfiguration.Configuration.ACME != nil {
-		// 	account := &acme.Account{}
-		//
-		// 	accountInitialized, err := keyExists(kv, traefikConfiguration.Configuration.ACME.Storage)
-		// 	if err != nil && err != store.ErrKeyNotFound {
-		// 		return err
-		// 	}
-		//
-		// 	// Check to see if ACME account object is already in kv store
-		// 	if traefikConfiguration.Configuration.ACME.OverrideCertificates || !accountInitialized {
-		//
-		// 		// Stores the ACME Account into the KV Store
-		// 		// Certificates in KV Stores will be overridden
-		// 		meta := cluster.NewMetadata(account)
-		// 		err = meta.Marshall()
-		// 		if err != nil {
-		// 			return err
-		// 		}
-		//
-		// 		source := staert.KvSource{
-		// 			Store:  kv,
-		// 			Prefix: traefikConfiguration.Configuration.ACME.Storage,
-		// 		}
-		//
-		// 		err = source.StoreConfig(meta)
-		// 		if err != nil {
-		// 			return err
-		// 		}
-		// 	}
-		// }
-		return nil
-	}
-}
-
-// func keyExists(source *staert.KvSource, key string) (bool, error) {
-// 	list, err := source.List(key, nil)
-// 	if err != nil {
-// 		return false, err
-// 	}
-//
-// 	return len(list) > 0, nil
-// }
-
-// CreateKvSource creates KvSource
-// TLS support is enable for Consul and Etcd backends
-func CreateKvSource(traefikConfiguration *cmd.TraefikConfiguration) (*staert.KvSource, error) {
-	var kv *staert.KvSource
-	// var kvStore store.Store
-	var err error
-
-	// TODO kv store
-	// switch {
-	// case traefikConfiguration.Providers.Consul != nil:
-	// 	kvStore, err = traefikConfiguration.Providers.Consul.CreateStore()
-	// 	kv = &staert.KvSource{
-	// 		Store:  kvStore,
-	// 		Prefix: traefikConfiguration.Providers.Consul.Prefix,
-	// 	}
-	// case traefikConfiguration.Providers.Etcd != nil:
-	// 	kvStore, err = traefikConfiguration.Providers.Etcd.CreateStore()
-	// 	kv = &staert.KvSource{
-	// 		Store:  kvStore,
-	// 		Prefix: traefikConfiguration.Providers.Etcd.Prefix,
-	// 	}
-	// case traefikConfiguration.Providers.Zookeeper != nil:
-	// 	kvStore, err = traefikConfiguration.Providers.Zookeeper.CreateStore()
-	// 	kv = &staert.KvSource{
-	// 		Store:  kvStore,
-	// 		Prefix: traefikConfiguration.Providers.Zookeeper.Prefix,
-	// 	}
-	// case traefikConfiguration.Providers.Boltdb != nil:
-	// 	kvStore, err = traefikConfiguration.Providers.Boltdb.CreateStore()
-	// 	kv = &staert.KvSource{
-	// 		Store:  kvStore,
-	// 		Prefix: traefikConfiguration.Providers.Boltdb.Prefix,
-	// 	}
-	// }
-	return kv, err
-}

cmd/traefik/traefik.go

@@ -3,207 +3,92 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"fmt"
-	fmtlog "log"
+	stdlog "log"
 	"net/http"
 	"os"
 	"path/filepath"
-	"reflect"
+	"sort"
 	"strings"
 	"time"
 
-	"github.com/cenkalti/backoff"
-	"github.com/containous/flaeg"
-	"github.com/containous/staert"
-	"github.com/containous/traefik/autogen/genstatic"
-	"github.com/containous/traefik/cmd"
-	"github.com/containous/traefik/cmd/healthcheck"
-	"github.com/containous/traefik/cmd/storeconfig"
-	cmdVersion "github.com/containous/traefik/cmd/version"
-	"github.com/containous/traefik/pkg/collector"
-	"github.com/containous/traefik/pkg/config"
-	"github.com/containous/traefik/pkg/config/static"
-	"github.com/containous/traefik/pkg/job"
-	"github.com/containous/traefik/pkg/log"
-	"github.com/containous/traefik/pkg/provider/aggregator"
-	"github.com/containous/traefik/pkg/provider/kubernetes/k8s"
-	"github.com/containous/traefik/pkg/safe"
-	"github.com/containous/traefik/pkg/server"
-	"github.com/containous/traefik/pkg/server/router"
-	traefiktls "github.com/containous/traefik/pkg/tls"
-	"github.com/containous/traefik/pkg/types"
-	"github.com/containous/traefik/pkg/version"
+	"github.com/containous/traefik/v2/autogen/genstatic"
+	"github.com/containous/traefik/v2/cmd"
+	"github.com/containous/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/containous/traefik/v2/cmd/version"
+	"github.com/containous/traefik/v2/pkg/cli"
+	"github.com/containous/traefik/v2/pkg/collector"
+	"github.com/containous/traefik/v2/pkg/config/dynamic"
+	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/containous/traefik/v2/pkg/log"
+	"github.com/containous/traefik/v2/pkg/metrics"
+	"github.com/containous/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/containous/traefik/v2/pkg/provider/acme"
+	"github.com/containous/traefik/v2/pkg/provider/aggregator"
+	"github.com/containous/traefik/v2/pkg/provider/traefik"
+	"github.com/containous/traefik/v2/pkg/safe"
+	"github.com/containous/traefik/v2/pkg/server"
+	"github.com/containous/traefik/v2/pkg/server/middleware"
+	"github.com/containous/traefik/v2/pkg/server/service"
+	traefiktls "github.com/containous/traefik/v2/pkg/tls"
+	"github.com/containous/traefik/v2/pkg/types"
+	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
-	"github.com/ogier/pflag"
 	"github.com/sirupsen/logrus"
 	"github.com/vulcand/oxy/roundrobin"
 )
 
-func init() {
-	goDebug := os.Getenv("GODEBUG")
-	if len(goDebug) > 0 {
-		goDebug += ","
-	}
-	os.Setenv("GODEBUG", goDebug+"tls13=1")
-}
-
-// sliceOfStrings is the parser for []string
-type sliceOfStrings []string
-
-// String is the method to format the flag's value, part of the flag.Value interface.
-// The String method's output will be used in diagnostics.
-func (s *sliceOfStrings) String() string {
-	return strings.Join(*s, ",")
-}
-
-// Set is the method to set the flag value, part of the flag.Value interface.
-// Set's argument is a string to be parsed to set the flag.
-// It's a comma-separated list, so we split it.
-func (s *sliceOfStrings) Set(value string) error {
-	parts := strings.Split(value, ",")
-	if len(parts) == 0 {
-		return fmt.Errorf("bad []string format: %s", value)
-	}
-	for _, entrypoint := range parts {
-		*s = append(*s, entrypoint)
-	}
-	return nil
-}
-
-// Get return the []string
-func (s *sliceOfStrings) Get() interface{} {
-	return *s
-}
-
-// SetValue sets the []string with val
-func (s *sliceOfStrings) SetValue(val interface{}) {
-	*s = val.([]string)
-}
-
-// Type is type of the struct
-func (s *sliceOfStrings) Type() string {
-	return "sliceOfStrings"
-}
-
 func main() {
 	// traefik config inits
-	traefikConfiguration := cmd.NewTraefikConfiguration()
-	traefikPointersConfiguration := cmd.NewTraefikDefaultPointersConfiguration()
+	tConfig := cmd.NewTraefikConfiguration()
 
-	// traefik Command init
-	traefikCmd := &flaeg.Command{
+	loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.FlagLoader{}, &cli.EnvLoader{}}
+
+	cmdTraefik := &cli.Command{
 		Name: "traefik",
-		Description: `traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
+		Description: `Traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
 Complete documentation is available at https://traefik.io`,
-		Config:                traefikConfiguration,
-		DefaultPointersConfig: traefikPointersConfiguration,
-		Run: func() error {
-			return runCmd(&traefikConfiguration.Configuration, traefikConfiguration.ConfigFile)
+		Configuration: tConfig,
+		Resources:     loaders,
+		Run: func(_ []string) error {
+			return runCmd(&tConfig.Configuration)
 		},
 	}
 
-	// storeconfig Command init
-	storeConfigCmd := storeconfig.NewCmd(traefikConfiguration, traefikPointersConfiguration)
-
-	// init flaeg source
-	f := flaeg.New(traefikCmd, os.Args[1:])
-	// add custom parsers
-	f.AddParser(reflect.TypeOf(static.EntryPoints{}), &static.EntryPoints{})
-
-	f.AddParser(reflect.SliceOf(reflect.TypeOf("")), &sliceOfStrings{})
-	f.AddParser(reflect.TypeOf(traefiktls.FilesOrContents{}), &traefiktls.FilesOrContents{})
-	f.AddParser(reflect.TypeOf(types.Constraints{}), &types.Constraints{})
-	f.AddParser(reflect.TypeOf(k8s.Namespaces{}), &k8s.Namespaces{})
-	f.AddParser(reflect.TypeOf([]types.Domain{}), &types.Domains{})
-	f.AddParser(reflect.TypeOf(types.DNSResolvers{}), &types.DNSResolvers{})
-	f.AddParser(reflect.TypeOf(types.Buckets{}), &types.Buckets{})
-
-	f.AddParser(reflect.TypeOf(types.StatusCodes{}), &types.StatusCodes{})
-	f.AddParser(reflect.TypeOf(types.FieldNames{}), &types.FieldNames{})
-	f.AddParser(reflect.TypeOf(types.FieldHeaderNames{}), &types.FieldHeaderNames{})
-
-	// add commands
-	f.AddCommand(cmdVersion.NewCmd())
-	f.AddCommand(storeConfigCmd)
-	f.AddCommand(healthcheck.NewCmd(traefikConfiguration, traefikPointersConfiguration))
-
-	usedCmd, err := f.GetCommand()
+	err := cmdTraefik.AddCommand(healthcheck.NewCmd(&tConfig.Configuration, loaders))
 	if err != nil {
-		fmtlog.Println(err)
+		stdlog.Println(err)
 		os.Exit(1)
 	}
 
-	if _, err := f.Parse(usedCmd); err != nil {
-		if err == pflag.ErrHelp {
-			os.Exit(0)
-		}
-		fmtlog.Printf("Error parsing command: %s\n", err)
-		os.Exit(1)
-	}
-
-	// staert init
-	s := staert.NewStaert(traefikCmd)
-	// init TOML source
-	toml := staert.NewTomlSource("traefik", []string{traefikConfiguration.ConfigFile, "/etc/traefik/", "$HOME/.traefik/", "."})
-
-	// add sources to staert
-	s.AddSource(toml)
-	s.AddSource(f)
-	if _, err := s.LoadConfig(); err != nil {
-		fmtlog.Printf("Error reading TOML config file %s : %s\n", toml.ConfigFileUsed(), err)
-		os.Exit(1)
-	}
-
-	traefikConfiguration.ConfigFile = toml.ConfigFileUsed()
-
-	kv, err := storeconfig.CreateKvSource(traefikConfiguration)
+	err = cmdTraefik.AddCommand(cmdVersion.NewCmd())
 	if err != nil {
-		fmtlog.Printf("Error creating kv store: %s\n", err)
-		os.Exit(1)
-	}
-	storeConfigCmd.Run = storeconfig.Run(kv, traefikConfiguration)
-
-	// if a KV Store is enable and no sub-command called in args
-	if kv != nil && usedCmd == traefikCmd {
-		s.AddSource(kv)
-		operation := func() error {
-			_, err := s.LoadConfig()
-			return err
-		}
-		notify := func(err error, time time.Duration) {
-			log.WithoutContext().Errorf("Load config error: %+v, retrying in %s", err, time)
-		}
-		err := backoff.RetryNotify(safe.OperationWithRecover(operation), job.NewBackOff(backoff.NewExponentialBackOff()), notify)
-		if err != nil {
-			fmtlog.Printf("Error loading configuration: %s\n", err)
-			os.Exit(1)
-		}
-	}
-
-	if err := s.Run(); err != nil {
-		fmtlog.Printf("Error running traefik: %s\n", err)
+		stdlog.Println(err)
 		os.Exit(1)
 	}
 
-	os.Exit(0)
+	err = cli.Execute(cmdTraefik)
+	if err != nil {
+		stdlog.Println(err)
+		logrus.Exit(1)
+	}
+
+	logrus.Exit(0)
 }
 
-func runCmd(staticConfiguration *static.Configuration, configFile string) error {
+func runCmd(staticConfiguration *static.Configuration) error {
 	configureLogging(staticConfiguration)
 
-	if len(configFile) > 0 {
-		log.WithoutContext().Infof("Using TOML configuration file %s", configFile)
-	}
-
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
 	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set roundrobin default weight: %v", err)
+		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
 	}
 
-	staticConfiguration.SetEffectiveConfiguration(configFile)
-	staticConfiguration.ValidateConfiguration()
+	staticConfiguration.SetEffectiveConfiguration()
+	if err := staticConfiguration.ValidateConfiguration(); err != nil {
+		return err
+	}
 
 	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
 
@@ -225,46 +110,11 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 
 	stats(staticConfiguration)
 
-	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
-
-	acmeProvider, err := staticConfiguration.InitACMEProvider()
+	svr, err := setupServer(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().Errorf("Unable to initialize ACME provider: %v", err)
-	} else if acmeProvider != nil {
-		if err := providerAggregator.AddProvider(acmeProvider); err != nil {
-			log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
-			acmeProvider = nil
-		}
+		return err
 	}
 
-	serverEntryPointsTCP := make(server.TCPEntryPoints)
-	for entryPointName, config := range staticConfiguration.EntryPoints {
-		ctx := log.With(context.Background(), log.Str(log.EntryPointName, entryPointName))
-		serverEntryPointsTCP[entryPointName], err = server.NewTCPEntryPoint(ctx, config)
-		if err != nil {
-			return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
-		}
-		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProvider)
-
-	}
-
-	tlsManager := traefiktls.NewManager()
-
-	if acmeProvider != nil {
-		acmeProvider.SetTLSManager(tlsManager)
-		if acmeProvider.TLSChallenge != nil &&
-			acmeProvider.HTTPChallenge == nil &&
-			acmeProvider.DNSChallenge == nil {
-			tlsManager.TLSAlpnGetter = acmeProvider.GetTLSALPNCertificate
-		}
-	}
-
-	svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)
-
-	if acmeProvider != nil && acmeProvider.OnHostRule {
-		acmeProvider.SetConfigListenerChan(make(chan config.Configuration))
-		svr.AddListener(acmeProvider.ListenConfiguration)
-	}
 	ctx := cmd.ContextWithSignal(context.Background())
 
 	if staticConfiguration.Ping != nil {
@@ -289,7 +139,11 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
-				_, errHealthCheck := healthcheck.Do(*staticConfiguration)
+				resp, errHealthCheck := healthcheck.Do(*staticConfiguration)
+				if resp != nil {
+					_ = resp.Body.Close()
+				}
+
 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
 						log.WithoutContext().Error("Fail to tick watchdog")
@@ -303,28 +157,228 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 
 	svr.Wait()
 	log.WithoutContext().Info("Shutting down")
-	logrus.Exit(0)
 	return nil
 }
 
+func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
+	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
+
+	// adds internal provider
+	err := providerAggregator.AddProvider(traefik.New(*staticConfiguration))
+	if err != nil {
+		return nil, err
+	}
+
+	tlsManager := traefiktls.NewManager()
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
+
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	serverEntryPointsUDP, err := server.NewUDPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	routinesPool := safe.NewPool(ctx)
+
+	metricsRegistry := registerMetricClients(staticConfiguration.Metrics)
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder)
+
+	var defaultEntryPoints []string
+	for name, cfg := range staticConfiguration.EntryPoints {
+		protocol, err := cfg.GetProtocol()
+		if err != nil {
+			// Should never happen because Traefik should not start if protocol is invalid.
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+		}
+
+		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
+			defaultEntryPoints = append(defaultEntryPoints, name)
+		}
+	}
+
+	sort.Strings(defaultEntryPoints)
+
+	watcher := server.NewConfigurationWatcher(
+		routinesPool,
+		providerAggregator,
+		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
+		defaultEntryPoints,
+	)
+
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		ctx := context.Background()
+		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
+	})
+
+	watcher.AddListener(func(_ dynamic.Configuration) {
+		metricsRegistry.ConfigReloadsCounter().Add(1)
+		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
+	})
+
+	watcher.AddListener(switchRouter(routerFactory, acmeProviders, serverEntryPointsTCP, serverEntryPointsUDP))
+
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
+			var eps []string
+			for key := range serverEntryPointsTCP {
+				eps = append(eps, key)
+			}
+
+			metrics.OnConfigurationUpdate(conf, eps)
+		}
+	})
+
+	resolverNames := map[string]struct{}{}
+	for _, p := range acmeProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.ListenConfiguration)
+	}
+
+	watcher.AddListener(func(config dynamic.Configuration) {
+		for rtName, rt := range config.HTTP.Routers {
+			if rt.TLS == nil || rt.TLS.CertResolver == "" {
+				continue
+			}
+
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+			}
+		}
+	})
+
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
+}
+
+func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints) func(conf dynamic.Configuration) {
+	return func(conf dynamic.Configuration) {
+		routers, udpRouters := routerFactory.CreateRouters(conf)
+		for entryPointName, rt := range routers {
+			for _, p := range acmeProviders {
+				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
+					rt.HTTPHandler(p.CreateHandler(rt.GetHTTPHandler()))
+					break
+				}
+			}
+		}
+		serverEntryPointsTCP.Switch(routers)
+		serverEntryPointsUDP.Switch(udpRouters)
+	}
+}
+
+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
+	challengeStore := acme.NewLocalChallengeStore()
+	localStores := map[string]*acme.LocalStore{}
+
+	var resolvers []*acme.Provider
+	for name, resolver := range c.CertificatesResolvers {
+		if resolver.ACME != nil {
+			if localStores[resolver.ACME.Storage] == nil {
+				localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+			}
+
+			p := &acme.Provider{
+				Configuration:  resolver.ACME,
+				Store:          localStores[resolver.ACME.Storage],
+				ChallengeStore: challengeStore,
+				ResolverName:   name,
+			}
+
+			if err := providerAggregator.AddProvider(p); err != nil {
+				log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+				continue
+			}
+
+			p.SetTLSManager(tlsManager)
+
+			if p.TLSChallenge != nil {
+				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
+			}
+
+			p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
+			resolvers = append(resolvers, p)
+		}
+	}
+	return resolvers
+}
+
+func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
+	if metricsConfig == nil {
+		return metrics.NewVoidRegistry()
+	}
+
+	var registries []metrics.Registry
+
+	if metricsConfig.Prometheus != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
+		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		if prometheusRegister != nil {
+			registries = append(registries, prometheusRegister)
+			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+		}
+	}
+
+	if metricsConfig.Datadog != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
+		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
+		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
+			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+	}
+
+	if metricsConfig.StatsD != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
+		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
+		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
+			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+	}
+
+	if metricsConfig.InfluxDB != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
+		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
+		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
+			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+	}
+
+	return metrics.NewMultiRegistry(registries)
+}
+
+func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
+	if conf == nil {
+		return nil
+	}
+
+	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
+	if err != nil {
+		log.WithoutContext().Warnf("Unable to create access logger : %v", err)
+		return nil
+	}
+
+	return accessLoggerMiddleware
+}
+
 func configureLogging(staticConfiguration *static.Configuration) {
 	// configure default log flags
-	fmtlog.SetFlags(fmtlog.Lshortfile | fmtlog.LstdFlags)
+	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
 
 	// configure log level
 	// an explicitly defined log level always has precedence. if none is
 	// given and debug mode is disabled, the default is ERROR, and DEBUG
 	// otherwise.
-	var levelStr string
-	if staticConfiguration.Log != nil {
-		levelStr = strings.ToLower(staticConfiguration.Log.LogLevel)
-	}
-	if levelStr == "" {
-		levelStr = "error"
-		if staticConfiguration.Global.Debug {
-			levelStr = "debug"
-		}
+	levelStr := "error"
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
 	}
+
 	level, err := logrus.ParseLevel(levelStr)
 	if err != nil {
 		log.WithoutContext().Errorf("Error getting level: %v", err)
@@ -375,27 +429,19 @@ func checkNewVersion() {
 }
 
 func stats(staticConfiguration *static.Configuration) {
-	if staticConfiguration.Global.SendAnonymousUsage == nil {
-		log.WithoutContext().Error(`
-You haven't specify the sendAnonymousUsage option, it will be enable by default.
-`)
-		sendAnonymousUsage := true
-		staticConfiguration.Global.SendAnonymousUsage = &sendAnonymousUsage
-	}
+	logger := log.WithoutContext()
 
-	if *staticConfiguration.Global.SendAnonymousUsage {
-		log.WithoutContext().Info(`
-Stats collection is enabled.
-Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
-Help us improve Traefik by leaving this feature on :)
-More details on: https://docs.traefik.io/basics/#collected-data
-`)
+	if staticConfiguration.Global.SendAnonymousUsage {
+		logger.Info(`Stats collection is enabled.`)
+		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Info(`More details on: https://docs.traefik.io/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		log.WithoutContext().Info(`
+		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/basics/#collected-data
+More details on: https://docs.traefik.io/contributing/data-collection/
 `)
 	}
 }

cmd/version/version.go

@@ -7,8 +7,8 @@ import (
 	"runtime"
 	"text/template"
 
-	"github.com/containous/flaeg"
-	"github.com/containous/traefik/pkg/version"
+	"github.com/containous/traefik/v2/pkg/cli"
+	"github.com/containous/traefik/v2/pkg/version"
 )
 
 var versionTemplate = `Version:      {{.Version}}
@@ -18,19 +18,17 @@ Built:        {{.BuildTime}}
 OS/Arch:      {{.Os}}/{{.Arch}}`
 
 // NewCmd builds a new Version command
-func NewCmd() *flaeg.Command {
-	return &flaeg.Command{
-		Name:                  "version",
-		Description:           `Print version`,
-		Config:                struct{}{},
-		DefaultPointersConfig: struct{}{},
-		Run: func() error {
+func NewCmd() *cli.Command {
+	return &cli.Command{
+		Name:          "version",
+		Description:   `Shows the current Traefik version.`,
+		Configuration: nil,
+		Run: func(_ []string) error {
 			if err := GetPrint(os.Stdout); err != nil {
 				return err
 			}
 			fmt.Print("\n")
 			return nil
-
 		},
 	}
 }

contrib/scripts/dumpcerts.sh

@@ -1,171 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) 2017 Brian 'redbeard' Harrington <redbeard@dead-city.org>
-#
-# dumpcerts.sh - A simple utility to explode a Traefik acme.json file into a
-#                directory of certificates and a private key
-#
-# Usage - dumpcerts.sh /etc/traefik/acme.json /etc/ssl/
-#
-# Dependencies -
-#   util-linux
-#   openssl
-#   jq
-# The MIT License (MIT)
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-# Exit codes:
-# 1 - A component is missing or could not be read
-# 2 - There was a problem reading acme.json
-# 4 - The destination certificate directory does not exist
-# 8 - Missing private key
-
-set -o errexit
-set -o pipefail
-set -o nounset
-
-USAGE="$(basename "$0") <path to acme> <destination cert directory>"
-
-# Platform variations
-case "$(uname)" in
-	'Linux')
-		# On Linux, -d should always work. --decode does not work with Alpine's busybox-binary
-		CMD_DECODE_BASE64="base64 -d"
-		;;
-	*)
-		# Max OS-X supports --decode and -D, but --decode may be supported by other platforms as well.
-		CMD_DECODE_BASE64="base64 --decode"
-		;;
-esac
-
-# Allow us to exit on a missing jq binary
-exit_jq() {
-	echo "
-You must have the binary 'jq' to use this.
-jq is available at: https://stedolan.github.io/jq/download/
-
-${USAGE}" >&2
-	exit 1
-}
-
-bad_acme() {
-	echo "
-There was a problem parsing your acme.json file.
-
-${USAGE}" >&2
-	exit 2
-}
-
-if [ $# -ne 2 ]; then
-	echo "
-Insufficient number of parameters.
-
-${USAGE}" >&2
-	exit 1
-fi
-
-readonly acmefile="${1}"
-readonly certdir="${2%/}"
-
-if [ ! -r "${acmefile}" ]; then
-	echo "
-There was a problem reading from '${acmefile}'
-We need to read this file to explode the JSON bundle... exiting.
-
-${USAGE}" >&2
-	exit 2
-fi
-
-
-if [ ! -d "${certdir}" ]; then
-	echo "
-Path ${certdir} does not seem to be a directory
-We need a directory in which to explode the JSON bundle... exiting.
-
-${USAGE}" >&2
-	exit 4
-fi
-
-jq=$(command -v jq) || exit_jq
-
-priv=$(${jq} -e -r '.Account.PrivateKey' "${acmefile}") || bad_acme
-
-if [ ! -n "${priv}" ]; then
-	echo "
-There didn't seem to be a private key in ${acmefile}.
-Please ensure that there is a key in this file and try again." >&2
-	exit 8
-fi
-
-# If they do not exist, create the needed subdirectories for our assets
-# and place each in a variable for later use, normalizing the path
-mkdir -p "${certdir}"/{certs,private}
-
-pdir="${certdir}/private/"
-cdir="${certdir}/certs/"
-
-# Save the existing umask, change the default mode to 600, then
-# after writing the private key switch it back to the default
-oldumask=$(umask)
-umask 177
-trap 'umask ${oldumask}' EXIT
-
-# traefik stores the private key in stripped base64 format but the certificates
-# bundled as a base64 object without stripping headers.  This normalizes the
-# headers and formatting.
-#
-# In testing this out it was a balance between the following mechanisms:
-# gawk:
-#  echo ${priv} | awk 'BEGIN {print "-----BEGIN RSA PRIVATE KEY-----"}
-#     {gsub(/.{64}/,"&\n")}1
-#     END {print "-----END RSA PRIVATE KEY-----"}' > "${pdir}/letsencrypt.key"
-#
-# openssl:
-# echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----" \
-#   | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
-#
-# and sed:
-# echo "-----BEGIN RSA PRIVATE KEY-----" > "${pdir}/letsencrypt.key"
-# echo ${priv} | sed -E 's/(.{64})/\1\n/g' >> "${pdir}/letsencrypt.key"
-# sed -i '$ d' "${pdir}/letsencrypt.key"
-# echo "-----END RSA PRIVATE KEY-----" >> "${pdir}/letsencrypt.key"
-# openssl rsa -noout -in "${pdir}/letsencrypt.key" -check  # To check if the key is valid
-
-# In the end, openssl was chosen because most users will need this script
-# *because* of openssl combined with the fact that it will refuse to write the
-# key if it does not parse out correctly. The other mechanisms were left as
-# comments so that the user can choose the mechanism most appropriate to them.
-echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----" \
-   | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
-
-# Process the certificates for each of the domains in acme.json
-domains=$(jq -r '.Certificates[].Domain.Main' ${acmefile}) || bad_acme
-for domain in $domains; do
-	# Traefik stores a cert bundle for each domain.  Within this cert
-	# bundle there is both proper the certificate and the Let's Encrypt CA
-	echo "Extracting cert bundle for ${domain}"
-	cert=$(jq -e -r --arg domain "$domain" '.Certificates[] |
-         	select (.Domain.Main == $domain )| .Certificate' ${acmefile}) || bad_acme
-	echo "${cert}" | ${CMD_DECODE_BASE64} > "${cdir}/${domain}.crt"
-
-	echo "Extracting private key for ${domain}"
-	key=$(jq -e -r --arg domain "$domain" '.Certificates[] |
-		select (.Domain.Main == $domain )| .Key' ${acmefile}) || bad_acme
-	echo "${key}" | ${CMD_DECODE_BASE64} > "${pdir}/${domain}.key"
-done

docs/.markdownlint.json

@@ -3,7 +3,10 @@
     "MD007": { "indent": 4 },
     "MD009": false,
     "MD013": false,
+    "MD024": false,
     "MD026": false,
     "MD033": false,
-    "MD034": false
+    "MD034": false,
+    "MD036": false,
+    "MD046": false
 }

docs/check.Dockerfile

@@ -1,9 +1,6 @@
 
-FROM alpine:3.9 as alpine
+FROM alpine:3.10 as alpine
 
-# The "build-dependencies" virtual package provides build tools for html-proofer installation.
-# It compile ruby-nokogiri, because alpine native version is always out of date
-# This virtual package is cleaned at the end.
 RUN apk --no-cache --no-progress add \
     libcurl \
     ruby \
@@ -11,21 +8,21 @@ RUN apk --no-cache --no-progress add \
     ruby-etc \
     ruby-ffi \
     ruby-json \
-  && apk add --no-cache --virtual build-dependencies \
-    build-base \
-    libcurl \
-    libxml2-dev \
-    libxslt-dev \
-    ruby-dev \
-  && gem install --no-document html-proofer -v 3.10.2 \
-  && apk del build-dependencies
+    ruby-nokogiri
+RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libraries
 
 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
     git \
     nodejs \
-    npm \
-  && npm install markdownlint@0.12.0 markdownlint-cli@0.13.0 --global
+    npm
+
+# To handle 'not get uid/gid'
+RUN npm config set unsafe-perm true
+
+RUN npm install --global \
+    markdownlint@0.17.2 \
+    markdownlint-cli@0.19.0
 
 # Finally the shell tools we need for later
 # tini helps to terminate properly all the parallelized tasks when sending CTRL-C

docs/content/assets/styles/extra.css

@@ -34,6 +34,10 @@ h3 {
     font-weight: bold !important;
 }
 
+.md-typeset h5 {
+    text-transform: none;
+}
+
 figcaption {
     text-align: center;
     font-size: 0.8em;

docs/content/contributing/building-testing.md

@@ -16,6 +16,8 @@ For changes to its dependencies, the `dep` dependency management tool is require
 Run make with the `binary` target.
 This will create binaries for the Linux platform in the `dist` folder.
 
+In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
+
 ```bash
 $ make binary
 docker build -t traefik-webui -f webui/Dockerfile webui
@@ -28,7 +30,7 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.12-alpine
+Step 1/10 : FROM golang:1.14-alpine
  ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
@@ -43,29 +45,46 @@ $ ls dist/
 traefik*
 ```
 
+The following targets can be executed outside Docker by setting the variable `PRE_TARGET` to an empty string (we don't recommend that):
+
+- `test-unit`
+- `test-integration`
+- `validate`
+- `binary` (the webUI is still generated by using Docker)
+
+ex:
+
+```bash
+PRE_TARGET= make test-unit
+```
+
 ### Method 2: Using `go`
 
-You need `go` v1.9+.
+Requirements:
+
+- `go` v1.14+
+- environment variable `GO111MODULE=on`
+- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 
 !!! tip "Source Directory"
- 
+
     It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
     This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.
 
 !!! note "Environment"
 
     Set your `GOPATH` and `PATH` variable to be set to `~/go` via:
-    
+
     ```bash
     export GOPATH=~/go
     export PATH=$PATH:$GOPATH/bin
     ```
- 
+
     For convenience, add `GOPATH` and `PATH` to your `.bashrc` or `.bash_profile`
-    
+
     Verify your environment is setup properly by running `$ go env`.
     Depending on your OS and environment, you should see an output similar to:
-    
+
     ```bash
     GOARCH="amd64"
     GOBIN=""
@@ -81,53 +100,32 @@ You need `go` v1.9+.
 #### Build Traefik
 
 Once you've set up your go environment and cloned the source repository, you can build Traefik.
-Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
+
+Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
 
 ```bash
 cd ~/go/src/github.com/containous/traefik
 
 # Get go-bindata. (Important: the ellipses are required.)
-go get github.com/containous/go-bindata/...
+GO111MODULE=off go get github.com/containous/go-bindata/...
+```
 
-# Let's build
+```bash
+# Generate UI static files
+rm -rf static/ autogen/; make generate-webui
 
-# generate
-# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
+# required to merge non-code components into the final binary,
+# such as the web dashboard/UI
 go generate
+```
 
+```bash
 # Standard go build
 go build ./cmd/traefik
 ```
 
 You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
 
-### Updating the templates
-
-If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
-
-### Setting up dependency management
-
-The [dep](https://github.com/golang/dep) command is not required for building;
-however, it is necessary if you need to update the dependencies (i.e., add, update, or remove third-party packages).
-
-You need [dep](https://github.com/golang/dep) >= 0.5.0.
-
-If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
-
-A following `make dep-prune` run should be triggered to trim down the size of the vendor folder.
-The final result must be committed into VCS.
-
-Here's a full example using dep to add a new dependency:
-
-```bash
-# install the new main dependency github.com/foo/bar and minimize vendor size
-$ dep ensure -add github.com/foo/bar
-# generate (Only required to integrate other components such as web dashboard)
-$ go generate
-# Standard go build
-$ go build ./cmd/traefik
-```
-
 ## Testing
 
 ### Method 1: `Docker` and `make`

docs/content/contributing/data-collection.md

@@ -8,23 +8,25 @@ Understanding How Traefik is Being Used
 Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.  
 For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.
 
-!!! warning
-    During the alpha stage only, leaving this option unset will not prevent Traefik from running but will generate an error log indicating that it enables data collection by default.
-
-??? example "Enabling Data Collection with TOML"
-
-    ```toml
-    [Global]
-        # Send anonymous usage data
-        sendAnonymousUsage = true
-    ```
-
-??? example "Enabling Data Collection with the CLI"
-
-    ```bash
-    ./traefik --sendAnonymousUsage=true
+!!! example "Enabling Data Collection"
+    
+    ```toml tab="File (TOML)"
+    [global]
+      # Send anonymous usage data
+      sendAnonymousUsage = true
     ```
     
+    ```yaml tab="File (YAML)"
+    global:
+      # Send anonymous usage data
+      sendAnonymousUsage: true
+    ```
+    
+    ```bash tab="CLI"
+    # Send anonymous usage data
+    --global.sendAnonymousUsage
+    ```
+
 ## Collected Data
 
 This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
@@ -40,72 +42,51 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 - a hash of the configuration
 - an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
 
-!!! note
-    We do not collect the dynamic configuration information (routers & services).
-    We do not collect these data to run advertising programs.
-    We do not sell these data to third-parties.
+!!! info
+    
+    - We do not collect the dynamic configuration information (routers & services).
+    - We do not collect this data to run advertising programs.
+    - We do not sell this data to third-parties.
 
 ### Example of Collected Data
 
-??? example "Original configuration"
+```toml tab="Original configuration"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
 
-    ```toml
-    [entrypoints]
-        [entrypoints.web]
-           address = ":80"
-    
-    [api]
-    
-    [Docker]
-      endpoint = "tcp://10.10.10.10:2375"
-      domain = "foo.bir"
-      exposedByDefault = true
-      swarmMode = true
-    
-      [Docker.TLS]
-        ca = "dockerCA"
-        cert = "dockerCert"
-        key = "dockerKey"
-        insecureSkipVerify = true
-    
-    [ECS]
-      domain = "foo.bar"
-      exposedByDefault = true
-      clusters = ["foo-bar"]
-      region = "us-west-2"
-      accessKeyID = "AccessKeyID"
-      secretAccessKey = "SecretAccessKey"
-    ```
+[api]
 
-??? example "Resulting Obfuscated Configuration"
+[providers.docker]
+  endpoint = "tcp://10.10.10.10:2375"
+  exposedByDefault = true
+  swarmMode = true
 
-    ```toml
-    [entrypoints]
-        [entrypoints.web]
-           address = ":80"
-    
-    [api]
-    
-    [Docker]
-      endpoint = "xxxx"
-      domain = "xxxx"
-      exposedByDefault = true
-      swarmMode = true
-    
-      [Docker.TLS]
-        ca = "xxxx"
-        cert = "xxxx"
-        key = "xxxx"
-        insecureSkipVerify = false
-    
-    [ECS]
-      domain = "xxxx"
-      exposedByDefault = true
-      clusters = []
-      region = "us-west-2"
-      accessKeyID = "xxxx"
-      secretAccessKey = "xxxx"
-    ```
+  [providers.docker.TLS]
+    ca = "dockerCA"
+    cert = "dockerCert"
+    key = "dockerKey"
+    insecureSkipVerify = true
+```
+
+```toml tab="Resulting Obfuscated Configuration"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+
+[api]
+
+[providers.docker]
+  endpoint = "xxxx"
+  exposedByDefault = true
+  swarmMode = true
+
+  [providers.docker.TLS]
+    ca = "xxxx"
+    cert = "xxxx"
+    key = "xxxx"
+    insecureSkipVerify = false
+```
 
 ## The Code for Data Collection
 

docs/content/contributing/documentation.md

@@ -10,7 +10,7 @@ Let's see how.
 
 ### General
 
-This [documentation](http://docs.traefik.io/) is built with [mkdocs](http://mkdocs.org/).
+This [documentation](https://docs.traefik.io/) is built with [mkdocs](https://mkdocs.org/).
 
 ### Method 1: `Docker` and `make`
 

docs/content/contributing/maintainers.md

@@ -15,7 +15,7 @@
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
-* Damien Duportal [@dduportal](https://github.com/dduportal)
+* Mathieu Lonjaret [@mpl](https://github.com/mpl)
 
 ## Contributions Daily Meeting
 
@@ -27,7 +27,7 @@
 * Modifying an issue or a pull request (labels, assignees, milestone) is only possible:
     * During the Contributions Daily Meeting
     * By an assigned maintainer
-    * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, etc)
+    * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, Discourse, etc)
 
 ## PR review process:
 

docs/content/contributing/submitting-issues.md

@@ -11,11 +11,10 @@ To save us some time and get quicker feedback, be sure to follow the guide lines
 !!! important "Getting Help Vs Reporting an Issue"
 
     The issue tracker is not a general support forum, but a place to report bugs and asks for new features.
-    
+
     For end-user related support questions, try using first:
-    
-    - the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
-    - [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
+
+    - the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
 
 ## Issue Title
 

docs/content/contributing/submitting-pull-requests.md

@@ -3,11 +3,11 @@
 A Quick Guide for Efficient Contributions
 {: .subtitle }
 
-So you've decide to improve Traefik? 
+So you've decided to improve Traefik? 
 Thank You! 
 Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
 
-Let's go though the classic pitfalls to make sure everything is right. 
+Let's go through the classic pitfalls to make sure everything is right. 
 
 ## Title
 
@@ -36,10 +36,10 @@ Help the readers focus on what matters, and help them understand the structure o
 - Add tests.
 - Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
 
-!!! note "third-party dependencies"
+!!! note "Third-Party Dependencies"
 
     If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
 
 !!! tip "10 Tips for Better Pull Requests"
 
-    We enjoyed this article, maybe you will too! [10 tips for better pull requests](http://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
+    We enjoyed this article, maybe you will too! [10 tips for better pull requests](https://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).

docs/content/contributing/submitting-security-issues.md

@@ -0,0 +1,16 @@
+# Security
+
+## Security Advisories
+
+We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+## CVE
+
+Reported vulnerabilities can be found on 
+[cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Report a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).

docs/content/contributing/thank-you.md

@@ -8,3 +8,20 @@ and wouldn't have become what it is today without the help of our [many contribu
 not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
 
 So once again, thank you for your invaluable help on making Traefik such a good product.
+
+!!! question "Where to Go Next?"
+    If you want to:
+
+    - Propose and idea, request a feature a report a bug,
+      read the page [Submitting Issues](./submitting-issues.md).
+    - Discover how to make an efficient contribution,
+      read the page [Submitting Pull Requests](./submitting-pull-requests.md).
+    - Learn how to build and test Traefik,
+      the page [Building and Testing](./building-testing.md) is for you.
+    - Contribute to the documentation,
+      read the related page [Documentation](./documentation.md).
+    - Understand how do we learn about Traefik usage,
+      read the [Data Collection](./data-collection.md) page.
+    - Spread the love about Traefik, please check the [Advocating](./advocating.md) page.
+    - Learn about who are the maintainers and how they work on the project,
+      read the [Maintainers](./maintainers.md) page.

docs/content/getting-started/concepts.md

@@ -5,7 +5,8 @@ Everything You Need to Know
 
 ## Edge Router
 
-Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request: it knows all the logic and every rule that determine which services handle which requests (based on the [path](../../routing/routers/#rule), the [host](../../routing/routers/#rule), [headers](../../routing/routers/#rule), [and so on](../../routing/routers/#rule) ...).
+Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
+it knows all the logic and every rule that determine which services handle which requests (based on the [path](../routing/routers/index.md#rule), the [host](../routing/routers/index.md#rule), [headers](../routing/routers/index.md#rule), [and so on](../routing/routers/index.md#rule) ...).
 
 ![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png)
 
@@ -13,20 +14,20 @@ Traefik is an _Edge Router_, it means that it's the door to your platform, and t
 
 Where traditionally edge routers (or reverse proxies) need a configuration file that contains every possible route to your services, Traefik gets them from the services themselves.
 
-Deploying your services, you attach information that tell Traefik the characteristics of the requests the services can handle.
+Deploying your services, you attach information that tells Traefik the characteristics of the requests the services can handle.
 
 ![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
 
 It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
-The opposite is true: when you remove a service from your infrastructure, the route will disapear accordingly.
+The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
 
 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
 
-!!! note "Many different rules"
+!!! info "Many different rules"
 
     In the example above, we used the request [path](../routing/routers/index.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers/index.md#rule).
 
-!!! note "Updating the requests"
+!!! info "Updating the requests"
 
     In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
 

docs/content/getting-started/configuration-overview.md

@@ -1,4 +1,4 @@
-# Configuration Overview
+# Configuration Introduction
 
 How the Magic Happens
 {: .subtitle }
@@ -6,54 +6,57 @@ How the Magic Happens
 ![Configuration](../assets/img/static-dynamic-configuration.png)
 
 Configuration in Traefik can refer to two different things:
-   
+
 - The fully dynamic routing configuration (referred to as the _dynamic configuration_)
 - The startup configuration (referred to as the _static configuration_)
 
-Elements in the _static configuration_ set up connections to [providers](../../providers/overview/) and define the [entrypoints](../../routing/entrypoints/) Traefik will listen to (these elements don't change often).
+Elements in the _static configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
 
 The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
-This configuration can change and is seamlessly hot-reloaded, without any request interuption or connection loss.    
+This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.    
+
+!!! warning "Incompatible Configuration"
+    Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now.
+    If you are running v2, please ensure you are using a v2 configuration.
 
 ## The Dynamic Configuration 
 
-Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): wether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
+Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.
+
+Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../routing/overview.md).
+
+!!! info ""
 
-!!! Note 
-   
     In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
     
-!!! Note
+!!! info "HTTPS Certificates also belong to the dynamic configuration."
     
-    HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance. 
+    You can add / update / remove them without restarting your Traefik instance. 
  
 ## The Static Configuration
 
-There are three different locations where you can define static configuration options in Traefik:
+There are three different, **mutually exclusive** (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:
 
-- In a key-value store
-- In the command-line arguments
-- In a configuration file
+1. In a configuration file
+1. In the command-line arguments
+1. As environment variables
 
-If you don't provide a value for a given option, default values apply.
+These ways are evaluated in the order listed above.
 
-!!! important "Precedence Order"
-
-    The following precedence order applies for configuration options: key-value > command-line > configuration file.
+If no value was provided for a given option, a default value applies.
+Moreover, if an option has sub-options, and any of these sub-options is not specified, a default value will apply as well.
     
-    It means that arguments override configuration file, and key-value store overrides arguments.
-    
-!!! important "Default Values"
-
-    Some root options are enablers: they set default values for all their children. 
-    
-    For example, the `--providers.docker` option enables the docker provider.
-    Once positioned, this option sets (and resets) all the default values under the root `providers.docker`.
-    If you define child options using a lesser precedence configuration source, they will be overwritten by the default values.  
+For example, the `--providers.docker` option is enough by itself to enable the docker provider, even though sub-options like `--providers.docker.endpoint` exist.
+Once positioned, this option sets (and resets) all the default values of the sub-options of `--providers.docker`.
     
 ### Configuration File
 
-At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$HOME/.traefik/`, and `.` (_the working directory_).
+At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` or `traefik.yaml`) in:
+
+- `/etc/traefik/`
+- `$XDG_CONFIG_HOME/`
+- `$HOME/.config/`
+- `.` (_the working directory_).
 
 You can override this using the `configFile` argument.
 
@@ -63,16 +66,22 @@ traefik --configFile=foo/bar/myconfigfile.toml
 
 ### Arguments
 
-Use `traefik --help` to get the list of the available arguments.
+To get the list of all available arguments:
 
-### Key-Value Stores
+```bash
+traefik --help
 
-Traefik supports several Key-value stores:
+# or
 
-- [Consul](https://consul.io)
-- [etcd](https://coreos.com/etcd/)
-- [ZooKeeper](https://zookeeper.apache.org/)
-- [boltdb](https://github.com/boltdb/bolt)
+docker run traefik[:version] --help
+# ex: docker run traefik:2.1 --help
+```
+
+All available arguments can also be found [here](../reference/static-configuration/cli.md).
+
+### Environment Variables
+
+All available environment variables can be found [here](../reference/static-configuration/env.md)
 
 ## Available Configuration Options
 

docs/content/getting-started/install-traefik.md

@@ -0,0 +1,139 @@
+# Install Traefik
+
+You can install Traefik with the following flavors:
+
+* [Use the official Docker image](./#use-the-official-docker-image)
+* [Use the Helm Chart](./#use-the-helm-chart)
+* [Use the binary distribution](./#use-the-binary-distribution)
+* [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
+
+## Use the Official Docker Image
+
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.2/traefik.sample.toml):
+
+```bash
+docker run -d -p 8080:8080 -p 80:80 \
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.2
+```
+
+For more details, go to the [Docker provider documentation](../providers/docker.md)
+
+!!! tip
+
+    * Prefer a fixed version than the latest that could be an unexpected version.
+    ex: `traefik:v2.1.4`
+    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
+    * Any orchestrator using docker images can fetch the official Traefik docker image.
+
+## Use the Helm Chart
+
+!!! warning
+    
+    The Traefik Chart from 
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://docs.traefik.io/v1.7).
+
+Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/containous/traefik-helm-chart>.
+
+Ensure that the following requirements are met:
+
+* Kubernetes 1.14+
+* Helm version 3.x is [installed](https://helm.sh/docs/intro/install/)
+
+Add Traefik's chart repository to Helm:
+
+```bash
+helm repo add traefik https://containous.github.io/traefik-helm-chart
+```
+
+You can update the chart repository by running:
+
+```bash
+helm repo update
+```
+
+And install it with the `helm` command line:
+
+```bash
+helm install traefik traefik/traefik
+```
+
+!!! tip "Helm Features"
+    
+    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
+    For instance, installing the chart in a dedicated namespace:
+
+    ```bash tab="Install in a Dedicated Namespace"
+    kubectl create ns traefik-v2
+    # Install in the namespace "traefik-v2"
+    helm install --namespace=traefik-v2 \
+        traefik traefik/traefik
+    ```
+
+??? example "Installing with Custom Values"
+    
+    You can customize the installation by specifying custom values,
+    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
+    {: #helm-custom-values }
+    
+    The values are not (yet) documented, but are self-explanatory:
+    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+    
+    Example of installation with logging set to `DEBUG`:
+    
+    ```bash tab="Using Helm CLI"
+    helm install --namespace=traefik-v2 \
+        --set="logs.loglevel=DEBUG" \
+        traefik traefik/traefik
+    ```
+    
+    ```yml tab="With a custom values file"
+    # File custom-values.yml
+    ## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
+    logs:
+        loglevel: DEBUG
+    ```
+
+## Use the Binary Distribution
+
+Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
+
+??? info "Check the integrity of the downloaded file"
+
+    ```bash tab="Linux"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    sha256sum ./traefik_${traefik_version}_linux_${arch}.tar.gz
+    ```
+
+    ```bash tab="macOS"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    shasum -a256 ./traefik_${traefik_version}_darwin_amd64.tar.gz
+    ```
+
+    ```powershell tab="Windows PowerShell"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    Get-FileHash ./traefik_${traefik_version}_windows_${arch}.zip -Algorithm SHA256
+    ```
+
+??? info "Extract the downloaded archive"
+
+    ```bash tab="Linux"
+    tar -zxvf traefik_${traefik_version}_linux_${arch}.tar.gz
+    ```
+
+    ```bash tab="macOS"
+    tar -zxvf ./traefik_${traefik_version}_darwin_amd64.tar.gz
+    ```
+
+    ```powershell tab="Windows PowerShell"
+    Expand-Archive traefik_${traefik_version}_windows_${arch}.zip
+    ```
+
+And run it:
+
+```bash
+./traefik --help
+```
+
+## Compile your Binary from the Sources
+
+All the details are available in the [Contributing Guide](../contributing/building-testing.md)

docs/content/getting-started/quick-start.md

@@ -5,9 +5,6 @@ A Simple Use Case Using Docker
 
 ![quickstart-diagram](../assets/img/quickstart-diagram.png)
 
-!!! tip 
-    To save some time, you can clone [Traefik's repository](https://github.com/containous/traefik).
-
 ## Launch Traefik With the Docker Provider
 
 Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image:
@@ -17,13 +14,18 @@ version: '3'
 
 services:
   reverse-proxy:
-    image: traefik # The official Traefik docker image
-    command: --api --docker # Enables the web UI and tells Traefik to listen to docker
+    # The official v2 Traefik docker image
+    image: traefik:v2.2
+    # Enables the web UI and tells Traefik to listen to docker
+    command: --api.insecure=true --providers.docker
     ports:
-      - "80:80"     # The HTTP port
-      - "8080:8080" # The Web UI (enabled by --api)
+      # The HTTP port
+      - "80:80"
+      # The Web UI (enabled by --api.insecure=true)
+      - "8080:8080"
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
 ```
 
 **That's it. Now you can launch Traefik!**
@@ -45,9 +47,10 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
 ```yaml
 # ...
   whoami:
-    image: containous/whoami # A container that exposes an API to show its IP address
+    # A container that exposes an API to show its IP address
+    image: containous/whoami
     labels:
-      - "traefik.router.rule=Host:whoami.docker.localhost"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```
 
 The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on).
@@ -84,7 +87,7 @@ docker-compose up -d --scale whoami=2
 
 Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new instance of the container.
 
-Finally, see that Traefik load-balances between the two instances of your services by running twice the following command:
+Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
 
 ```shell
 curl -H Host:whoami.docker.localhost http://127.0.0.1

docs/content/glossary.md

@@ -9,8 +9,8 @@ Where Every Technical Word finds its Definition`
 - [ ] Routers
 - [ ] Middleware
 - [ ] Service
-- [ ] Static Configuration
-- [ ] Dynamic Configuration
+- [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
+- [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
 - [ ] ACME
 - [ ] TraefikEE
 - [ ] Tracing

docs/content/https-tls/acme.md

@@ -1,333 +0,0 @@
-# ACME
-
-Automatic HTTPS
-{: .subtitle }
-
-You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
-
-!!! warning "Let's Encrypt and Rate Limiting"
-    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
-
-## Configuration Examples
-
-??? example "Enabling ACME"
-
-    ```toml
-    [entrypoints]
-      [entrypoints.web]
-         address = ":80"
-    
-      [entrypoints.http-tls]
-         address = ":443"
-    
-    [acme] # every router with TLS enabled will now be able to use ACME for its certificates
-       email = "your-email@your-domain.org"
-       storage = "acme.json"
-       onHostRule = true # dynamic generation based on the Host() & HostSNI() matchers
-       [acme.httpChallenge]
-          entryPoint = "web" # used during the challenge
-    ```
-
-??? example "Configuring Wildcard Certificates"
-
-    ```toml
-    [entrypoints]
-      [entrypoints.web]
-        address = ":80"
-
-      [entrypoints.http-tls]
-        address = ":443"
-
-    [acme]
-      email = "your-email@your-domain.org"
-      storage = "acme.json"
-      [acme.dnsChallenge]
-        provider = "xxx"
-
-      [[acme.domains]]
-        main = "*.mydomain.com"
-        sans = ["mydomain.com"]
-    ```
-
-!!! note "Configuration Reference"
-
-    There are many available options for ACME. For a quick glance at what's possible, browse the [configuration reference](../reference/acme.md).
-
-## The Different ACME Challenges
-
-### `tlsChallenge`
-
-Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
-
-As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encrypt through port 443.
-
-??? example "Configuring the `tlsChallenge`"
-
-    ```toml
-    [acme]
-       [acme.tlsChallenge]
-    ```
-    
-### `httpChallenge`
-
-Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
-
-As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
-
-??? example "Using an EntryPoint Called http for the `httpChallenge`"
-
-    ```toml
-    [acme]
-       # ...
-       [acme.httpChallenge]
-          entryPoint = "http"
-    ```
-
-!!! note
-    Redirection is fully compatible with the `HTTP-01` challenge.
-
-### `dnsChallenge`
-
-Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
-
-??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
-
-    ```toml
-    [acme]
-       # ...
-       [acme.dnsChallenge]
-          provider = "digitalocean"
-          delayBeforeCheck = 0
-    # ...
-    ```
-
-    !!! important
-        A `provider` is mandatory.
-
-#### `providers`
- 
-Here is a list of supported `providers`, that can automate the DNS verification,
-along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
-Do not hesitate to complete it. 
-
-| Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       | Wildcard & Root Domain Support |
-|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | Not tested yet                 |
-| [Alibaba Cloud](https://www.vultr.com)                      | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | Not tested yet                 |
-| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | Not tested yet                 |
-| [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | Not tested yet                 |
-| [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | Not tested yet                 |
-| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | YES                            |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key`                                               | YES                            |
-| [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | Not tested yet                 |
-| [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | YES                            |
-| [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | YES                            |
-| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | YES                            |
-| [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | Not tested yet                 |
-| [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | Not tested yet                 |
-| [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | YES                            |
-| [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | YES                            |
-| [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | Not tested yet                 |
-| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | YES                            |
-| [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | YES                            |
-| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | YES                            |
-| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | Not tested yet                 |
-| [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | YES                            |
-| [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | Not tested yet                 |
-| [GoDaddy](https://godaddy.com/domains)                      | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | Not tested yet                 |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                        | YES                            |
-| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | Not tested yet                 |
-| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                              | YES                            |
-| [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | Not tested yet                 |
-| [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | YES                            |
-| [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | Not tested yet                 |
-| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | Not tested yet                 |
-| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | Not tested yet                 |
-| manual                                                      | -              | none, but you need to run Traefik interactively, turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>.                      | YES                            |
-| [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | YES                            |
-| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | YES                            |
-| [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | Not tested yet                 |
-| [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | Not tested yet                 |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | Not tested yet                 |
-| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | Not tested yet                 |
-| [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | Not tested yet                 |
-| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | YES                            |
-| [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | YES                            |
-| [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | YES                            |
-| [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | Not tested yet                 |
-| [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | Not tested yet                 |
-| [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | Not tested yet                 |
-| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | YES                            |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | Not tested yet                 |
-| [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | YES                            |
-| [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | Not tested yet                 |
-| [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | YES                            |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | Not tested yet                 |
-| [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | YES                            |
-| [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | Not tested yet                 |
-| [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | YES                            |
-
-[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
-[^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
-
-!!! note "`delayBeforeCheck`"
-    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
-    You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
-    This option is useful when internal networks block external DNS queries.
-
-#### `resolvers`
-
-Use custom DNS servers to resolve the FQDN authority.
-
-```toml
-[acme]
-   # ...
-   [acme.dnsChallenge]
-      # ...
-      resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
-```
-
-#### Wildcard Domains
-
-[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
-As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
-
-```toml
-[acme]
-   # ...
-   [[acme.domains]]
-      main = "*.local1.com"
-      sans = ["local1.com"]
-
-# ...
-```
-
-!!! note "Double Wildcard Certificates"
-    It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
-
-Due to an ACME limitation it is not possible to define wildcards in SANs (alternative domains).
-Thus, the wildcard domain has to be defined as a main domain.
-
-Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
-In this case the generated DNS TXT record for both domains is the same.
-Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
-it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
-
-The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
-The [Supported `provider` table](#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
-
-## Known Domains, SANs
-
-You can set SANs (alternative domains) for each main domain.
-Every domain must have A/AAAA records pointing to Traefik.
-Each domain & SAN will lead to a certificate request.
-
-```toml
-[acme]
-   # ...
-   [[acme.domains]]
-      main = "local1.com"
-      sans = ["test1.local1.com", "test2.local1.com"]
-   [[acme.domains]]
-      main = "local2.com"
-   [[acme.domains]]
-      main = "*.local3.com"
-      sans = ["local3.com", "test1.test1.local3.com"]
-# ...
-```
-
-!!! important
-    The certificates for the domains listed in `acme.domains` are negotiated at Traefik startup only.
-
-!!! note
-    Wildcard certificates can only be verified through a `DNS-01` challenge.
-
-## `caServer`
-
-??? example "Using the Let's Encrypt staging server"
-
-    ```toml
-    [acme]
-       # ...
-       caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-       # ...
-    ```
-
-## `onHostRule`
-
-Enable certificate generation on [routers](../routing/routers/index.md) `Host` & `HostSNI` rules.
-
-This will request a certificate from Let's Encrypt for each router with a Host rule.
-
-```toml
-[acme]
-   # ...
-   onHostRule = true
-   # ...
-```
-
-!!! note "Multiple Hosts in a Rule"
-    The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
-
-!!! warning
-    `onHostRule` option can not be used to generate wildcard certificates. Refer to [wildcard generation](#wildcard-domains) for further information.
-
-## `storage`
-
-The `storage` option sets the location where your ACME certificates are saved to.
-
-```toml
-[acme]
-   # ...
-   storage = "acme.json"
-   # ...
-```
-
-The value can refer to two kinds of storage:
-
-- a JSON file
-- a KV store entry
-
-### In a File
-
-ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
-
-In Docker you can mount either the JSON file, or the folder containing it:
-
-```bash
-docker run -v "/my/host/acme.json:acme.json" traefik
-```
-
-```bash
-docker run -v "/my/host/acme:/etc/traefik/acme" traefik
-```
-
-!!! warning
-    For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead.
-
-### In a a Key Value Store Entry
-
-ACME certificates can be stored in a key-value store entry.
-
-```toml
-storage = "traefik/acme/account"
-```
-
-!!! note "Storage Size"
-
-    Because key-value stores have limited entry size, the certificates list is compressed _before_ it is saved.
-    For example, it is possible to store up to _approximately_ 100 ACME certificates in Consul.
-
-## Fallbacks
-
-If Let's Encrypt is not reachable, the following certificates will apply:
-
-  1. Previously generated ACME certificates (before downtime)
-  1. Expired ACME certificates
-  1. Provided certificates
-
-!!! note
-    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

docs/content/https-tls/overview.md

@@ -1,145 +0,0 @@
-# HTTPS & TLS
-
-Traefik supports HTTPS & TLS, and is able to accept new certificates / updates over time (without being restarted).
-TLS is enabled at the [router](../routing/routers/index.md) level, but some options are configured in dedicated sections (`tlsOptions` & `tlsStores`) described in this section.
-
-## Configuration Example
-
-??? example "Configuring a Default Certificate"
-
-    ```toml
-    [tlsStores]
-     [tlsStores.default]
-       [tlsStores.default.defaultCertificate]
-         certFile = "path/to/cert.crt"
-         keyFile  = "path/to/cert.key"
-    ```
-
-??? example "Configuring a Minimum TLS Version"
-
-    ```toml
-    [tlsOptions]
-      [tlsOptions.default]
-        minVersion = "VersionTLS12"
-    ```
-
-??? example "Defining Certificates"
-
-    ```toml
-    [[tls]]
-      [tls.certificate]
-         certFile = "/path/to/domain.cert"
-         keyFile = "/path/to/domain.key"
-
-    [[tls]]
-      [tls.certificate]
-         certFile = "/path/to/other-domain.cert"
-         keyFile = "/path/to/other-domain.key"
-    ```
-
-!!! important "File Provider Only"
-    
-    In the above example, we've used the [file provider](../providers/file.md) to handle the TLS configuration (tlsStores, tlsOptions, and TLS certificates).
-    In its current alpha version, it is the only available method to configure these elements.
-    Of course, these options are hot reloaded and can be updated at runtime (they belong to the [dynamic configuration](../getting-started/configuration-overview.md)).
-
-## Configuration Options
-
-### Dynamic Certificates
-
-To add / remove TLS certificates while Traefik is running, the [file provider](../providers/file.md) supports Dynamic TLS certificates in its `[[tls]]` section.
-
-!!! example "Defining Certificates"
-
-    ```toml
-    [[tls]]
-      stores = ["default"]
-      [tls.certificate]
-         certFile = "/path/to/domain.cert"
-         keyFile = "/path/to/domain.key"
-
-    [[tls]]
-      stores = ["default"]
-      [tls.certificate]
-         certFile = "/path/to/other-domain.cert"
-         keyFile = "/path/to/other-domain.key"
-    ```
-
-    ??? note "Stores"
-
-        During the alpha version, the stores option will be ignored and be automatically set to ["default"].
-
-### Mutual Authentication
-
-Traefik supports both optional and non optional (defaut value) mutual authentication.
-
-- When `optional = false`, Traefik accepts connections only from client presenting a certificate signed by a CA listed in `ClientCA.files`.
-- When `optional = true`, Traefik authorizes connections from client presenting a certificate signed by an unknown CA.
-
-!!! example "Non Optional Mutual Authentication"
-
-    In the following example, both `snitest.com` and `snitest.org` will require client certificates.
-
-    ```toml
-    [tlsOptions]
-       [tlsOptions.default]
-          [tlsOptions.default.ClientCA]
-            files = ["tests/clientca1.crt", "tests/clientca2.crt"]
-            optional = false
-    ```
-
-    ??? note "ClientCA.files"
-
-        You can use a file per `CA:s`, or a single file containing multiple `CA:s` (in `PEM` format).
-
-        `ClientCA.files` is not optional: every client will have to present a valid certificate. (This requirement will apply to every server certificate declared in the entrypoint.)
-
-### Minimum TLS Version
-
-!!! example "Min TLS version & [cipherSuites](https://godoc.org/crypto/tls#pkg-constants)"
-
-    ```toml
-    [tlsOptions]
-      [tlsOptions.default]
-          minVersion = "VersionTLS12"
-          cipherSuites = [
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_RSA_WITH_AES_256_GCM_SHA384"
-          ]
-    ```
-
-### Strict SNI Checking
-
-With strict SNI checking, Traefik won't allow connections without a matching certificate.
-
-!!! example "Strict SNI"
-
-    ```toml
-    [tlsOptions]
-      [tlsOptions.default]
-        sniStrict = true
-    ```
-
-### Default Certificate
-
-Traefik can use a default certificate for connections without a SNI, or without a matching domain.
-
-If no default certificate is provided, Traefik generates and uses a self-signed certificate.
-
-!!! example "Setting a Default Certificate"
-
-    ```toml
-    [tlsStores]
-     [tlsStores.default]
-       [tlsStores.default.defaultCertificate]
-         certFile = "path/to/cert.crt"
-         keyFile  = "path/to/cert.key"
-    ```
-
-    ??? note "Only One Default Certificate"
-
-        There can only be one `defaultCertificate` per tlsOptions.
-
-    ??? note "Default TLS Store"
-
-        During the alpha version, there is only one globally available TLS Store (`default`).

docs/content/https/acme.md

@@ -0,0 +1,486 @@
+# Let's Encrypt
+
+Automatic HTTPS
+{: .subtitle }
+
+You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
+
+!!! warning "Let's Encrypt and Rate Limiting"
+    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
+
+    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
+    when experimenting to avoid hitting this limit too fast.
+    
+## Certificate Resolvers
+
+Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
+which are responsible for retrieving certificates from an ACME server.
+
+Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
+and is associated to a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).
+
+Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).
+
+You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
+
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+??? note "Configuration Reference"
+    
+    There are many available options for ACME.
+    For a quick glance at what's possible, browse the configuration reference:
+    
+    ```toml tab="File (TOML)"
+    --8<-- "content/https/ref-acme.toml"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    --8<-- "content/https/ref-acme.yaml"
+    ```
+    
+    ```bash tab="CLI"
+    --8<-- "content/https/ref-acme.txt"
+    ```
+
+## Domain Definition
+
+Certificate resolvers request certificates for a set of the domain names 
+inferred from routers, with the following logic:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
+
+- If no [`tls.domains`](../routing/routers/index.md#domains) option is set, 
+  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule), 
+  by checking the `Host()` matchers. 
+  Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
+
+Please note that:
+
+- When multiple domain names are inferred from a given router,
+  only **one** certificate is requested with the first domain name as the main domain,
+  and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
+
+- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
+  any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.
+
+Please check the [configuration examples below](#configuration-examples) for more details.
+
+## Configuration Examples
+
+??? example "Enabling ACME"
+    
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+    
+      [entryPoints.websecure]
+        address = ":443"
+    
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@example.com"
+      storage = "acme.json"
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        # used during the challenge
+        entryPoint = "web"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+    
+      websecure:
+        address: ":443"
+    
+    certificatesResolvers:
+      myresolver:
+        acme:
+          email: your-email@example.com
+          storage: acme.json
+          httpChallenge:
+            # used during the challenge
+            entryPoint: web
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    # ...
+    --certificatesResolvers.myresolver.acme.email=your-email@example.com
+    --certificatesResolvers.myresolver.acme.storage=acme.json
+    # used during the challenge
+    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
+    ```
+
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+??? example "Single Domain from Router's Rule Example"
+    
+    * A certificate for the domain `example.com` is requested:
+
+    --8<-- "content/https/include-acme-single-domain-example.md"
+
+??? example "Multiple Domains from Router's Rule Example"
+ 
+    * A certificate for the domains `example.com` (main) and `blog.example.org`
+      is requested:
+    
+    --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
+    
+??? example "Multiple Domains from Router's `tls.domain` Example"
+
+    * A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
+      is requested:
+      
+    --8<-- "content/https/include-acme-multiple-domains-example.md"
+
+## Automatic Renewals
+
+Traefik automatically tracks the expiry date of ACME certificates it generates.
+
+If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
+
+!!! info ""
+    Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
+
+## Using LetsEncrypt with Kubernetes
+
+When using LetsEncrypt with kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.
+
+!!! info ""
+    If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.
+
+## The Different ACME Challenges
+
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+### `tlsChallenge`
+
+Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
+
+As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
+when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encrypt through port 443.
+
+??? example "Configuring the `tlsChallenge`"
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
+    ```
+
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      myresolver:
+        acme:
+          # ...
+          tlsChallenge: {}
+    ```
+    
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.myresolver.acme.tlsChallenge=true
+    ```
+
+### `httpChallenge`
+
+Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
+
+As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
+when using the `HTTP-01` challenge, `certificatesResolvers.myresolver.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+
+??? example "Using an EntryPoint Called web for the `httpChallenge`"
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      
+      [entryPoints.websecure]
+        address = ":443"
+    
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        entryPoint = "web"
+    ```
+
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+    
+      websecure:
+        address: ":443"
+    
+    certificatesResolvers:
+      myresolver:
+        acme:
+          # ...
+          httpChallenge:
+            entryPoint: web
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    # ...
+    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
+    ```
+
+!!! info ""
+    Redirection is fully compatible with the `HTTP-01` challenge.
+
+### `dnsChallenge`
+
+Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
+
+??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.dnsChallenge]
+        provider = "digitalocean"
+        delayBeforeCheck = 0
+    # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      myresolver:
+        acme:
+          # ...
+          dnsChallenge:
+            provider: digitalocean
+            delayBeforeCheck: 0
+        # ...
+    ```
+    
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.myresolver.acme.dnsChallenge.provider=digitalocean
+    --certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0
+    # ...
+    ```
+
+    !!! important
+        A `provider` is mandatory.
+
+#### `providers`
+ 
+Here is a list of supported `providers`, that can automate the DNS verification,
+along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
+Do not hesitate to complete it.
+
+Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
+For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
+
+| Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
+|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
+| [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
+| [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
+| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
+| [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
+| [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
+| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
+| [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
+| [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
+| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
+| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
+| [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
+| [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
+| [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
+| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
+| [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
+| [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
+| [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
+| [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
+| [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
+| [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
+| [Dynu](https://www.dynu.com)                                | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
+| [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
+| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
+| [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
+| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/fastdns)      |
+| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
+| [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
+| [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
+| [GoDaddy](https://godaddy.com/)                             | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
+| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
+| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
+| [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
+| [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
+| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
+| [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
+| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
+| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
+| [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
+| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
+| [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
+| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
+| [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
+| [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
+| [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
+| [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
+| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
+| [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
+| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
+| [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
+| [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
+| [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
+| [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
+| [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
+| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
+| [RimuHosting](https://rimuhosting.com)                      | `rimuhosting`  | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)  |
+| [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
+| [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
+| [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
+| [Servercow](https://servercow.de)                           | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
+| [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
+| [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
+| [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
+| [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
+| [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
+| [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
+| [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
+| [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
+
+[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
+[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
+[^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
+[^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
+[^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
+
+!!! info "`delayBeforeCheck`"
+    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
+    You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
+    This option is useful when internal networks block external DNS queries.
+
+#### `resolvers`
+
+Use custom DNS servers to resolve the FQDN authority.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+```
+
+#### Wildcard Domains
+
+[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
+As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
+
+## More Configuration
+
+### `caServer`
+
+_Required, Default="https://acme-v02.api.letsencrypt.org/directory"_
+
+The CA server to use:
+
+- Let's Encrypt production server: https://acme-v02.api.letsencrypt.org/directory
+- Let's Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory
+
+??? example "Using the Let's Encrypt staging server"
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+      # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      myresolver:
+        acme:
+          # ...
+          caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+          # ...
+    ```
+
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+    # ...
+    ```
+
+### `storage`
+
+_Required, Default="acme.json"_
+
+The `storage` option sets the location where your ACME certificates are saved to.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  storage = "acme.json"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      storage: acme.json
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesResolvers.myresolver.acme.storage=acme.json
+# ...
+```
+
+ACME certificates are stored in a JSON file that needs to have a `600` file mode.
+
+In Docker you can mount either the JSON file, or the folder containing it:
+
+```bash
+docker run -v "/my/host/acme.json:/acme.json" traefik
+```
+
+```bash
+docker run -v "/my/host/acme:/etc/traefik/acme" traefik
+```
+
+!!! warning
+    For concurrency reason, this file cannot be shared across multiple instances of Traefik.
+
+## Fallback
+
+If Let's Encrypt is not reachable, the following certificates will apply:
+
+  1. Previously generated ACME certificates (before downtime)
+  1. Expired ACME certificates
+  1. Provided certificates
+
+!!! important
+    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

docs/content/https/include-acme-multiple-domains-example.md

@@ -0,0 +1,91 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.routers.blog.tls.domains[0].main=example.org
+    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`example.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: myresolver
+    domains:
+    - main: example.org
+      sans:
+      - *.example.org
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "Host(`example.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver" # From static configuration
+      [[http.routers.blog.tls.domains]]
+        main = "example.org"
+        sans = ["*.example.org"]
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`example.com`) && Path(`/blog`)"
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: "example.org"
+            sans:
+              - "*.example.org"
+```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certresolver: myresolver
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
+      tls:
+        certResolver: myresolver
+```

docs/content/https/include-acme-single-domain-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`example.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certresolver: myresolver
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+  rule = "Host(`example.com`) && Path(`/blog`)"
+  [http.routers.blog.tls]
+    certResolver = "myresolver"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`example.com`) && Path(`/blog`)"
+      tls:
+        certResolver: myresolver
+```

docs/content/https/overview.md

@@ -0,0 +1,16 @@
+# HTTPS & TLS
+
+Overview
+{: .subtitle }
+
+Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration:
+routers, and the TLS connection (and its underlying certificates).
+
+When a router has to handle HTTPS traffic,
+it should be specified with a `tls` field of the router definition.
+See the TLS section of the [routers documentation](../routing/routers/index.md#tls).
+
+The next sections of this documentation explain how to configure the TLS connection itself.
+That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
+either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
+And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).

docs/content/https/ref-acme.toml

@@ -0,0 +1,89 @@
+# Enable ACME (Let's Encrypt): automatic SSL.
+[certificatesResolvers.myresolver.acme]
+
+  # Email address used for registration.
+  #
+  # Required
+  #
+  email = "test@example.com"
+
+  # File or key used for certificates storage.
+  #
+  # Required
+  #
+  storage = "acme.json"
+
+  # CA server to use.
+  # Uncomment the line to use Let's Encrypt's staging server,
+  # leave commented to go to prod.
+  #
+  # Optional
+  # Default: "https://acme-v02.api.letsencrypt.org/directory"
+  #
+  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+  # KeyType to use.
+  #
+  # Optional
+  # Default: "RSA4096"
+  #
+  # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+  #
+  # keyType = "RSA4096"
+
+  # Use a TLS-ALPN-01 ACME challenge.
+  #
+  # Optional (but recommended)
+  #
+  [certificatesResolvers.myresolver.acme.tlsChallenge]
+
+  # Use a HTTP-01 ACME challenge.
+  #
+  # Optional
+  #
+  # [certificatesResolvers.myresolver.acme.httpChallenge]
+
+    # EntryPoint to use for the HTTP-01 challenges.
+    #
+    # Required
+    #
+    # entryPoint = "web"
+
+  # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+  # Note: mandatory for wildcard certificate generation.
+  #
+  # Optional
+  #
+  # [certificatesResolvers.myresolver.acme.dnsChallenge]
+
+    # DNS provider used.
+    #
+    # Required
+    #
+    # provider = "digitalocean"
+
+    # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+    # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+    # Useful if internal networks block external DNS queries.
+    #
+    # Optional
+    # Default: 0
+    #
+    # delayBeforeCheck = 0
+
+    # Use following DNS servers to resolve the FQDN authority.
+    #
+    # Optional
+    # Default: empty
+    #
+    # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+
+    # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+    #
+    # NOT RECOMMENDED:
+    # Increase the risk of reaching Let's Encrypt's rate limits.
+    #
+    # Optional
+    # Default: false
+    #
+    # disablePropagationCheck = true

docs/content/https/ref-acme.txt

@@ -0,0 +1,88 @@
+# Enable ACME (Let's Encrypt): automatic SSL.
+
+# Email address used for registration.
+#
+# Required
+#
+--certificatesResolvers.myresolver.acme.email=test@example.com
+
+# File or key used for certificates storage.
+#
+# Required
+#
+--certificatesResolvers.myresolver.acme.storage=acme.json
+
+# CA server to use.
+# Uncomment the line to use Let's Encrypt's staging server,
+# leave commented to go to prod.
+#
+# Optional
+# Default: "https://acme-v02.api.letsencrypt.org/directory"
+#
+--certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+
+# KeyType to use.
+#
+# Optional
+# Default: "RSA4096"
+#
+# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+#
+--certificatesResolvers.myresolver.acme.keyType=RSA4096
+
+# Use a TLS-ALPN-01 ACME challenge.
+#
+# Optional (but recommended)
+#
+--certificatesResolvers.myresolver.acme.tlsChallenge=true
+
+# Use a HTTP-01 ACME challenge.
+#
+# Optional
+#
+--certificatesResolvers.myresolver.acme.httpChallenge=true
+
+# EntryPoint to use for the HTTP-01 challenges.
+#
+# Required
+#
+--certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
+
+# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+# Note: mandatory for wildcard certificate generation.
+#
+# Optional
+#
+--certificatesResolvers.myresolver.acme.dnsChallenge=true
+
+# DNS provider used.
+#
+# Required
+#
+--certificatesResolvers.myresolver.acme.dnsChallenge.provider=digitalocean
+
+# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+# Useful if internal networks block external DNS queries.
+#
+# Optional
+# Default: 0
+#
+--certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0
+
+# Use following DNS servers to resolve the FQDN authority.
+#
+# Optional
+# Default: empty
+#
+--certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+
+# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+#
+# NOT RECOMMENDED:
+# Increase the risk of reaching Let's Encrypt's rate limits.
+#
+# Optional
+# Default: false
+#
+--certificatesResolvers.myresolver.acme.dnsChallenge.disablePropagationCheck=true

docs/content/https/ref-acme.yaml

@@ -0,0 +1,93 @@
+certificatesResolvers:
+  myresolver:
+    # Enable ACME (Let's Encrypt): automatic SSL.
+    acme:
+
+      # Email address used for registration.
+      #
+      # Required
+      #
+      email: "test@example.com"
+
+      # File or key used for certificates storage.
+      #
+      # Required
+      #
+      storage: "acme.json"
+
+      # CA server to use.
+      # Uncomment the line to use Let's Encrypt's staging server,
+      # leave commented to go to prod.
+      #
+      # Optional
+      # Default: "https://acme-v02.api.letsencrypt.org/directory"
+      #
+      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+      # KeyType to use.
+      #
+      # Optional
+      # Default: "RSA4096"
+      #
+      # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+      #
+      # keyType: RSA4096
+
+      # Use a TLS-ALPN-01 ACME challenge.
+      #
+      # Optional (but recommended)
+      #
+      tlsChallenge:
+
+      # Use a HTTP-01 ACME challenge.
+      #
+      # Optional
+      #
+      # httpChallenge:
+
+        # EntryPoint to use for the HTTP-01 challenges.
+        #
+        # Required
+        #
+        # entryPoint: web
+
+      # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+      # Note: mandatory for wildcard certificate generation.
+      #
+      # Optional
+      #
+      # dnsChallenge:
+
+        # DNS provider used.
+        #
+        # Required
+        #
+        # provider: digitalocean
+
+        # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+        # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+        # Useful if internal networks block external DNS queries.
+        #
+        # Optional
+        # Default: 0
+        #
+        # delayBeforeCheck: 0
+
+        # Use following DNS servers to resolve the FQDN authority.
+        #
+        # Optional
+        # Default: empty
+        #
+        # resolvers
+        # - "1.1.1.1:53"
+        # - "8.8.8.8:53"
+
+        # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+        #
+        # NOT RECOMMENDED:
+        # Increase the risk of reaching Let's Encrypt's rate limits.
+        #
+        # Optional
+        # Default: false
+        #
+        # disablePropagationCheck: true

docs/content/https/tls.md

@@ -0,0 +1,434 @@
+# TLS
+
+Transport Layer Security
+{: .subtitle }
+
+## Certificates Definition
+
+### Automated
+
+See the [Let's Encrypt](./acme.md) page.
+
+### User defined
+
+To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
+
+[[tls.certificates]]
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  certificates:
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
+```
+
+!!! important "Restriction"
+
+    In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
+    It is the only available method to configure the certificates (as well as the options and the stores).
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
+
+## Certificates Stores
+
+In Traefik, certificates are grouped together in certificates stores, which are defined as such:
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  stores:
+    default: {}
+```
+
+!!! important "Restriction"
+
+    Any store definition other than the default one (named `default`) will be ignored,
+    and there is thefore only one globally available TLS store.
+
+In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
+  stores = ["default"]
+
+[[tls.certificates]]
+  # Note that since no store is defined,
+  # the certificate below will be stored in the `default` store.
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  certificates:
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+      stores:
+        - default
+    # Note that since no store is defined,
+    # the certificate below will be stored in the `default` store.
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
+```
+
+!!! important "Restriction"
+
+    The `stores` list will actually be ignored and automatically set to `["default"]`.
+
+### Default Certificate
+
+Traefik can use a default certificate for connections without a SNI, or without a matching domain.
+This default certificate should be defined in a TLS store:
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
+      certFile = "path/to/cert.crt"
+      keyFile  = "path/to/cert.key"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: path/to/cert.crt
+        keyFile: path/to/cert.key
+```
+
+If no default certificate is provided, Traefik generates and uses a self-signed certificate.
+
+## TLS Options
+
+The TLS options allow one to configure some parameters of the TLS connection.
+
+### Minimum TLS Version
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+
+  [tls.options.mintls13]
+    minVersion = "VersionTLS13"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+
+    mintls13:
+      minVersion: VersionTLS13
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  minVersion: VersionTLS12
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: mintls13
+  namespace: default
+
+spec:
+  minVersion: VersionTLS13
+```
+
+### Maximum TLS Version
+
+We discourages the use of this setting to disable TLS1.3.
+
+The right approach is to update the clients to support TLS1.3.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    maxVersion = "VersionTLS13"
+
+  [tls.options.maxtls12]
+    maxVersion = "VersionTLS12"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      maxVersion: VersionTLS13
+
+    maxtls12:
+      maxVersion: VersionTLS12
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS13
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: maxtls12
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS12
+```
+
+### Cipher Suites
+
+See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  cipherSuites:
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+```
+
+!!! important "TLS 1.3"
+
+    Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. (<https://tools.ietf.org/html/rfc8446>)  
+    With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
+    <https://golang.org/doc/go1.12#tls_1_3>
+
+### Curve Preferences
+
+This option allows to set the preferred elliptic curves in a specific order.
+
+The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.
+
+See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    curvePreferences = ["CurveP521", "CurveP384"]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  curvePreferences:
+    - CurveP521
+    - CurveP384
+```
+
+### Strict SNI Checking
+
+With strict SNI checking, Traefik won't allow connections from clients connections
+that do not specify a server_name extension.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    sniStrict = true
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      sniStrict: true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  sniStrict: true
+```
+
+### Prefer Server Cipher Suites
+
+This option allows the server to choose its most preferred cipher suite instead of the client's.
+Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    preferServerCipherSuites = true
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      preferServerCipherSuites: true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  preferServerCipherSuites: true
+```
+
+### Client Authentication (mTLS)
+
+Traefik supports mutual authentication, through the `clientAuth` section.
+
+For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
+ 
+The `clientAuth.clientAuthType` option governs the behaviour as follows:
+
+- `NoClientCert`: disregards any client certificate.
+- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
+- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
+- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`. 
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    [tls.options.default.clientAuth]
+      # in PEM format. each file can contain multiple CAs.
+      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+      clientAuthType = "RequireAndVerifyClientCert"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      clientAuth:
+        # in PEM format. each file can contain multiple CAs.
+        caFiles:
+          - tests/clientca1.crt
+          - tests/clientca2.crt
+        clientAuthType: RequireAndVerifyClientCert
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  clientAuth:
+    secretNames:
+      - secretCA
+    clientAuthType: RequireAndVerifyClientCert
+```

docs/content/includes/more-on-command-line.md

@@ -1 +0,0 @@
-To learn more about configuration options in the command line, refer to the [configuration overview](../getting-started/configuration-overview.md)

docs/content/includes/more-on-configuration-file.md

@@ -1 +0,0 @@
-To learn more about the configuration file, refer to [configuration overview](../getting-started/configuration-overview.md)

docs/content/includes/more-on-entrypoints.md

@@ -1,2 +0,0 @@
-!!! info "More On Entrypoints"
-    Learn more about entrypoints and their configuration options in the dedicated section.

docs/content/includes/more-on-key-value-store.md

@@ -1 +0,0 @@
-To learn more about configuration in key-value stores, refer to the [configuration overview](../getting-started/configuration-overview.md)

docs/content/includes/more-on-routers.md

@@ -1,2 +0,0 @@
-!!! info "More On Routers"
-    Learn more about routers and their configuration options in the [dedicated section](../routing/routers/index.md).

docs/content/index.md

@@ -18,6 +18,11 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 -- The Traefik Maintainer Team 
 
-!!! Note
+!!! info
 
-    If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 
+    Join our user friendly and active [Community Forum](https://community.containo.us) to discuss, learn, and connect with the traefik community.
+    
+    If you're a business running critical services behind Traefik,
+    know that [Containous](https://containo.us), the company that sponsors Traefik's development,
+    can provide [commercial support](https://info.containo.us/commercial-services)
+    and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.

docs/content/middlewares/addprefix.md

@@ -9,37 +9,59 @@ The AddPrefix middleware updates the URL Path of the request before forwarding i
 
 ## Configuration Examples
 
-??? example "File -- Prefixing with /foo"
+```yaml tab="Docker"
+# Prefixing with /foo
+labels:
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.add-foo.AddPrefix]
-         prefix = "/foo"
-    ```
+```yaml tab="Kubernetes"
+# Prefixing with /foo
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: add-foo
+spec:
+  addPrefix:
+    prefix: /foo
+```
 
-??? example "Docker -- Prefixing with /bar"
+```yaml tab="Consul Catalog"
+# Prefixing with /foo
+- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
 
-    ```yaml
-    a-container:
-      image: a-container-image 
-        labels:
-          - "traefik.http.middlewares.add-bar.addprefix.prefix=/bar"
-    ```
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
+}
+```
 
-??? example "Kubernetes -- Prefixing with /bar"
+```yaml tab="Rancher"
+# Prefixing with /foo
+labels:
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
 
-    ```yaml
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: Middleware
-    metadata:
-      name: addprefix
-    spec:
-      addprefix:
-        prefix: /bar
-    ```
+```toml tab="File (TOML)"
+# Prefixing with /foo
+[http.middlewares]
+  [http.middlewares.add-foo.addPrefix]
+    prefix = "/foo"
+```
+
+```yaml tab="File (YAML)"
+# Prefixing with /foo
+http:
+  middlewares:
+    add-foo:
+      addPrefix:
+        prefix: "/foo"
+```
 
 ## Configuration Options
 
-### prefix
+### `prefix`
 
-`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).
+`prefix` is the string to add before the current path in the requested URL.
+It should include the leading slash (`/`).

docs/content/middlewares/basicauth.md

@@ -9,75 +9,369 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 
 ## Configuration Examples
 
-??? example "File -- Declaring the user list"
+```yaml tab="Docker"
+# Declaring the user list
+#
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-auth.basicauth]
-      users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
-      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
-    ```
+```yaml tab="Kubernetes"
+# Declaring the user list
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: secretName
+```
 
-??? example "Docker -- Using an external file for the authorized users"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
 
-    ```yml
-    a-container:
-          image: a-container-image 
-            labels:
-              - "traefik.http.middlewares.declared-users-only.basicauth.usersFile=path-to-file.ext",
-    ```
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
 
 ## Configuration Options
 
 ### General
 
-Passwords must be encoded using MD5, SHA1, or BCrypt.
+Passwords must be hashed using MD5, SHA1, or BCrypt.
 
 !!! tip 
-   
+
     Use `htpasswd` to generate the passwords.
 
-### users
+### `users`
 
-The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
+The `users` option is an array of authorized users. Each user will be declared using the `name:hashed-password` format.
 
-!!! Note
+!!! note ""
     
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-### usersFile
+```yaml tab="Docker"
+# Declaring the user list
+#
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create a user:password pair, the following command can be used:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Kubernetes"
+# Declaring the user list
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: authsecret
+
+---
+# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
+# To create an encoded user:password pair, the following command can be used:
+# htpasswd -nb user password | openssl base64
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```yaml tab="Consul Catalog"
+# Declaring the user list
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    users = [
+      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+### `usersFile`
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
 
-The file content is a list of `name:encoded-password`.
+The file content is a list of `name:hashed-password`.
+
+!!! note ""
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        usersFile: "/path/to/my/usersfile"
+```
 
 ??? example "A file containing test/test and test2/test2"
 
-    ```
+    ```txt
     test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
     test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
     ```
 
-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
-### realm
+### `realm`
 
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
 
-### headerField
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
 
-You can customize the header field for the authenticated user using the `headerField`option.
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    realm: MyRealm
+```
 
-??? example "File -- Passing Authenticated Users to Services Via Headers"
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
 
-    ```toml
-      [http.middlewares.my-auth.basicauth]
-        usersFile = "path-to-file.ext"
-        headerField = "X-WebAuth-User" # header for the authenticated user
-    ```
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
+}
+```
 
-### removeHeader
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    realm = "MyRealm"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        realm: "MyRealm"
+```
+
+### `headerField`
+
+You can define a header field to store the authenticated user using the `headerField`option.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: my-auth
+spec:
+  basicAuth:
+    # ...
+    headerField: X-WebAuth-User
+```
+
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
+}
+```
+
+```toml tab="File (TOML)"
+[http.middlewares.my-auth.basicAuth]
+  # ...
+  headerField = "X-WebAuth-User"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    my-auth:
+      basicAuth:
+        # ...
+        headerField: "X-WebAuth-User"
+```
+
+### `removeHeader`
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    removeHeader: true
+```
+
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    removeHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        removeHeader: true
+```

docs/content/middlewares/buffering.md

@@ -13,56 +13,305 @@ This can help services deal with large data (multipart/form-data for example), a
 
 ## Configuration Examples
 
-??? example "File -- Sets the maximum request body to 2Mb"
-    
-    ```toml
-    [http.middlewares]
-      [http.middlewares.2Mb-limit.buffering]
-          maxRequestBodyBytes = 250000
-    ``` 
+```yaml tab="Docker"
+# Sets the maximum request body to 2Mb
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
 
-??? example "Docker -- Buffers 1Mb of the request in memory, then writes to disk"
+```yaml tab="Kubernetes"
+# Sets the maximum request body to 2Mb
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    maxRequestBodyBytes: 2000000
+```
 
-    ```yaml
-    a-container:
-      image: a-container-image 
-        labels:
-          - "traefik.http.middlewares.1Mb-memory.buffering.memRequestBodyBytes=125000",
-    ```
+```yaml tab="Consul Catalog"
+# Sets the maximum request body to 2Mb
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+# Sets the maximum request body to 2Mb
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+# Sets the maximum request body to 2Mb
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+# Sets the maximum request body to 2Mb
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxRequestBodyBytes: 2000000
+```
 
 ## Configuration Options
 
-### maxRequestBodyBytes
+### `maxRequestBodyBytes`
 
 With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
 
-If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
+If the request exceeds the allowed size, it is not forwarded to the service and the client gets a `413 (Request Entity Too Large)` response.
 
-### memRequestBodyBytes
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
 
-You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    maxRequestBodyBytes: 2000000
+```
 
-### maxResponseBodyBytes
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxRequestBodyBytes: 2000000
+```
+
+### `memRequestBodyBytes`
+
+You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    memRequestBodyBytes: 2000000
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memRequestBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        memRequestBodyBytes: 2000000
+```
+
+### `maxResponseBodyBytes`
 
 With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
 
 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
 
-### memResponseBodyBytes
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
 
-You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    maxResponseBodyBytes: 2000000
+```
 
-### retryExpression
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxResponseBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxResponseBodyBytes: 2000000
+```
+
+### `memResponseBodyBytes`
+
+You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    memResponseBodyBytes: 2000000
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memResponseBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        memResponseBodyBytes: 2000000
+```
+
+### `retryExpression`
 
 You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
 
-!!! example "Retries once in case of a network error"
+??? example "Retries once in case of a network error"
     
-    ```
-    retryExpression = "IsNetworkError() && Attempts() < 2"
+    ```yaml tab="Docker"
+    labels:
+      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
     
-Available functions for the retry expression are:
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: limit
+    spec:
+      buffering:
+        retryExpression: "IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```yaml tab="Consul Catalog"
+    - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+        
+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
+    }
+    ```
+    
+    ```yaml tab="Rancher"
+    labels:
+      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```toml tab="File (TOML)"
+    [http.middlewares]
+      [http.middlewares.limit.buffering]
+        retryExpression = "IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    http:
+      middlewares:
+        limit:
+          buffering:
+            retryExpression: "IsNetworkError() && Attempts() < 2"
+    ```
+
+The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`). At least one function is required:
 
 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service

docs/content/middlewares/chain.md

@@ -1,6 +1,6 @@
 # Chain
 
-When One Isn't Enougth
+When One Isn't Enough
 {: .subtitle }
 
 ![Chain](../assets/img/middleware/chain.png)
@@ -10,31 +10,179 @@ It makes reusing the same groups easier.
 
 ## Configuration Example
 
-??? example "A Chain for WhiteList, BasicAuth, and HTTPS"
-    
-    ```toml
-    # ...    
-    [http.routers]
-        [http.routers.router1]
-            service = "service1"
-            middlewares = ["secured"]
-            rule = "Host: mydomain"
-    
-    [http.middlewares]
-        [http.middlewares.secured.Chain]
-            middlewares = ["https-only", "known-ips", "auth-users"]
-            
-        [http.middlewares.auth-users.BasicAuth]
-            users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
-        [http.middlewares.https-only.SchemeRedirect]
-            scheme = "https"
-        [http.middlewares.known-ips.ipWhiteList]
-            sourceRange = ["192.168.1.7", "x.x.x.x", "x.x.x.x"]
-    
-    [http.services]
-      [http.services.service1]
-        [http.services.service1.LoadBalancer]
-          [[http.services.service1.LoadBalancer.Servers]]
-            URL = "http://127.0.0.1:80"
-            Weight = 1
-    ```
+Example "A Chain for WhiteList, BasicAuth, and HTTPS"
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "http.services.service1.loadbalancer.server.port=80"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: test
+  namespace: default
+
+spec:
+  entryPoints:
+    - web
+
+  routes:
+    - match: Host(`mydomain`)
+      kind: Rule
+      services:
+        - name: whoami
+          port: 80
+      middlewares:
+        - name: secured
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: secured
+spec:
+  chain:
+    middlewares:
+    - name: https-only
+    - name: known-ips
+    - name: auth-users
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth-users
+spec:
+  basicAuth:
+    users:
+    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: https-only
+spec:
+  redirectScheme:
+    scheme: https
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: known-ips
+spec:
+  ipWhiteList:
+    sourceRange:
+    - 192.168.1.7
+    - 127.0.0.1/32
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.routers.router1.service=service1"
+- "traefik.http.routers.router1.middlewares=secured"
+- "traefik.http.routers.router1.rule=Host(`mydomain`)"
+- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "http.services.service1.loadbalancer.server.port=80"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.router1.service": "service1",
+  "traefik.http.routers.router1.middlewares": "secured",
+  "traefik.http.routers.router1.rule": "Host(`mydomain`)",
+  "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
+  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
+  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
+  "http.services.service1.loadbalancer.server.port": "80"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "http.services.service1.loadbalancer.server.port=80"
+```
+
+```toml tab="File (TOML)"
+# ...    
+[http.routers]
+  [http.routers.router1]
+    service = "service1"
+    middlewares = ["secured"]
+    rule = "Host(`mydomain`)"
+
+[http.middlewares]
+  [http.middlewares.secured.chain]
+    middlewares = ["https-only", "known-ips", "auth-users"]
+
+  [http.middlewares.auth-users.basicAuth]
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+
+  [http.middlewares.https-only.redirectScheme]
+    scheme = "https"
+
+  [http.middlewares.known-ips.ipWhiteList]
+    sourceRange = ["192.168.1.7", "127.0.0.1/32"]
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
+```
+
+```yaml tab="File (YAML)"
+# ...    
+http:
+  routers:
+    router1:
+      service: service1
+      middlewares:
+        - secured
+      rule: "Host(`mydomain`)"
+
+  middlewares:
+    secured:
+      chain:
+        middlewares:
+          - https-only
+          - known-ips
+          - auth-users
+
+    auth-users:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+
+    https-only:
+      redirectScheme:
+        scheme: https
+
+    known-ips:
+      ipWhiteList:
+        sourceRange:
+          - "192.168.1.7"
+          - "127.0.0.1/32"
+
+  services:
+    service1:
+      loadBalancer:
+        servers:
+          - url: "http://127.0.0.1:80"
+```

docs/content/middlewares/circuitbreaker.md

@@ -12,34 +12,71 @@ When your system becomes unhealthy, the circuit becomes open and the requests ar
 
 To assess if your system is healthy, the circuit breaker constantly monitors the services. 
 
-!!! Note
+!!! note ""
 
     - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
     - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
 
 !!! important
 
-    Each router will eventually gets its own instance of a given circuit breaker. If two different routers refer to the same circuit breaker definition, they will get one instance each. It means that one circuit breaker can be open while the other stays close: their state is not shared. This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
+    Each router will eventually gets its own instance of a given circuit breaker.
+    
+    If two different routers refer to the same circuit breaker definition, they will get one instance each.
+    It means that one circuit breaker can be open while the other stays closed: their state is not shared.
+    
+    This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
 
 ## Configuration Examples
 
-??? example "Latency Check -- Using Toml"
+```yaml tab="Docker"
+# Latency Check
+labels:
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
 
-    ```toml
-    [http.middlewares]
-       [http.middlewares.latency-check.circuitbreaker]
-          expression = "LatencyAtQuantileMS(50.0) > 100"
-    ```
+```yaml tab="Kubernetes"
+# Latency Check
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: latency-check
+spec:
+  circuitBreaker:
+    expression: LatencyAtQuantileMS(50.0) > 100
+```
 
-??? example "Latency Check -- Using Docker Labels"
-   
-    ```yaml
-    # in a docker compose file
-    container-definition:
-         image: image-name
-         labels:
-             - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
-    ```
+```yaml tab="Consul Catalog"
+# Latency Check
+- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
+}
+```
+
+```yaml tab="Rancher"
+# Latency Check
+labels:
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
+
+```toml tab="File (TOML)"
+# Latency Check
+[http.middlewares]
+  [http.middlewares.latency-check.circuitBreaker]
+    expression = "LatencyAtQuantileMS(50.0) > 100"
+```
+
+```yaml tab="File (YAML)"
+# Latency Check
+http:
+  middlewares:
+    latency-check:
+      circuitBreaker:
+        expression: "LatencyAtQuantileMS(50.0) > 100"
+```
 
 ## Possible States
 
@@ -48,7 +85,7 @@ There are three possible states for your circuit breaker:
 - Close (your service operates normally)
 - Open (the fallback mechanism takes over your service)
 - Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)
-   
+
 ### Close
 
 While close, the circuit breaker only collects metrics to analyze the behavior of the requests.
@@ -57,11 +94,14 @@ At specified intervals (`checkPeriod`), it will evaluate `expression` to decide
 
 ### Open
 
-While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`. After this duration, it will enter the recovering state.
+While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
+After this duration, it will enter the recovering state.
 
 ### Recovering
 
-While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`). If your service fails during recovery, the circuit breaker becomes open again. If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
+While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
+If your service fails during recovery, the circuit breaker becomes open again.
+If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
 
 ## Configuration Options
 
@@ -74,12 +114,12 @@ The `expression` can check three different metrics:
 - The network error ratio (`NetworkErrorRatio`)
 - The status code ratio (`ResponseCodeRatio`)
 - The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
-   
-#### NetworkErrorRatio
+
+#### `NetworkErrorRatio`
 
 If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
 
-#### ResponseCodeRatio
+#### `ResponseCodeRatio`
 
 You can trigger the circuit breaker based on the ratio of a given range of status codes.
 
@@ -87,22 +127,22 @@ The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`,
 
 The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
 
-!!! Note
+!!! note ""
     If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
     
     `from`is inclusive, `to` is exclusive. 
 
 For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX). 
 
-#### LatencyAtQuantileMS
+#### `LatencyAtQuantileMS`
 
 You can trigger the circuit breaker when a given proportion of your requests become too slow.
 
-For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median lantency (quantile 50) reaches 100MS.
+For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
 
-!!! Note
+!!! note ""
 
-    You must provide a float number (with the leading .0) for the quantile value
+    You must provide a float number (with the trailing .0) for the quantile value
  
 #### Using multiple metrics
 
@@ -111,7 +151,7 @@ You can combine multiple metrics using operators in your expression.
 Supported operators are:
 
 - AND (`&&`)
-- OR (`||)
+- OR (`||`)
 
 For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%. 
 
@@ -123,23 +163,24 @@ Here is the list of supported operators:
 - Greater or equal than (`>=`)
 - Lesser than (`<`)
 - Lesser or equal than (`<=`)
-- Not (`!`)
 - Equal (`==`)
 - Not Equal (`!=`)
- 
+
 ### Fallback mechanism
 
-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured. 
-   
-### CheckPeriod
+The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service).
+This behavior cannot be configured. 
 
-The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
+### `CheckPeriod`
 
-### FallbackDuration
+The interval used to evaluate `expression` and decide if the state of the circuit breaker must change.
+By default, `CheckPeriod` is 100ms. This value cannot be configured.
+
+### `FallbackDuration`
 
 By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
 
-### RecoveringDuration
+### `RecoveringDuration`
 
 The duration of the recovering mode (recovering state). 
 

docs/content/middlewares/compress.md

@@ -9,26 +9,113 @@ The Compress middleware enables the gzip compression.
 
 ## Configuration Examples
 
-??? example "File -- enable gzip compression"
+```yaml tab="Docker"
+# Enable gzip compression
+labels:
+  - "traefik.http.middlewares.test-compress.compress=true"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-compress.Compress]
-    ```
+```yaml tab="Kubernetes"
+# Enable gzip compression
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress: {}
+```
+
+```yaml tab="Consul Catalog"
+# Enable gzip compression
+- "traefik.http.middlewares.test-compress.compress=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Enable gzip compression
+labels:
+  - "traefik.http.middlewares.test-compress.compress=true"
+```
+
+```toml tab="File (TOML)"
+# Enable gzip compression
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+```
+
+```yaml tab="File (YAML)"
+# Enable gzip compression
+http:
+  middlewares:
+    test-compress:
+      compress: {}
+```
+
+!!! info
     
-??? example "Docker -- enable gzip compression"
+    Responses are compressed when:
+    
+    * The response body is larger than `1400` bytes.
+    * The `Accept-Encoding` request header contains `gzip`.
+    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
 
-    ```yml
-    a-container:
-          image: a-container-image 
-            labels:
-              - "traefik.http.middlewares.test-compress.compress=true",
-    ```
+## Configuration Options
 
-## Notes
+### `excludedContentTypes`
 
-Responses are compressed when:
+`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests to before compressing.
 
-* The response body is larger than `512` bytes.
-* The `Accept-Encoding` request header contains `gzip`.
-* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
+The requests with content types defined in `excludedContentTypes` are not compressed.
+
+Content types are compared in a case-insensitive, whitespace-ignored manner.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    excludedContentTypes:
+      - text/event-stream
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.excludedcontenttypes": "text/event-stream"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    excludedContentTypes = ["text/event-stream"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+```

docs/content/middlewares/contenttype.md

@@ -0,0 +1,83 @@
+
+# ContentType
+
+Handling ContentType auto-detection
+{: .subtitle }
+
+The Content-Type middleware - or rather its unique `autoDetect` option -
+specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.
+
+As a proxy, the default behavior should be to leave the header alone,
+regardless of what the backend did with it.
+However, the historic default was to always auto-detect and set the header if it was nil,
+and it is going to be kept that way in order to support users currently relying on it.
+This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+
+!!! info
+
+    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
+    is still to automatically set the `Content-Type` header.
+    Therefore, given the default value of the `autoDetect` option (false),
+    simply enabling this middleware for a router switches the router's behavior.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```yaml tab="Kubernetes"
+# Disable auto-detection
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: autodetect
+spec:
+  contentType:
+    autoDetect: false
+```
+
+```yaml tab="Consul Catalog"
+# Disable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+}
+```
+
+```yaml tab="Rancher"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```toml tab="File (TOML)"
+# Disable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+     autoDetect=false
+```
+
+```yaml tab="File (YAML)"
+# Disable auto-detection
+http:
+  middlewares:
+    autodetect:
+      contentType:
+        autoDetect: false
+```
+
+## Configuration Options
+
+### `autoDetect`
+
+`autoDetect` specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.

docs/content/middlewares/digestauth.md

@@ -9,70 +9,352 @@ The DigestAuth middleware is a quick way to restrict access to your services to
 
 ## Configuration Examples
 
-??? example "File -- Declaring the user list"
+```yaml tab="Docker"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-auth.digestauth]
-      users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
-    ```
+```yaml tab="Kubernetes"
+# Declaring the user list
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: userssecret
+```
 
-??? example "Docker -- Using an external file for the authorized users"
+```yaml tab="Consul Catalog"
+# Declaring the user list
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
 
-    ```yml
-    a-container:
-          image: a-container-image 
-            labels:
-              - "traefik.http.middlewares.declared-users-only.digestauth.usersFile=path-to-file.ext",
-    ```
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        users:
+          - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+## Configuration Options
 
 !!! tip 
    
     Use `htdigest` to generate passwords.
 
-## Configuration Options
-
-### Users
+### `users`
 
 The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
 
-!!! Note
+!!! note ""
     
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
 
-### UsersFile
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        users:
+          - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+### `usersFile`
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
 
 The file content is a list of `name:realm:encoded-password`.
 
+!!! note ""
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        usersFile: "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"
 
-    ```
+    ```txt
     test:traefik:a2688e031edb4be6a3797f3882655c05
     test2:traefik:518845800f9e2bfb1f1f740ec24f074e
     ```
 
-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
-### Realm
+### `realm`
 
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
 
-### HeaderField
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    realm: MyRealm
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    realm = "MyRealm"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        realm: "MyRealm"
+```
+
+### `headerField`
 
 You can customize the header field for the authenticated user using the `headerField`option.
 
-??? example "File -- Passing Authenticated Users to Services Via Headers"
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```
 
-    ```toml
-      [http.middlewares.my-auth.digestauth]
-        usersFile = "path-to-file.ext"
-        headerField = "X-WebAuth-User" # header for the authenticated user
-    ```
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: my-auth
+spec:
+  digestAuth:
+    # ...
+    headerField: X-WebAuth-User
+```
 
-### RemoveHeader
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares.my-auth.digestAuth]
+  # ...
+  headerField = "X-WebAuth-User"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    my-auth:
+      digestAuth:
+        # ...
+        headerField: "X-WebAuth-User"
+```
+
+### `removeHeader`
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    removeHeader: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    removeHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        removeHeader: true
+```

docs/content/middlewares/errorpages.md

@@ -12,55 +12,101 @@ The ErrorPage middleware returns a custom page in lieu of the default, according
 
 ## Configuration Examples
 
-??? example "File -- Custom Error Page for 5XX"
+```yaml tab="Docker"
+# Dynamic Custom Error Page for 5XX Status Code
+labels:
+  - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+  - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+```
 
-    ```toml
-    [http.routers]
-      [http.routers.router1]
-        Service = "my-service"
-        Rule = Host(`my-domain`)
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-errorpage
+spec:
+  errors:
+    status:
+      - 500-599
+    query: /{status}.html
+    service:
+      name: whoami
+      port: 80
+```
 
-    [http.middlewares]
-      [http.middlewares.5XX-errors.Errors]
-        status = ["500-599"]
-        service = "error-handler-service"
-        query = "/error.html"
-                
-    [http.services]
-      # ... definition of error-handler-service and my-service
-    ```
+```yaml tab="Consul Catalog"
+# Dynamic Custom Error Page for 5XX Status Code
+- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+```
 
-??? example "Docker -- Dynamic Custom Error Page for 5XX Status Code"
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-errorpage.errors.status": "500-599",
+  "traefik.http.middlewares.test-errorpage.errors.service": "serviceError",
+  "traefik.http.middlewares.test-errorpage.errors.query": "/{status}.html"
+}
+```
 
-    ```yaml
-    a-container:
-      image: a-container-image 
-        labels:
-          - "traefik.http.middlewares.test-errorpage.errors.status=500-599",
-          - "traefik.http.middlewares.test-errorpage.errors.service=serviceError",
-          - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html",
-            		
-    ```
-    
-    !!! note 
-        In this example, the error page URL is based on the status code (`query=/{status}.html)`.
+```yaml tab="Rancher"
+# Dynamic Custom Error Page for 5XX Status Code
+labels:
+  - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+  - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+```
+
+```toml tab="File (TOML)"
+# Custom Error Page for 5XX
+[http.middlewares]
+  [http.middlewares.test-errorpage.errors]
+    status = ["500-599"]
+    service = "serviceError"
+    query = "/{status}.html"
+
+[http.services]
+  # ... definition of error-handler-service and my-service
+```
+
+```yaml tab="File (YAML)"
+# Custom Error Page for 5XX
+http:
+  middlewares:
+    test-errorpage:
+      errors:
+        status:
+          - "500-599"
+        service: serviceError
+        query: "/{status}.html"
+
+[http.services]
+  # ... definition of error-handler-service and my-service
+```
+
+!!! note "" 
+    In this example, the error page URL is based on the status code (`query=/{status}.html`).
 
 ## Configuration Options
 
-### status
+### `status`
 
 The `status` that will trigger the error page.
 
 The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
  
-!!! Note
+!!! note "" 
 
     You can define either a status code like `500` or ranges with a syntax like `500-599`.
 
-### service
+### `service`
 
 The service that will serve the new requested error page.
 
-### query
+!!! note "" 
+    In kubernetes, you need to reference a kubernetes service instead of a traefik service.
+
+### `query`
 
 The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.

docs/content/middlewares/forwardauth.md

@@ -1,6 +1,6 @@
 # ForwardAuth
 
-Using an External Service to Ccheck for Credentials
+Using an External Service to Check for Credentials
 {: .subtitle }
 
 ![AuthForward](../assets/img/middleware/authforward.png)
@@ -11,53 +11,537 @@ Otherwise, the response from the authentication server is returned.
 
 ## Configuration Examples
 
-??? example "File -- Forward authentication to authserver.com"
+```yaml tab="Docker"
+# Forward authentication to example.com
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-auth.forwardauth]
-        address = "https://authserver.com/auth"
-        trustForwardHeader = true
-        authResponseHeaders = ["X-Auth-User", "X-Secret"]
+```yaml tab="Kubernetes"
+# Forward authentication to example.com
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+```
 
-        [http.middlewares.test-auth.forwardauth.tls]
-          ca = "path/to/local.crt"
-          caOptional = true
-          cert = "path/to/foo.cert"
-          key = "path/to/foo.key"      
-    ```
+```yaml tab="Consul Catalog"
+# Forward authentication to example.com
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
 
-??? example "Docker -- Forward authentication to authserver.com"
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
+}
+```
 
-    ```yml
-    a-container:
-          image: a-container-image 
-            labels:
-              - "traefik.http.middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
-              - "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
-              - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
-              - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
-              - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
-              - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
-              - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
-              - "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
-              		
-    ```
+```yaml tab="Rancher"
+# Forward authentication to example.com
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
+
+```toml tab="File (TOML)"
+# Forward authentication to example.com
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+```
+
+```yaml tab="File (YAML)"
+# Forward authentication to example.com
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+```
 
 ## Configuration Options
 
-### address
+### `address`
 
 The `address` option defines the authentication server address.
 
-### trustForwardHeader
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
 
-Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth 
+```
 
-### authResponseHeaders
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+```
+
+### `trustForwardHeader`
+
+Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    trustForwardHeader: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    trustForwardHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        trustForwardHeader: true
+```
+
+### `authResponseHeaders`
 
 The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
 
-### tls
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
 
-The `tls` option is the tls configuration from Traefik to the authentication server.
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    authResponseHeaders:
+      - X-Auth-User
+      - X-Secret
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authResponseHeaders = ["X-Auth-User", "X-Secret"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        authResponseHeaders:
+          - "X-Auth-User"
+          - "X-Secret"
+```
+
+### `tls`
+
+The `tls` option is the TLS configuration from Traefik to the authentication server.
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to the authentication server.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    tls:
+      caSecret: mycasercret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mycasercret
+  namespace: default
+
+data:
+  ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      ca = "path/to/local.crt"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        tls:
+          ca: "path/to/local.crt"
+```
+
+#### `tls.caOptional`
+
+Policy used for the secured connection with TLS Client Authentication to the authentication server.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    tls:
+      caOptional: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      caOptional = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        tls:
+          caOptional: true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to the authentication server.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    tls:
+      certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mytlscert
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        tls:
+          cert: "path/to/foo.cert"
+          key: "path/to/foo.key"
+```
+
+!!! info
+    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+#### `tls.key`
+
+Private certificate used for the secure connection to the authentication server.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    tls:
+      certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mytlscert
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        tls:
+          cert: "path/to/foo.cert"
+          key: "path/to/foo.key"
+```
+
+!!! info
+    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to authentication server accepts any certificate presented by the server and any host name in that certificate.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    tls:
+      insecureSkipVerify: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      insecureSkipVerify: true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        tls:
+          insecureSkipVerify: true
+```

docs/content/middlewares/headers.md

@@ -13,76 +13,262 @@ The Headers middleware can manage the requests/responses headers.
 
 Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
 
-??? example "File"
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.testHeader.headers]
-        [http.middlewares.testHeader.headers.CustomRequestHeaders]
-            X-Script-Name = "test"
-        [http.middlewares.testHeader.headers.CustomResponseHeaders]
-            X-Custom-Response-Header = "True"
-    ```
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: testHeader
+spec:
+  headers:
+    customRequestHeaders:
+      X-Script-Name: "test"
+    customResponseHeaders:
+      X-Custom-Response-Header: "value"
+```
 
-??? example "Docker"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
 
-    ```yml
-    a-container:
-          image: a-container-image 
-            labels:
-              - "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
-              - "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
-    ```
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "value"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
+        X-Script-Name = "test"
+    [http.middlewares.testHeader.headers.customResponseHeaders]
+        X-Custom-Response-Header = "value"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        customRequestHeaders:
+          X-Script-Name: "test"
+        customResponseHeaders:
+          X-Custom-Response-Header: "value"
+```
 
 ### Adding and Removing Headers
 
-`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response.
+`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
+and the `X-Custom-Response-Header` header removed from the response.
 
-??? example "File"
+Please note that it is not possible to remove headers through the use of labels (Docker, Rancher, Marathon, ...) for now.
 
-    ```toml    
-    [http.middlewares]
-      [http.middlewares.testHeader.headers]
-        [http.middlewares.testHeader.headers.CustomRequestHeaders]
-            X-Script-Name = "test"
-        [http.middlewares.testHeader.headers.CustomResponseHeaders]
-            X-Custom-Response-Header = "True"
-    ```
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+```
 
-??? example "Docker"
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: testHeader
+spec:
+  headers:
+    customRequestHeaders:
+      X-Script-Name: "test" # Adds
+      X-Custom-Request-Header: "" # Removes
+    customResponseHeaders:
+      X-Custom-Response-Header: "" # Removes
+```
 
-    ```yml
-    a-container:
-          image: a-container-image 
-            labels:
-              - "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
-              - "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
-    ```
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
+        X-Script-Name = "test" # Adds
+        X-Custom-Request-Header = "" # Removes
+    [http.middlewares.testHeader.headers.customResponseHeaders]
+        X-Custom-Response-Header = "" # Removes
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        customRequestHeaders:
+          X-Script-Name: "test" # Adds
+          X-Custom-Request-Header: "" # Removes
+        customResponseHeaders:
+          X-Custom-Response-Header: "" # Removes
+```
 
 ### Using Security Headers
 
-Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above.
+Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured in a manner similar to the custom headers above.
 This functionality allows for some easy security features to quickly be set.
 
-??? example "File"
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.testHeader.headers.framedeny=true"
+  - "traefik.http.middlewares.testHeader.headers.sslredirect=true"
+```
 
-    ```toml    
-    [http.middlewares]
-      [http.middlewares.testHeader.headers]
-        FrameDeny = true
-        SSLRedirect = true
-    ```
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: testHeader
+spec:
+  headers:
+    frameDeny: "true"
+    sslRedirect: "true"
+```
 
-??? example "Docker"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.framedeny=true"
+- "traefik.http.middlewares.testheader.headers.sslredirect=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.framedeny": "true",
+  "traefik.http.middlewares.testheader.headers.sslredirect": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.framedeny=true"
+  - "traefik.http.middlewares.testheader.headers.sslredirect=true"
+```
+
+```toml tab="File (TOML)"    
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    frameDeny = true
+    sslRedirect = true
+```
+
+```yaml tab="File (YAML)"  
+http:
+  middlewares:
+    testHeader:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+```
+
+### CORS Headers
+
+CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
+This functionality allows for more advanced security features to quickly be set.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: testHeader
+spec:
+  headers:
+    accessControlAllowMethods:
+      - "GET"
+      - "OPTIONS"
+      - "PUT"
+    accessControlAllowOriginList:
+      - "https://foo.bar.org"
+      - "https://example.org"
+    accessControlMaxAge: 100
+    addVaryHeader: "true"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
+- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
+  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
+  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
+```toml tab="File (TOML)"    
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
+    accessControlMaxAge = 100
+    addVaryHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlAllowOriginList:
+          - https://foo.bar.org
+          - https://example.org
+        accessControlMaxAge: 100
+        addVaryHeader: true
+```
 
-    ```yml
-    a-container:
-          image: a-container-image 
-            labels:
-              - "traefik.http.middlewares.testHeader.Headers.FrameDeny=true",
-              - "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true",
-    ```
-       
 ## Configuration Options
 
 ### General
@@ -90,90 +276,145 @@ This functionality allows for some easy security features to quickly be set.
 !!! warning
     If the custom header name is the same as one header name of the request or response, it will be replaced.
 
-!!! note
+!!! note ""
     The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
 
-### customRequestHeaders
+### `customRequestHeaders`
 
 The `customRequestHeaders` option lists the Header names and values to apply to the request.
 
-### allowedHosts 
+### `customResponseHeaders`
+
+The `customResponseHeaders` option lists the Header names and values to apply to the response.
+
+### `accessControlAllowCredentials`
+
+The `accessControlAllowCredentials` indicates whether the request can include user credentials.
+
+### `accessControlAllowHeaders`
+
+The `accessControlAllowHeaders` indicates which header field names can be used as part of the request.
+
+### `accessControlAllowMethods`
+
+The  `accessControlAllowMethods` indicates which methods can be used during requests.
+
+### `accessControlAllowOriginList`
+
+The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
+
+A wildcard origin `*` can also be configured, and will match all requests.
+If this value is set by a backend server, it will be overwritten by Traefik
+
+This value can contains a list of allowed origins.
+
+More information including how to use the settings can be found on:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://www.w3.org/TR/cors/#access-control-allow-origin-response-header)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
+
+Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
+
+### `accessControlExposeHeaders`
+
+The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.
+
+### `accessControlMaxAge`
+
+The `accessControlMaxAge` indicates how long a preflight request can be cached.
+
+### `addVaryHeader`
+
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
+
+### `allowedHosts` 
 
 The `allowedHosts` option lists fully qualified domain names that are allowed.
 
-### hostsProxyHeaders 
+### `hostsProxyHeaders` 
 
 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
 
-### sslRedirect 
+### `sslRedirect` 
 
 The `sslRedirect` is set to true, then only allow https requests.
 
-### sslTemporaryRedirect
+### `sslTemporaryRedirect`
                     
 Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
 
-### sslHost 
+### `sslHost` 
 
-The `SSLHost` option is the host name that is used to redirect http requests to https.
+The `sslHost` option is the host name that is used to redirect http requests to https.
 
-### sslProxyHeaders 
+### `sslProxyHeaders` 
 
-The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
+The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request.
+Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
 
-### sslForceHost 
+### `sslForceHost` 
 
 Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
 
-### stsSeconds 
+### `stsSeconds` 
 
-The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
+The `stsSeconds` is the max-age of the Strict-Transport-Security header.
+If set to 0, would NOT include the header.
 
-### stsIncludeSubdomains 
+### `stsIncludeSubdomains` 
 
-The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
+The `stsIncludeSubdomains` is set to true, the `includeSubDomains` directive will be appended to the Strict-Transport-Security header.
 
-### stsPreload 
+### `stsPreload` 
 
-Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
+Set `stsPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
 
-### forceSTSHeader
+### `forceSTSHeader`
 
-Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
+Set `forceSTSHeader` to true, to add the STS header even when the connection is HTTP.
 
-### frameDeny 
+### `frameDeny` 
 
 Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
  
-### customFrameOptionsValue 
+### `customFrameOptionsValue` 
 
-The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
+The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
+This overrides the FrameDeny option.
 
-### contentTypeNosniff
+### `contentTypeNosniff`
 
 Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
 
-### browserXssFilter
+### `browserXssFilter`
 
-Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
+Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
 
-### customBrowserXSSValue
+### `customBrowserXSSValue`
 
-The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
+The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
+This overrides the BrowserXssFilter option.
 
-### contentSecurityPolicy
+### `contentSecurityPolicy`
 
 The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
 
-### publicKey
+### `publicKey`
 
 The `publicKey` implements HPKP to prevent MITM attacks with forged certificates. 
 
-### referrerPolicy
+### `referrerPolicy`
 
 The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
 
-### isDevelopment
+### `featurePolicy`
 
-Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.  
+The `featurePolicy` allows sites to control browser features.
+
+### `isDevelopment`
+
+Set `isDevelopment` to true when developing.
+The AllowedHosts, SSL, and STS options can cause some unwanted effects.
+Usually testing happens on http, not https, and on localhost, not your production domain.  
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.

docs/content/middlewares/inflightreq.md

@@ -0,0 +1,360 @@
+# InFlightReq
+
+Limiting the Number of Simultaneous In-Flight Requests
+{: .subtitle }
+
+![InFlightReq](../assets/img/middleware/inflightreq.png)
+
+To proactively prevent services from being overwhelmed with high load, a limit on the number of simultaneous in-flight requests can be applied.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    amount: 10
+```
+
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10 
+```
+
+```yaml tab="File (YAML)"
+# Limiting to 10 simultaneous connections
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        amount: 10 
+```
+
+## Configuration Options
+
+### `amount`
+
+The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
+The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    amount: 10
+```
+
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10 
+```
+
+```yaml tab="File (YAML)"
+# Limiting to 10 simultaneous connections
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        amount: 10 
+```
+
+### `sourceCriterion`
+ 
+SourceCriterion defines what criterion is used to group requests as originating from a common source.
+The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If none are set, the default is to use the `requestHost`.
+
+#### `sourceCriterion.ipStrategy`
+
+The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+
+##### `ipStrategy.depth`
+
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is lesser than or equal to 0.
+    
+!!! example "Example of Depth & X-Forwarded-For"
+
+    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
+
+    | `X-Forwarded-For`                       | `depth` | clientIP     |
+    |-----------------------------------------|---------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      ipStrategy:
+        depth: 2
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          ipStrategy:
+            depth: 2
+```
+
+##### `ipStrategy.excludedIPs`
+
+`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      ipStrategy:
+        excludedIPs:
+        - 127.0.0.1/32
+        - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          ipStrategy:
+            excludedIPs:
+              - "127.0.0.1/32"
+              - "192.168.1.7"
+```
+
+#### `sourceCriterion.requestHeaderName`
+
+Requests having the same value for the given header are grouped as coming from the same source.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+	sourceCriterion:
+      requestHeaderName: username
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername": "username"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
+      requestHeaderName = "username"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          requestHeaderName: username
+```
+
+#### `sourceCriterion.requestHost`
+
+Whether to consider the request host as the source.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      requestHost: true
+```
+
+```yaml tab="Cosul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
+      requestHost = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          requestHost: true
+```

docs/content/middlewares/ipwhitelist.md

@@ -9,42 +9,142 @@ IPWhitelist accepts / refuses requests based on the client IP.
 
 ## Configuration Examples
 
-??? example "File -- Accepts request from defined IP"
+```yaml tab="Docker"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-ipwhitelist.ipWhiteList]
-        sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-    ```
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipwhitelist
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+```
 
-??? example "Docker -- Accepts request from defined IP"
+```yaml tab="Consul Catalog"
+# Accepts request from defined IP
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
 
-    ```yml
-     a-container:
-        image: a-container-image 
-            labels:
-                - "traefik.http.middlewares.Middleware9.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
-    ```
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```toml tab="File (TOML)"
+# Accepts request from defined IP
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="File (YAML)"
+# Accepts request from defined IP
+http:
+  middlewares:
+    test-ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+```
 
 ## Configuration Options
 
-### sourceRange
+### `sourceRange`
 
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 
-### ipStrategy
+### `ipStrategy`
 
 The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
 
-#### ipStrategy.depth 
+#### `ipStrategy.depth`
 
 The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
 
-!!! note "Examples of Depth & X-Forwaded-For"
+!!! example "Examples of Depth & X-Forwarded-For"
 
+    ```yaml tab="Docker"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    labels:
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+    ```
+    
+    ```yaml tab="Kubernetes"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: testIPwhitelist
+    spec:
+      ipWhiteList:
+        sourceRange:
+          - 127.0.0.1/32
+          - 192.168.1.7
+        ipStrategy:
+          depth: 2
+    ```
+    
+    ```yaml tab="Consul Catalog"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+    ```
+    
+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
+    }
+    ```
+    
+    ```yaml tab="Rancher"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    labels:
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+    ```
+    
+    ```toml tab="File (TOML)"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    [http.middlewares]
+      [http.middlewares.test-ipwhitelist.ipWhiteList]
+        sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+          depth = 2
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    http:
+      middlewares:
+        test-ipwhitelist:
+          ipWhiteList:
+            sourceRange:
+              - "127.0.0.1/32"
+              - "192.168.1.7"
+            ipStrategy:
+              depth: 2
+    ```
+    
     If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
     
-    ??? note "More examples"
+    ??? example "More examples"
     
         | `X-Forwarded-For`                       | `depth` | clientIP     |
         |-----------------------------------------|---------|--------------|
@@ -52,36 +152,75 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
         | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
         | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
-??? example "File -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
-
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-ipwhitelist.ipWhiteList]
-        sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-            depth = 2
-    ```
-
-??? example "Docker -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
-
-    ```yml
-     a-container:
-        image: a-container-image 
-            labels:
-                - "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
-                - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-
-!!! note
+!!! info
 
     - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-    - `depth` is ignored if its value is is lesser than or equal to 0.
+    - `depth` is ignored if its value is lesser than or equal to 0.
 
-#### ipStrategy.excludedIPs
+#### `ipStrategy.excludedIPs`
+
+```yaml tab="Docker"
+# Exclude from `X-Forwarded-For`
+labels:
+    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+# Exclude from `X-Forwarded-For`
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipwhitelist
+spec:
+  ipWhiteList:
+    ipStrategy:
+      excludedIPs:
+        - 127.0.0.1/32
+        - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+# Exclude from `X-Forwarded-For`
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Exclude from `X-Forwarded-For`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```toml tab="File (TOML)"
+# Exclude from `X-Forwarded-For`
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="File (YAML)"
+# Exclude from `X-Forwarded-For`
+http:
+  middlewares:
+    test-ipwhitelist:
+      ipWhiteList:
+        ipStrategy:
+          excludedIPs:
+            - "127.0.0.1/32"
+            - "192.168.1.7"
+```
 
 `excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
 
-!!! note "Examples of ExcludedIPs & X-Forwaded-For"
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Examples of ExcludedIPs & X-Forwarded-For"
 
     | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
     |-----------------------------------------|-----------------------|--------------|
@@ -90,24 +229,3 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
     | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
-
-!!! important
-    If `depth` is specified, `excludedIPs` is ignored.
-
-??? example "File -- Exclude from `X-Forwarded-For`"
-
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-ipwhitelist.ipWhiteList]
-        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-          excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-    ```
-
-??? example "Docker -- Exclude from `X-Forwarded-For`"
-
-    ```yml
-     a-container:
-        image: a-container-image 
-            labels:
-                - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
-    ```

docs/content/middlewares/maxconnection.md

@@ -1,44 +0,0 @@
-# MaxConnection
-
-Limiting the Number of Simultaneous Clients
-{: .subtitle }
-
-![MaxConnection](../assets/img/middleware/maxconnection.png)
-
-To proactively prevent services from being overwhelmed with high load, a maximum connection limit can be applied.
-
-## Configuration Examples
-
-??? example "File -- Limiting to 10 simultaneous connections"
-
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-maxconn.maxconn]
-      amount = 10 
-    ```
-
-??? example "Docker -- Limiting to 10 simultaneous connections"
-
-    ```yml
-    a-container:
-          image: a-container-image 
-            labels:
-              - "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
-    ```
-
-## Configuration Options
-
-### amount
-
-The `amount` option defines the maximum amount of allowed simultaneous connections.
-The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).
-
-### extractorfunc
-
-The `extractorfunc` defines the strategy used to categorize requests.
-
-The possible values are:
-
-- `request.host` categorizes requests based on the request host.
-- `client.ip` categorizes requests based on the client ip.
-- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.

docs/content/middlewares/overview.md

@@ -5,117 +5,199 @@ Tweaking the Request
 
 ![Overview](../assets/img/middleware/overview.png)
 
-Attached to the routers, pieces of middleware are a mean of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
+Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
 
-There are many different available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
+There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
 
 Pieces of middleware can be combined in chains to fit every scenario.
 
 ## Configuration Example
 
-??? example "As Toml Configuration File"
+```yaml tab="Docker"
+# As a Docker Label
+whoami:
+  #  A container that exposes an API to show its IP address
+  image: containous/whoami
+  labels:
+    # Create a middleware named `foo-add-prefix`
+    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+    # Apply the middleware named `foo-add-prefix` to the router named `router1`
+    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
+```
 
-    ```toml
-    [providers]
-       [providers.file]
-
-    [http.routers]
-      [http.routers.router1]
-        Service = "myService"
-        Middlewares = ["foo-add-prefix"]
-        Rule = "Host: example.com"
-
-    [http.middlewares]
-     [http.middlewares.foo-add-prefix.AddPrefix]
-        prefix = "/foo"
-
-    [http.services]
-     [http.services.service1]
-       [http.services.service1.LoadBalancer]
-
-         [[http.services.service1.LoadBalancer.Servers]]
-           URL = "http://127.0.0.1:80"
-           Weight = 1
-    ```
-
-??? example "As a Docker Label"
-
-    ```yaml
-    # A container that exposes a simple API
-    whoami:
-      image: containous/whoami  # A container that exposes an API to show its IP address
-        labels:
-          - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo",
-    ```
-
-??? example "As a Kubernetes Traefik IngressRoute"
-
-    ```yaml
-    apiVersion: apiextensions.k8s.io/v1beta1
-    kind: CustomResourceDefinition
-    metadata:
-      name: middlewares.traefik.containo.us
-    spec:
-      group: traefik.containo.us
-      version: v1alpha1
-      names:
-        kind: Middleware
-        plural: middlewares
-        singular: middleware
-      scope: Namespaced
-
-    ---
-    apiVersion: traefik.containo.us/v1alpha1
+```yaml tab="Kubernetes"
+# As a Kubernetes Traefik IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
     kind: Middleware
-    metadata:
-      name: stripprefix
-    spec:
-      stripprefix:
-        prefixes:
-          - /stripit
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
 
-    ---
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: ingressroute.crd
-    spec:
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: stripprefix
+spec:
+  stripPrefix:
+    prefixes:
+      - /stripit
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroute
+spec:
+# more fields...
+  routes:
     # more fields...
-      routes:
-        # more fields...
-        middleware:
-        - name: stripprefix
-    ```
+    middlewares:
+      - name: stripprefix
+```
 
-## Advanced Configuration
+```yaml tab="Consul Catalog"
+# Create a middleware named `foo-add-prefix`
+- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+# Apply the middleware named `foo-add-prefix` to the router named `router1`
+- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
+```
 
-When you declare a middleware, it lives in its `provider` namespace.
-For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker `provider` namespace.
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
+}
+```
 
-If you use multiple `providers` and wish to reference a middleware declared in another `provider`, then you'll have to prefix the middleware name with the `provider` name.
+```yaml tab="Rancher"
+# As a Rancher Label
+labels:
+  # Create a middleware named `foo-add-prefix`
+  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+  # Apply the middleware named `foo-add-prefix` to the router named `router1`
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
+```
 
-??? abstract "Referencing a Middleware from Another Provider"
+```toml tab="File (TOML)"
+# As TOML Configuration File
+[http.routers]
+  [http.routers.router1]
+    service = "myService"
+    middlewares = ["foo-add-prefix"]
+    rule = "Host(`example.com`)"
+
+[http.middlewares]
+  [http.middlewares.foo-add-prefix.addPrefix]
+    prefix = "/foo"
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
+```
+
+```yaml tab="File (YAML)"
+# As YAML Configuration File
+http:
+  routers:
+    router1:
+      service: myService
+      middlewares:
+        - "foo-add-prefix"
+      rule: "Host(`example.com`)"
+
+  middlewares:
+    foo-add-prefix:
+      addPrefix:
+        prefix: "/foo"
+
+  services:
+    service1:
+      loadBalancer:
+        servers:
+          - url: "http://127.0.0.1:80"
+```
+
+## Provider Namespace
+
+When you declare a middleware, it lives in its provider's namespace.
+For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
+
+If you use multiple providers and wish to reference a middleware declared in another provider
+(aka referencing a cross-provider middleware),
+then you'll have to append to the middleware name, the `@` separator, followed by the provider name.
+
+```text
+<resource-name>@<provider-name>
+```
+
+!!! important "Kubernetes Namespace"
+
+    As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
+    with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
+    In this case, since the definition of the middleware is not in kubernetes,
+    specifying a "kubernetes namespace" when referring to the resource does not make any sense,
+    and therefore this specification would be ignored even if present.
+
+!!! abstract "Referencing a Middleware from Another Provider"
 
     Declaring the add-foo-prefix in the file provider.
 
-    ```toml
-    [providers]
-       [providers.file]
-
+    ```toml tab="File (TOML)"
     [http.middlewares]
-     [http.middlewares.add-foo-prefix.AddPrefix]
+      [http.middlewares.add-foo-prefix.addPrefix]
         prefix = "/foo"
     ```
+    
+    ```yaml tab="File (YAML)"
+    http:
+      middlewares:
+        add-foo-prefix:
+          addPrefix:
+            prefix: "/foo"
+    ```
 
-    Using the add-foo-prefix middleware from docker.
+    Using the add-foo-prefix middleware from other providers:
 
-    ```yaml
+    ```yaml tab="Docker"
     your-container: #
-        image: your-docker-image
+      image: your-docker-image
 
-        labels:
-          # Attach file.add-foo-prefix middleware (declared in file)
-          - "traefik.http.routers.middlewares=file.add-foo-prefix",
+      labels:
+        # Attach add-foo-prefix@file middleware (declared in file)
+        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: ingressroutestripprefix
+
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - match: Host(`example.com`)
+          kind: Rule
+          services:
+            - name: whoami
+              port: 80
+          middlewares:
+            - name: add-foo-prefix@file
+            # namespace: bar
+            # A namespace specification such as above is ignored
+            # when the cross-provider syntax is used.
     ```
 
 ## Available Middlewares
@@ -127,14 +209,14 @@ If you use multiple `providers` and wish to reference a middleware declared in a
 | [Buffering](buffering.md)                 | Buffers the request/response                      | Request Lifecycle           |
 | [Chain](chain.md)                         | Combine multiple pieces of middleware             | Middleware tool             |
 | [CircuitBreaker](circuitbreaker.md)       | Stop calling unhealthy services                   | Request Lifecycle           |
-| [Compress](circuitbreaker.md)             | Compress the response                             | Content Modifier            |
+| [Compress](compress.md)                   | Compress the response                             | Content Modifier            |
 | [DigestAuth](digestauth.md)               | Adds Digest Authentication                        | Security, Authentication    |
 | [Errors](errorpages.md)                   | Define custom error pages                         | Request Lifecycle           |
 | [ForwardAuth](forwardauth.md)             | Authentication delegation                         | Security, Authentication    |
 | [Headers](headers.md)                     | Add / Update headers                              | Security                    |
 | [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs                      | Security, Request lifecycle |
-| [MaxConnection](maxconnection.md)         | Limit the number of simultaneous connections      | Security, Request lifecycle |
-| [PassTLSClientCert](passtlsclientcert.md) | TODO                                              | Security                    |
+| [InFlightReq](inflightreq.md)             | Limit the number of simultaneous connections      | Security, Request lifecycle |
+| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header            | Security                    |
 | [RateLimit](ratelimit.md)                 | Limit the call frequency                          | Security, Request lifecycle |
 | [RedirectScheme](redirectscheme.md)       | Redirect easily the client elsewhere              | Request lifecycle           |
 | [RedirectRegex](redirectregex.md)         | Redirect the client elsewhere                     | Request lifecycle           |

docs/content/middlewares/passtlsclientcert.md

@@ -1,41 +1,196 @@
-# TODO - PassTLSClientCert
+# PassTLSClientCert
 
 Adding Client Certificates in a Header
 {: .subtitle }
 
-`TODO add schema`
+<!--
+TODO: add schema
+-->
 
 PassTLSClientCert adds in header the selected data from the passed client tls certificate.
 
 ## Configuration Examples
 
-??? example "File -- Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
+Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+
+```yaml tab="Docker"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+labels:
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: addprefix
+spec:
+  passTLSClientCert:
+    pem: true
+```
+
+```yaml tab="Consul Catalog"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
+- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+labels:
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
+```toml tab="File (TOML)"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+[http.middlewares]
+  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+    pem = true
+```
+
+```yaml tab="File (YAML)"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+http:
+  middlewares:
+    test-passtlsclientcert:
+      passTLSClientCert:
+        pem: true
+```
+
+??? example "Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
+
+    ```yaml tab="Docker"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    labels:
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```
     
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-passtlsclientcert.passtlsclientcert]
-        pem = true
+    ```yaml tab="Kubernetes"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: test-passtlsclientcert
+    spec:
+      passTLSClientCert:
+        info:
+          notAfter: true
+          notBefore: true
+          sans: true
+          subject:
+            country: true
+            province: true
+            locality: true
+            organization: true
+            commonName: true
+            serialNumber: true
+            domainComponent: true
+          issuer:
+            country: true
+            province: true
+            locality: true
+            organization: true
+            commonName: true
+            serialNumber: true
+            domainComponent: true
+    ```
+    
+    ```yaml tab="Consul Catalog"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```
+        
+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
+    }
+    ```
+    
+    ```yaml tab="Rancher"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    labels:
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
 
-??? example "Docker -- Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
-
-    ```yml
-     a-container:
-        image: a-container-image 
-            labels:
-                - "traefik.http.middlewares.Middleware11.passtlsclientcert.pem=true"
-    ```
-
-??? example "File -- Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header"
-
-    ```toml
+    ```toml tab="File (TOML)"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     [http.middlewares]
-      [http.middlewares.test-passtlsclientcert.passtlsclientcert]
-        [http.middlewares.test-passtlsclientcert.passtlsclientcert.info]
+      [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+        [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
           notAfter = true
           notBefore = true
           sans = true
-          [http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject]
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
             country = true
             province = true
             locality = true
@@ -43,7 +198,7 @@ PassTLSClientCert adds in header the selected data from the passed client tls ce
             commonName = true
             serialNumber = true
             domainComponent = true
-          [http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer]
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
             country = true
             province = true
             locality = true
@@ -53,29 +208,32 @@ PassTLSClientCert adds in header the selected data from the passed client tls ce
             domainComponent = true
     ```
 
-??? example "Docker -- Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header"
-
-    ```yml
-     a-container:
-        image: a-container-image 
-            labels:
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
-                - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```yaml tab="File (YAML)"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    http:
+      middlewares:
+        test-passtlsclientcert:
+          passTLSClientCert:
+            info:
+              notAfter: true
+              notBefore: true
+              sans: true
+              subject:
+                country: true
+                province: true
+                locality: true
+                organization: true
+                commonName: true
+                serialNumber: true
+                domainComponent: true
+              issuer:
+                country: true
+                province: true
+                locality: true
+                organization: true
+                commonName: true
+                serialNumber: true
+                domainComponent: true
     ```
 
 ## Configuration Options
@@ -84,13 +242,16 @@ PassTLSClientCert adds in header the selected data from the passed client tls ce
 
 PassTLSClientCert can add two headers to the request: 
 
-* `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
-* `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
+- `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
+- `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
 
-!!! note
-    The headers are filled with escaped string so it can be safely placed inside a URL query.
+!!! info
 
-In the following example, you can see a complete certificate. We will use each part of it to explains the middleware options.
+    * The headers are filled with escaped string so it can be safely placed inside a URL query.
+    * These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
+    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
+
+In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.
 
 ??? example "A complete client tls certificate"
 
@@ -104,7 +265,7 @@ In the following example, you can see a complete certificate. We will use each p
             Validity
                 Not Before: Dec  6 11:10:16 2018 GMT
                 Not After : Dec  5 11:10:16 2020 GMT
-            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
+            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
             Subject Public Key Info:
                 Public Key Algorithm: rsaEncryption
                     RSA Public-Key: (2048 bit)
@@ -141,7 +302,7 @@ In the following example, you can see a complete certificate. We will use each p
                     keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
     
                 X509v3 Subject Alternative Name: 
-                    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
+                    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
         Signature Algorithm: sha1WithRSAEncryption
              76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
              16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
@@ -196,9 +357,10 @@ In the following example, you can see a complete certificate. We will use each p
     -----END CERTIFICATE-----
     ```
 
-### pem
+### `pem`
 
 The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
+
 In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
 
 ??? example "The data used by the pem option"
@@ -242,28 +404,35 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
     -----END CERTIFICATE-----
     ```
     
-!!! note "Extracted data"
+!!! info "Extracted data"
     
     The delimiters and `\n` will be removed.  
-    If there are more than one certificate, they are separated by a "`;`".
+    If there are more than one certificate, they are separated by a "`,`".
 
-### info
+!!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
+
+    The header size limit of web servers is commonly between 4kb and 8kb.  
+    You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
+
+### `info`
 
 The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
 The value of the header will be an escaped concatenation of all the selected certificate details.
+
 The following example shows an unescaped result that uses all the available fields: 
 
 ```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
-!!! note "Multiple certificates"
+!!! info "Multiple certificates"
 
-    If there are more than one certificate, they are separated by a `;`.
+    If there are more than one certificate, they are separated by a `,`.
 
-#### info.notafter 
+#### `info.notAfter`
+
+Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.
 
-Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
 The data are taken from the following certificate part:      
 
 ```text
@@ -271,15 +440,15 @@ The data are taken from the following certificate part:
         Not After : Dec  5 11:10:16 2020 GMT            
 ```
 
-The escape `notafter` info part will be like:
+The escape `notAfter` info part will be like:
 
 ```text
-NA=1607166616
+NA="1607166616"
 ```
 
-#### info.notbefore
+#### `info.notBefore`
 
-Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
+Set the `info.notBefore` option to `true` to add the `Not Before` information from the `Validity` part.
 
 The data are taken from the following certificate part:
 
@@ -288,43 +457,44 @@ Validity
     Not Before: Dec  6 11:10:16 2018 GMT
 ```
 
-The escape `notafter` info part will be like:
+The escape `notBefore` info part will be like:
 
 ```text
-NB=1544094616
+NB="1544094616"
 ```
 
-#### info.sans
+#### `info.sans`
 
 Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
+
 The data are taken from the following certificate part:
 
 ```text
  X509v3 Subject Alternative Name: 
-    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
+    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```
 
 The escape SANs info part will be like:
 
 ```text
-SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
-!!! note "multiple values"
+!!! info "multiple values"
 
     All the SANs data are separated by a `,`.
-    
-#### info.subject
+
+#### `info.subject`
 
 The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
 
 The data are taken from the following certificate part :
 
 ```text
-Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
+Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
 ```
 
-##### info.subject.country
+##### `info.subject.country`
 
 Set the `info.subject.country` option to true to add the `country` information into the subject.  
 The data are taken from the subject part with the `C` key. 
@@ -334,7 +504,7 @@ The escape country info in the subject part will be like :
 C=FR,C=US
 ```
 
-##### info.subject.province
+##### `info.subject.province`
 
 Set the `info.subject.province` option to true to add the `province` information into the subject.
   
@@ -346,7 +516,7 @@ The escape province info in the subject part will be like :
 ST=Cheese org state,ST=Cheese com state
 ```
 
-##### info.subject.locality
+##### `info.subject.locality`
 
 Set the `info.subject.locality` option to true to add the `locality` information into the subject.
   
@@ -358,7 +528,7 @@ The escape locality info in the subject part will be like :
 L=TOULOUSE,L=LYON
 ```
 
-##### info.subject.organization
+##### `info.subject.organization`
 
 Set the `info.subject.organization` option to true to add the `organization` information into the subject.
   
@@ -370,33 +540,33 @@ The escape organization info in the subject part will be like :
 O=Cheese,O=Cheese 2
 ```
 
-##### info.subject.commonname
+##### `info.subject.commonName`
 
-Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
+Set the `info.subject.commonName` option to true to add the `commonName` information into the subject.
   
 The data are taken from the subject part with the `CN` key.
 
-The escape commonname info in the subject part will be like :
+The escape common name info in the subject part will be like :
 
 ```text
-CN=*.cheese.com
+CN=*.example.com
 ```
 
-##### info.subject.serialnumber
+##### `info.subject.serialNumber`
 
-Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
+Set the `info.subject.serialNumber` option to true to add the `serialNumber` information into the subject.
   
 The data are taken from the subject part with the `SN` key.
 
-The escape serialnumber info in the subject part will be like :
+The escape serial number info in the subject part will be like :
 
 ```text
 SN=1234567890
 ```
 
-##### info.subject.domaincomponent
+##### `info.subject.domainComponent`
 
-Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
+Set the `info.subject.domainComponent` option to true to add the `domainComponent` information into the subject.
   
 The data are taken from the subject part with the `DC` key.
 
@@ -406,7 +576,7 @@ The escape domaincomponent info in the subject part will be like :
 DC=org,DC=cheese
 ```
 
-#### info.issuer
+#### `info.issuer`
 
 The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
 
@@ -416,7 +586,7 @@ The data are taken from the following certificate part :
 Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
 ```
 
-##### info.issuer.country
+##### `info.issuer.country`
 
 Set the `info.issuer.country` option to true to add the `country` information into the issuer.  
 The data are taken from the issuer part with the `C` key. 
@@ -426,7 +596,7 @@ The escape country info in the issuer part will be like :
 C=FR,C=US
 ```
 
-##### info.issuer.province
+##### `info.issuer.province`
 
 Set the `info.issuer.province` option to true to add the `province` information into the issuer.
   
@@ -438,7 +608,7 @@ The escape province info in the issuer part will be like :
 ST=Signing State,ST=Signing State 2
 ```
 
-##### info.issuer.locality
+##### `info.issuer.locality`
 
 Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
   
@@ -450,7 +620,7 @@ The escape locality info in the issuer part will be like :
 L=TOULOUSE,L=LYON
 ```
 
-##### info.issuer.organization
+##### `info.issuer.organization`
 
 Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
   
@@ -462,37 +632,37 @@ The escape organization info in the issuer part will be like :
 O=Cheese,O=Cheese 2
 ```
 
-##### info.issuer.commonname
+##### `info.issuer.commonName`
 
-Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
+Set the `info.issuer.commonName` option to true to add the `commonName` information into the issuer.
   
 The data are taken from the issuer part with the `CN` key.
 
-The escape commonname info in the issuer part will be like :
+The escape common name info in the issuer part will be like :
 
 ```text
 CN=Simple Signing CA 2
 ```
 
-##### info.issuer.serialnumber
+##### `info.issuer.serialNumber`
 
-Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
+Set the `info.issuer.serialNumber` option to true to add the `serialNumber` information into the issuer.
   
 The data are taken from the issuer part with the `SN` key.
 
-The escape serialnumber info in the issuer part will be like :
+The escape serial number info in the issuer part will be like :
 
 ```text
 SN=1234567890
 ```
 
-##### info.issuer.domaincomponent
+##### `info.issuer.domainComponent`
 
-Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
+Set the `info.issuer.domainComponent` option to true to add the `domainComponent` information into the issuer.
   
 The data are taken from the issuer part with the `DC` key.
 
-The escape domaincomponent info in the issuer part will be like :
+The escape domain component info in the issuer part will be like :
 
 ```text
 DC=org,DC=cheese

docs/content/middlewares/ratelimit.md

@@ -1,68 +1,446 @@
-# TODO -- RateLimit
+# RateLimit
 
-Protection from Too Many Calls
+To Control the Number of Requests Going to a Service
 {: .subtitle }
 
-![RateLimit](../assets/img/middleware/ratelimit.png)
-
-The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows you define what is fair.
+The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows one to define what fair is.
 
 ## Configuration Example
 
-??? example "Limit to 100 requests every 10 seconds (with a possible burst of 200)"
+```yaml tab="Docker"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+```
 
-    ```toml
-    [http.middlewares]
-        [http.middlewares.fair-ratelimit.ratelimit]
-            extractorfunc = "client.ip"
-    
-              [http.middlewares.fair-ratelimit.ratelimit.rateset1]
-                period = "10s"
-                average = 100
-                burst = 200
-    ```
+```yaml tab="Kubernetes"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    average: 100
+    burst: 50
+```
 
-??? example "Combine multiple limits"
+```yaml tab="Consul Catalog"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+```
 
-    ```toml
-    [http.middlewares]
-        [http.middlewares.fair-ratelimit.ratelimit]
-            extractorfunc = "client.ip"
-    
-              [http.middlewares.fair-ratelimit.ratelimit.rateset1]
-                period = "10s"
-                average = 100
-                burst = 200
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
+  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "50"
+}
+```
 
-              [http.middlewares.fair-ratelimit.ratelimit.rateset2]
-                period = "3s"
-                average = 5
-                burst = 10
-    ```
-    
-    Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. These can "burst" up to 10 and 200 in each period, respectively. 
+```yaml tab="Rancher"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+```
+
+```toml tab="File (TOML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+    burst = 50
+```
+
+```yaml tab="File (YAML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 100
+        burst: 50
+```
 
 ## Configuration Options
 
-### extractorfunc
+### `average`
+
+`average` is the maximum rate, by default in requests by second, allowed for the given source.
+
+It defaults to `0`, which means no rate limiting.
+
+The rate is actually defined by dividing `average` by `period`.
+So for a rate below 1 req/s, one needs to define a `period` larger than a second.
+
+```yaml tab="Docker"
+# 100 reqs/s
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+```
+
+```yaml tab="Kubernetes"
+# 100 reqs/s
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    average: 100
+```
+
+```yaml tab="Consul Catalog"
+# 100 reqs/s
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+```
+
+```toml tab="File (TOML)"
+# 100 reqs/s
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+```
+
+```yaml tab="File (YAML)"
+# 100 reqs/s
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 100
+```
+
+### `period`
+
+`period`, in combination with `average`, defines the actual maximum rate, such as:
+
+```go
+r = average / period
+```
+
+It defaults to `1` second.
+
+```yaml tab="Docker"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```yaml tab="Kubernetes"
+# 6 reqs/minute
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    period: 1m
+    average: 6
+```
+
+```yaml tab="Consul Catalog"
+# 6 reqs/minute
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
+  "traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
+}
+```
+
+```yaml tab="Rancher"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```toml tab="File (TOML)"
+# 6 reqs/minute
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 6
+    period = 1m
+```
+
+```yaml tab="File (YAML)"
+# 6 reqs/minute
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 6
+        period: 1m
+```
+
+### `burst`
+
+`burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
+
+It defaults to `1`.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    burst: 100
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    burst = 100
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        burst: 100
+```
+
+### `sourceCriterion`
  
-The `extractorfunc` option defines the strategy used to categorize requests.
+SourceCriterion defines what criterion is used to group requests as originating from a common source.
+The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If none are set, the default is to use the request's remote address field (as an `ipStrategy`).
 
-The possible values are:
+#### `sourceCriterion.ipStrategy`
 
-- `request.host` categorizes requests based on the request host.
-- `client.ip` categorizes requests based on the client ip.
-- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
+The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
 
-### ratelimit (multiple values)
+##### `ipStrategy.depth`
 
-You can combine multiple ratelimit. 
-The ratelimit will trigger with the first reached limit.
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
 
-Each ratelimit has 3 options, `period`, `average`, and `burst`.
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is lesser than or equal to 0.
 
-The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.
+!!! example "Example of Depth & X-Forwarded-For"
 
-!!! note "Period Format"
+    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
 
-    Period is to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+    | `X-Forwarded-For`                       | `depth` | clientIP     |
+    |-----------------------------------------|---------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+##### `ipStrategy.excludedIPs`
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    sourceCriterion:
+      ipStrategy:
+        excludedIPs:
+        - 127.0.0.1/32
+        - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          ipStrategy:
+            excludedIPs:
+              - "127.0.0.1/32"
+              - "192.168.1.7"
+```
+
+`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
+#### `sourceCriterion.requestHeaderName`
+
+Requests having the same value for the given header are grouped as coming from the same source.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+	sourceCriterion:
+      requestHeaderName: username
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername": "username"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHeaderName = "username"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          requestHeaderName: username
+```
+
+#### `sourceCriterion.requestHost`
+
+Whether to consider the request host as the source.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    sourceCriterion:
+      requestHost: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHost = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          requestHost: true
+```

docs/content/middlewares/redirectregex.md

@@ -1,42 +1,85 @@
-# TODO - RedirectRegex
+# RedirectRegex
 
 Redirecting the Client to a Different Location
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
 RegexRedirect redirect a request from an url to another with regex matching and replacement.
 
 ## Configuration Examples
 
-??? example "File -- Redirect with domain replacement"
+```yaml tab="Docker"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+labels:
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-redirectregex.redirectregex]
-        regex = "^http://localhost/(.*)"
-        replacement = "http://mydomain/$1"
-    ```
+```yaml tab="Kubernetes"
+# Redirect with domain replacement
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectregex
+spec:
+  redirectRegex:
+    regex: ^http://localhost/(.*)
+    replacement: http://mydomain/${1}
+```
 
-??? example "Docker -- Redirect with domain replacement"
+```yaml tab="Consul Catalog"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
 
-    ```yml
-     a-container:
-        image: a-container-image 
-            labels:
-                - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-                - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
-    ```
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
+  "traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/${1}"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+labels:
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
+
+```toml tab="File (TOML)"
+# Redirect with domain replacement
+[http.middlewares]
+  [http.middlewares.test-redirectregex.redirectRegex]
+    regex = "^http://localhost/(.*)"
+    replacement = "http://mydomain/${1}"
+```
+
+```yaml tab="File (YAML)"
+# Redirect with domain replacement
+http:
+  middlewares:
+    test-redirectregex:
+      redirectRegex:
+        regex: "^http://localhost/(.*)"
+        replacement: "http://mydomain/${1}"
+```
 
 ## Configuration Options
 
-### permanent
+### `permanent`
 
 Set the `permanent` option to `true` to apply a permanent redirection.
 
-### regex
+### `regex`
 
-The `Regex` option is the regular expression to match and capture elements form the request URL.
+The `regex` option is the regular expression to match and capture elements from the request URL.
 
 !!! warning
 
@@ -46,7 +89,6 @@ The `Regex` option is the regular expression to match and capture elements form
 
     Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
     
-### replacement
+### `replacement`
 
-The `replacement` option defines how to modify the URl to have the new target URL.
- 
+The `replacement` option defines how to modify the URL to have the new target URL.

docs/content/middlewares/redirectscheme.md

@@ -1,41 +1,251 @@
-# TODO - RedirectScheme
+# RedirectScheme
 
 Redirecting the Client to a Different Scheme/Port
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
-RegexRedirect redirect request from a scheme to another.
+RedirectScheme redirect request from a scheme to another.
 
 ## Configuration Examples
 
-??? example "File -- Redirect to https"
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-redirectscheme.redirectscheme]
-        scheme = "https"
-    ```
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+```
 
-??? example "Docker -- Redirect to https"
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
 
-    ```yml
-     a-container:
-        image: a-container-image 
-            labels:
-                - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
-    ```
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+```
 
 ## Configuration Options
 
-### permanent
+### `permanent`
 
 Set the `permanent` option to `true` to apply a permanent redirection.
 
-### scheme
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        permanent: true
+```
+
+### `scheme`
 
 The `scheme` option defines the scheme of the new url.
 
-### port
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    scheme: https
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        scheme: https
+```
+
+### `port`
 
 The `port` option defines the port of the new url.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    port: 443
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    port = 443
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        port: 443
+```

docs/content/middlewares/replacepath.md

@@ -1,40 +1,75 @@
-# TODO -- ReplacePath
+# ReplacePath
 
 Updating the Path Before Forwarding the Request
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
 Replace the path of the request url.
 
 ## Configuration Examples
 
-??? example "File -- Replace the path by /foo"
+```yaml tab="Docker"
+# Replace the path by /foo
+labels:
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
 
-    ```toml
-    [http.middlewares]
-      [http.middlewares.test-replacepath.ReplacePath]
-         path = "/foo"
-    ```
+```yaml tab="Kubernetes"
+# Replace the path by /foo
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-replacepath
+spec:
+  replacePath:
+    path: /foo
+```
 
-??? example "Docker --Replace the path by /foo"
+```yaml tab="Consul Catalog"
+# Replace the path by /foo
+- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"
+}
+```
+
+```yaml tab="Rancher"
+# Replace the path by /foo
+labels:
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
+
+```toml tab="File (TOML)"
+# Replace the path by /foo
+[http.middlewares]
+  [http.middlewares.test-replacepath.replacePath]
+    path = "/foo"
+```
+
+```yaml tab="File (YAML)"
+# Replace the path by /foo
+http:
+  middlewares:
+    test-replacepath:
+      replacePath:
+        path: "/foo"
+```
 
-    ```yaml
-    a-container:
-      image: a-container-image 
-        labels:
-          - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
-    ```
-    
 ## Configuration Options
 
 ### General
 
 The ReplacePath middleware will:
 
-* replace the actual path by the specified one.
-* store the original path in a `X-Replaced-Path` header.
+- replace the actual path by the specified one.
+- store the original path in a `X-Replaced-Path` header.
 
-### path
+### `path`
 
 The `path` option defines the path to use as replacement in the request url.

docs/content/middlewares/replacepathregex.md

@@ -1,4 +1,94 @@
-# TODO -- ReplacePathRegex
+# ReplacePathRegex
 
 Updating the Path Before Forwarding the Request (Using a Regex)
-{: .subtitle }
+{: .subtitle }
+
+<!--
+TODO: add schema
+-->
+
+The ReplaceRegex replace a path from an url to another with regex matching and replacement.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Replace path with regex
+labels:
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$$1"
+```
+
+```yaml tab="Kubernetes"
+# Replace path with regex
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-replacepathregex
+spec:
+  replacePathRegex:
+    regex: ^/foo/(.*)
+    replacement: /bar/$1
+```
+
+```yaml tab="Consul Catalog"
+# Replace path with regex
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",
+  "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement": "/bar/$1"
+}
+```
+
+```yaml tab="Rancher"
+# Replace path with regex
+labels:
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+```
+
+```toml tab="File (TOML)"
+# Redirect with domain replacement
+[http.middlewares]
+  [http.middlewares.test-replacepathregex.replacePathRegex]
+    regex = "^/foo/(.*)"
+    replacement = "/bar/$1"
+```
+
+```yaml tab="File (YAML)"
+# Redirect with domain replacement
+http:
+  middlewares:
+    test-replacepathregex:
+      replacePathRegex:
+        regex: "^/foo/(.*)"
+        replacement: "/bar/$1"
+```
+
+## Configuration Options
+
+### General
+
+The ReplacePathRegex middleware will:
+
+- replace the matching path by the specified one.
+- store the original path in a `X-Replaced-Path` header.
+
+### `regex`
+
+The `regex` option is the regular expression to match and capture the path from the request URL.
+
+!!! warning
+
+    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
+
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+    
+### `replacement`
+
+The `replacement` option defines how to modify the path to have the new target path.

docs/content/middlewares/retry.md

@@ -1,20 +1,71 @@
-# TODO -- Retry
+# Retry
 
 Retrying until it Succeeds
 {: .subtitle }
 
-## Old Content
+<!--
+TODO: add schema
+-->
 
-## Retry Configuration
+The Retry middleware is in charge of reissuing a request a given number of times to a backend server if that server does not reply.
+To be clear, as soon as the server answers, the middleware stops retrying, regardless of the response status.
 
-```toml
-# Enable retry sending request if network error
-[retry]
+## Configuration Examples
 
-# Number of attempts
-#
-# Optional
-# Default: (number servers in backend) -1
-#
-# attempts = 3
+```yaml tab="Docker"
+# Retry to send request 4 times
+labels:
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
 ```
+
+```yaml tab="Kubernetes"
+# Retry to send request 4 times
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-retry
+spec:
+  retry:
+    attempts: 4
+```
+
+```yaml tab="Consul Catalog"
+# Retry to send request 4 times
+- "traefik.http.middlewares.test-retry.retry.attempts=4"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-retry.retry.attempts": "4"
+}
+```
+
+```yaml tab="Rancher"
+# Retry to send request 4 times
+labels:
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
+```
+
+```toml tab="File (TOML)"
+# Retry to send request 4 times
+[http.middlewares]
+  [http.middlewares.test-retry.retry]
+     attempts = 4
+```
+
+```yaml tab="File (YAML)"
+# Retry to send request 4 times
+http:
+  middlewares:
+    test-retry:
+      retry:
+       attempts: 4
+```
+
+## Configuration Options
+
+### `attempts` 
+
+_mandatory_
+
+The `attempts` option defines how many times the request should be retried.

docs/content/middlewares/stripprefix.md

@@ -1,13 +1,174 @@
-# TODO -- StripPrefix
+# StripPrefix
 
 Removing Prefixes From the Path Before Forwarding the Request
 {: .subtitle }
 
-## OldContent
- 
-Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
-For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
-Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.  
+<!--
+TODO: add schema
+-->
+
+Remove the specified prefixes from the URL path.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Strip prefix /foobar and /fiibar
+labels:
+  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+```
+
+```yaml tab="Kubernetes"
+# Strip prefix /foobar and /fiibar
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-stripprefix
+spec:
+  stripPrefix:
+    prefixes:
+      - /foobar
+      - /fiibar
+```
+
+```yaml tab="Consul Catalog"
+# Strip prefix /foobar and /fiibar
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
+}
+```
+
+```yaml tab="Rancher"
+# Strip prefix /foobar and /fiibar
+labels:
+  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+```
+
+```toml tab="File (TOML)"
+# Strip prefix /foobar and /fiibar
+[http.middlewares]
+  [http.middlewares.test-stripprefix.stripPrefix]
+    prefixes = ["/foobar", "/fiibar"]
+```
+
+```yaml tab="File (YAML)"
+# Strip prefix /foobar and /fiibar
+http:
+  middlewares:
+    test-stripprefix:
+      stripPrefix:
+        prefixes:
+          - "/foobar"
+          - "/fiibar"
+```
+
+## Configuration Options
+
+### General
+
+The StripPrefix middleware will:
+
+- strip the matching path prefix.
+- store the matching path prefix in a `X-Forwarded-Prefix` header.
+
+!!! tip
+    
+    Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+
+### `prefixes`
+
+The `prefixes` option defines the prefixes to strip from the request URL.
+
+For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.
+
+Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
+
 If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
 Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
-The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
+
+The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
+
+### `forceSlash`
+
+_Optional, Default=true_
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceslash=false"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: example
+spec:
+  stripPrefix:
+    prefixes:
+      - "/foobar"
+    forceSlash: false
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
+  "traefik.http.middlewares.example.stripprefix.forceslash": "false"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.example.stripPrefix]
+    prefixes = ["/foobar"]
+    forceSlash = false
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    example:
+      stripPrefix:
+        prefixes:
+          - "/foobar"
+        forceSlash: false
+```
+
+The `forceSlash` option makes sure that the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
+
+This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
+
+It's recommended to explicitly set `forceSlash` to `false`.
+
+??? info "Behavior examples"
+    
+    - `forceSlash=true`
+    
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | `/`    |
+    | `/foo`     | `/foo`          | `/`    |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | `/`    |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+    
+    - `forceSlash=false`
+    
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | empty  |
+    | `/foo`     | `/foo`          | empty  |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | empty  |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |

docs/content/middlewares/stripprefixregex.md

@@ -1,13 +1,85 @@
-# TODO -- StripPrefix
+# StripPrefixRegex
 
 Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
 {: .subtitle }
 
-## OldContent
+Remove the matching prefixes from the URL path.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-stripprefixregex
+spec:
+  stripPrefixRegex:
+    regex:
+      - "/foo/[a-z0-9]+/[0-9]+/"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "/foo/[a-z0-9]+/[0-9]+/"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-stripprefixregex.stripPrefixRegex]
+    regex = ["/foo/[a-z0-9]+/[0-9]+/"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-stripprefixregex:
+      stripPrefixRegex:
+        regex:
+          - "/foo/[a-z0-9]+/[0-9]+/"
+```
+
+## Configuration Options
+
+### General
+
+The StripPrefixRegex middleware will:
+
+- strip the matching path prefix.
+- store the matching path prefix in a `X-Forwarded-Prefix` header.
+
+!!! tip
+    
+    Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+
+### `regex`
+
+The `regex` option is the regular expression to match the path prefix from the request URL.
+
+!!! tip
+
+    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
 
-Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
-For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
 Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.  
+
 If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
+
 Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
-The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
+
+The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.

docs/content/migration/v2.md

@@ -0,0 +1,304 @@
+# Migration: Steps needed between the versions
+
+## v2.0 to v2.1
+
+### Kubernetes CRD
+
+In v2.1, a new Kubernetes CRD called `TraefikService` was added.
+While updating an installation to v2.1,
+one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
+
+To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TraefikService"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+```
+
+After having both resources applied, Traefik will work properly.
+
+## v2.1 to v2.2
+
+### Headers middleware: accessControlAllowOrigin
+
+`accessControlAllowOrigin` is deprecated.
+This field will be removed in future 2.x releases.
+Please configure your allowed origins in `accessControlAllowOriginList` instead.
+
+### Kubernetes CRD
+
+In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
+While updating an installation to v2.2,
+one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
+
+To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TLSStore"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
+```
+
+```yaml tab="IngressRouteUDP"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+    verbs:
+      - get
+      - list
+      - watch
+
+```
+
+After having both resources applied, Traefik will work properly.
+
+### Kubernetes Ingress
+
+To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.
+
+#### Expose an Ingress on 80 and 443
+
+Define the default TLS configuration on the HTTPS entry point. 
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: "/foo"
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+    http:
+      tls: {}
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+  [entryPoints.websecure.http]
+    [entryPoints.websecure.http.tls]
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.tls=true
+--providers.kubernetesIngress=true
+```
+
+#### Use TLS only on one Ingress
+
+Define the TLS restriction with annotations.
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example-tls
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: ""
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--providers.kubernetesIngress=true
+```

docs/content/observability/access-logs.md

@@ -5,51 +5,67 @@ Who Calls Whom?
 
 By default, logs are written to stdout, in text format.
 
-## Configuration Examples
+## Configuration 
 
-??? example "Enabling Access Logs"
+To enable the access logs:
 
-    ```toml
-    [accessLog]
-    ```
+```toml tab="File (TOML)"
+[accessLog]
+```
 
-## Configuration Options 
+```yaml tab="File (YAML)"
+accessLog: {}
+```
 
-### filePath
+```bash tab="CLI"
+--accesslog=true
+```
+
+### `filePath`
 
 By default access logs are written to the standard output.
 To write the logs into a log file, use the `filePath` option.
 
-in the Common Log Format (CLF), extended with additional fields.
-
-### format
+### `format`
  
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
+If the given format is unsupported, the default (CLF) is used instead.
 
-!!! note "Common Log Format"
-
-#### CLF - Common Log Format
-
+!!! info "Common Log Format"
+    
     ```html
-    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
 
-#### bufferingSize
+### `bufferingSize`
 
 To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.
 This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
 In some cases, this option can greatly help performances.
 
-??? example "Configuring a buffer of 100 lines"
+```toml tab="File (TOML)"
+# Configuring a buffer of 100 lines
+[accessLog]
+  filePath = "/path/to/access.log"
+  bufferingSize = 100
+```
 
-    ```toml
-    [accessLog]
-    filePath = "/path/to/access.log"
-    bufferingSize = 100
-    ```
+```yaml tab="File (YAML)"
+# Configuring a buffer of 100 lines
+accessLog:
+  filePath: "/path/to/access.log"
+  bufferingSize: 100
+```
 
-#### Filtering
+```bash tab="CLI"
+# Configuring a buffer of 100 lines
+--accesslog=true
+--accesslog.filepath=/path/to/access.log
+--accesslog.bufferingsize=100
+```
+
+### Filtering
 
 To filter logs, you can specify a set of filters which are logically "OR-connected". 
 Thus, specifying multiple filters will keep more access logs than specifying only one.
@@ -60,20 +76,42 @@ The available filters are:
 - `retryAttempts`, to keep the access logs when at least one retry has happened
 - `minDuration`, to keep access logs when requests take longer than the specified duration
 
-??? example "Configuring Multiple Filters"
+```toml tab="File (TOML)"
+# Configuring Multiple Filters
+[accessLog]
+  filePath = "/path/to/access.log"
+  format = "json"
 
-    ```toml
-    [accessLog]
-    filePath = "/path/to/access.log"
-    format = "json"
-    
-      [accessLog.filters]    
-        statusCodes = ["200", "300-302"]
-        retryAttempts = true
-        minDuration = "10ms"
-    ```
+  [accessLog.filters]    
+    statusCodes = ["200", "300-302"]
+    retryAttempts = true
+    minDuration = "10ms"
+```
 
-#### Limiting the Fields
+```yaml tab="File (YAML)"
+# Configuring Multiple Filters
+accessLog:
+  filePath: "/path/to/access.log"
+  format: json
+  filters:    
+    statusCodes:
+      - "200"
+      - "300-302"
+    retryAttempts: true
+    minDuration: "10ms"
+```
+
+```bash tab="CLI"
+# Configuring Multiple Filters
+--accesslog=true
+--accesslog.filepath=/path/to/access.log
+--accesslog.format=json
+--accesslog.filters.statuscodes=200,300-302
+--accesslog.filters.retryattempts
+--accesslog.filters.minduration=10ms
+```
+
+### Limiting the Fields
 
 You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options
 
@@ -83,70 +121,99 @@ Each field can be set to:
 - `drop` to drop the value
 - `redact` to replace the value with "redacted"
 
-??? example "Limiting the Logs to Specific Fields"
+The `defaultMode` for `fields.header` is `drop`.
 
-    ```toml
-    [accessLog]
-        filePath = "/path/to/access.log"
-        format = "json"
-        
-        [accessLog.filters]
-            statusCodes = ["200", "300-302"]
-    
-        [accessLog.fields]
-            defaultMode = "keep"
-    
-            [accessLog.fields.names]
-                "ClientUsername" = "drop"
+```toml tab="File (TOML)"
+# Limiting the Logs to Specific Fields
+[accessLog]
+  filePath = "/path/to/access.log"
+  format = "json"
 
-            [accessLog.fields.headers]
-                defaultMode = "keep"
-        
-                [accessLog.fields.headers.names]
-                    "User-Agent" = "redact"
-                    "Authorization" = "drop"
-                    "Content-Type" = "keep"
-    ```
-    
-??? list "Available Fields"
+  [accessLog.fields]
+    defaultMode = "keep"
 
-    ```ini
-    StartUTC
-    StartLocal
-    Duration
-    FrontendName
-    BackendName
-    BackendURL
-    BackendAddr
-    ClientAddr
-    ClientHost
-    ClientPort
-    ClientUsername
-    RequestAddr
-    RequestHost
-    RequestPort
-    RequestMethod
-    RequestPath
-    RequestProtocol
-    RequestLine
-    RequestContentSize
-    OriginDuration
-    OriginContentSize
-    OriginStatus
-    OriginStatusLine
-    DownstreamStatus
-    DownstreamStatusLine
-    DownstreamContentSize
-    RequestCount
-    GzipRatio
-    Overhead
-    RetryAttempts
-    ```
+    [accessLog.fields.names]
+      "ClientUsername" = "drop"
+
+    [accessLog.fields.headers]
+      defaultMode = "keep"
+  
+      [accessLog.fields.headers.names]
+        "User-Agent" = "redact"
+        "Authorization" = "drop"
+        "Content-Type" = "keep"
+```
+
+```yaml tab="File (YAML)"
+# Limiting the Logs to Specific Fields
+accessLog:
+  filePath: "/path/to/access.log"
+  format: json
+  fields:
+    defaultMode: keep
+    names:
+      ClientUsername: drop
+    headers:
+      defaultMode: keep
+      names:
+          User-Agent: redact
+          Authorization: drop
+          Content-Type: keep
+```
+
+```bash tab="CLI"
+# Limiting the Logs to Specific Fields
+--accesslog=true
+--accesslog.filepath=/path/to/access.log
+--accesslog.format=json
+--accesslog.fields.defaultmode=keep
+--accesslog.fields.names.ClientUsername=drop
+--accesslog.fields.headers.defaultmode=keep
+--accesslog.fields.headers.names.User-Agent=redact
+--accesslog.fields.headers.names.Authorization=drop
+--accesslog.fields.headers.names.Content-Type=keep
+```
+
+??? info "Available Fields"
+
+    | Field                   | Description                                                                                                                                                         |
+    |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+    | `StartUTC`              | The time at which request processing started.                                                                                                                       |
+    | `StartLocal`            | The local time at which request processing started.                                                                                                                 |
+    | `Duration`              | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time.                                  |
+    | `FrontendName`          | The name of the Traefik frontend.                                                                                                                                   |
+    | `BackendName`           | The name of the Traefik backend.                                                                                                                                    |
+    | `BackendURL`            | The URL of the Traefik backend.                                                                                                                                     |
+    | `BackendAddr`           | The IP:port of the Traefik backend (extracted from `BackendURL`)                                                                                                    |
+    | `ClientAddr`            | The remote address in its original form (usually IP:port).                                                                                                          |
+    | `ClientHost`            | The remote IP address from which the client request was received.                                                                                                   |
+    | `ClientPort`            | The remote TCP port from which the client request was received.                                                                                                     |
+    | `ClientUsername`        | The username provided in the URL, if present.                                                                                                                       |
+    | `RequestAddr`           | The HTTP Host header (usually IP:port). This is treated as not a header by the Go API.                                                                              |
+    | `RequestHost`           | The HTTP Host server name (not including port).                                                                                                                     |
+    | `RequestPort`           | The TCP port from the HTTP Host.                                                                                                                                    |
+    | `RequestMethod`         | The HTTP method.                                                                                                                                                    |
+    | `RequestPath`           | The HTTP request URI, not including the scheme, host or port.                                                                                                       |
+    | `RequestProtocol`       | The version of HTTP requested.                                                                                                                                      |
+    | `RequestScheme`         | The HTTP scheme requested `http` or `https`.                                                                                                                        |
+    | `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
+    | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
+    | `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |
+    | `OriginContentSize`     | The content length specified by the origin server, or 0 if unspecified.                                                                                             |
+    | `OriginStatus`          | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent.     |
+    | `OriginStatusLine`      | `OriginStatus` + Status code explanation                                                                                                                            |
+    | `DownstreamStatus`      | The HTTP status code returned to the client.                                                                                                                        |
+    | `DownstreamStatusLine`  | `DownstreamStatus` + Status code explanation                                                                                                                        |
+    | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
+    | `RequestCount`          | The number of requests received since the Traefik instance started.                                                                                                 |
+    | `GzipRatio`             | The response body compression ratio achieved.                                                                                                                       |
+    | `Overhead`              | The processing time overhead caused by Traefik.                                                                                                                     |
+    | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
 
 ## Log Rotation
 
 Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
 This allows the logs to be rotated and processed by an external program, such as `logrotate`.
 
-!!! note
+!!! warning
     This does not work on Windows due to the lack of USR signals.

docs/content/observability/logs.md

@@ -5,46 +5,80 @@ Reading What's Happening
 
 By default, logs are written to stdout, in text format.
 
-## Configuration Example
-
-??? example "Writing Logs in a File"
-
-    ```toml
-    [log]
-    filePath = "/path/to/traefik.log"
-    ```
-
-??? example "Writing Logs in a File, in JSON"
-
-    ```toml
-    [log]
-    filePath = "/path/to/log-file.log"
-    format   = "json"
-    ```
-
-## Configuration Options
+## Configuration
 
 ### General
 
 Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
 
-#### filePath
+#### `filePath`
 
 By default, the logs are written to the standard output.
 You can configure a file path instead using the `filePath` option.
 
-#### format
+```toml tab="File (TOML)"
+# Writing Logs to a File
+[log]
+  filePath = "/path/to/traefik.log"
+```
+
+```yaml tab="File (YAML)"
+# Writing Logs to a File
+log:
+  filePath: "/path/to/traefik.log"
+```
+
+```bash tab="CLI"
+# Writing Logs to a File
+--log.filePath=/path/to/traefik.log
+```
+
+#### `format`
 
 By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.   
 
-#### logLevel
+```toml tab="File (TOML)"
+# Writing Logs to a File, in JSON
+[log]
+  filePath = "/path/to/log-file.log"
+  format = "json"
+```
 
-By default, the `logLevel` is set to `error`, but you can choose amongst `debug`, `panic`, `fatal`, `error`, `warn`, and `info`. 
+```yaml tab="File (YAML)"
+# Writing Logs to a File, in JSON
+log:
+  filePath: "/path/to/log-file.log"
+  format: json
+```
+
+```bash tab="CLI"
+# Writing Logs to a File, in JSON
+--log.filePath=/path/to/traefik.log
+--log.format=json
+```
+
+#### `level`
+
+By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`. 
+
+```toml tab="File (TOML)"
+[log]
+  level = "DEBUG"
+```
+
+```yaml tab="File (YAML)"
+log:
+  level: DEBUG
+```
+
+```bash tab="CLI"
+--log.level=DEBUG
+```
 
 ## Log Rotation
 
 Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
 This allows the logs to be rotated and processed by an external program, such as `logrotate`.
 
-!!! note
+!!! warning
     This does not work on Windows due to the lack of USR signals.