Prepare release v2.0.0-rc3

Prepare release v1.7.14
Finish kubernetes throttling refactoring
2025-09-22 13:44:25 +03:00 · 2019-09-10 18:58:03 +02:00 · 2019-09-10 18:30:05 +02:00 · 2019-09-10 18:30:05 +02:00 · 2019-09-10 18:30:05 +02:00 · 2019-09-10 17:52:04 +02:00
5770 changed files with 50381 additions and 1184834 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@
 *.log
 *.exe
 cover.out
+vendor/
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -23,6 +23,10 @@
  [linters-settings.misspell]
    locale = "US"

+  [linters-settings.funlen]
+    lines = 230 # default 60
+    statements = 120 # default 40
+
 [linters]
  enable-all = true
  disable = [
@@ -36,8 +40,7 @@
    "scopelint",
    "gochecknoinits",
    "gochecknoglobals",
-    # uncomment when the CI will be updated
-    # "bodyclose", # Too many false-positive and panics.
+    "bodyclose", # Too many false-positive and panics.
  ]

 [issues]
@@ -50,8 +53,8 @@
    "should have a package comment, unless it's in another file for this package",
  ]
 [[issues.exclude-rules]]
-    path = ".+_test.go"
-    linters = ["goconst"]
+    path = "(.+)_test.go"
+    linters = ["goconst", "funlen"]
 [[issues.exclude-rules]]
    path = "integration/.+_test.go"
    text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
@@ -66,7 +69,7 @@
    text = "Error return value of `rw.Write` is not checked"
 [[issues.exclude-rules]]
    path = "pkg/middlewares/recovery/recovery.go"
-    text = "`logger` can be `github.com/containous/traefik/vendor/github.com/stretchr/testify/assert.TestingT`"
+    text = "`logger` can be `github.com/stretchr/testify/assert.TestingT`"
 [[issues.exclude-rules]]
    path = "pkg/provider/docker/builder_test.go"
    text = "(U1000: func )?`(.+)` is unused"
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -11,7 +11,7 @@ builds:
    env:
      - CGO_ENABLED=0
    ldflags:
-      - -s -w -X github.com/containous/traefik/pkg/version.Version={{.Version}} -X github.com/containous/traefik/pkg/version.Codename={{.Env.CODENAME}}  -X github.com/containous/traefik/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/containous/traefik/v2/pkg/version.Version={{.Version}} -X github.com/containous/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/containous/traefik/v2/pkg/version.BuildDate={{.Date}}

    goos:
      - linux
@@ -40,16 +40,16 @@ builds:
 changelog:
  skip: true

-archive:
-  name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm
-    }}v{{ .Arm }}{{ end }}'
-  format: tar.gz
-  format_overrides:
-    - goos: windows
-      format: zip
-  files:
-    - LICENSE.md
-    - CHANGELOG.md
+archives:
+  - id: traefik
+    name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
+    format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - LICENSE.md
+      - CHANGELOG.md

 checksum:
  name_template: "{{ .ProjectName }}_v{{ .Version }}_checksums.txt"
--- a/.semaphoreci/golang.sh
+++ b/.semaphoreci/golang.sh
@@ -2,19 +2,19 @@

 set -e

-curl -O https://dl.google.com/go/go1.12.linux-amd64.tar.gz
+curl -O https://dl.google.com/go/go"${GO_VERSION}".linux-amd64.tar.gz

-tar -xvf go1.12.linux-amd64.tar.gz
-rm -rf go1.12.linux-amd64.tar.gz
+tar -xvf go"${GO_VERSION}".linux-amd64.tar.gz
+rm -rf go"${GO_VERSION}".linux-amd64.tar.gz

-sudo mkdir -p /usr/local/golang/1.12/go
-sudo mv go /usr/local/golang/1.12/
+sudo mkdir -p /usr/local/golang/"${GO_VERSION}"/go
+sudo mv go /usr/local/golang/"${GO_VERSION}"/

 sudo rm /usr/local/bin/go
-sudo chmod +x /usr/local/golang/1.12/go/bin/go
-sudo ln -s /usr/local/golang/1.12/go/bin/go /usr/local/bin/go
+sudo chmod +x /usr/local/golang/"${GO_VERSION}"/go/bin/go
+sudo ln -s /usr/local/golang/"${GO_VERSION}"/go/bin/go /usr/local/bin/go

-export GOROOT="/usr/local/golang/1.12/go"
-export GOTOOLDIR="/usr/local/golang/1.12/go/pkg/tool/linux_amd64"
+export GOROOT="/usr/local/golang/${GO_VERSION}/go"
+export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"

 go version
--- a/.semaphoreci/setup.sh
+++ b/.semaphoreci/setup.sh
@@ -1,17 +1,35 @@
-#!/usr/bin/env bash
-set -e
-
-export DOCKER_VERSION=17.03.1
-
-# shellcheck source=/dev/null
+# For personnal CI
+# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/containous/
+# cd /home/runner/workspace/src/github.com/containous/traefik/
+for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
+sudo swapoff -a
+sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
+sudo mkswap /swapfile
+sudo swapon /swapfile
+sudo rm -rf /home/runner/.rbenv
+sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
+#export DOCKER_VERSION=18.06.3
 source .semaphoreci/vars
-
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/"${PULL_REQUEST_NUMBER}".diff | patch --dry-run -p1 -R); fi
-
+if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
+echo ${SHOULD_TEST}
 if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
+echo ${TEMP_STORAGE}
+echo ${SHOULD_TEST}
+#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
+#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
+if [ -n "$SHOULD_TEST" ]; then docker version; fi
+export GO_VERSION=1.12
+if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
+#if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
+echo "Selected Go version: ${GO_VERSION}"

-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then export GOROOT="/usr/local/golang/${GO_VERSION}/go"; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"; fi
+go version

-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
+if [ -f "./go.mod" ]; then export GO111MODULE=on; fi
+if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
+if [ -f "./go.mod" ]; then go mod download; fi

-if [ -n "$SHOULD_TEST" ]; then  docker version; fi
+df
--- a/.semaphoreci/vars
+++ b/.semaphoreci/vars
@@ -10,7 +10,7 @@ else
  export VERSION=''
 fi

-export CODENAME=faisselle
+export CODENAME=montdor

 export N_MAKE_JOBS=2

--- a/.travis.yml
+++ b/.travis.yml
@@ -9,9 +9,10 @@ services:

 env:
  global:
-    - REPO: $TRAVIS_REPO_SLUG
-    - VERSION: $TRAVIS_TAG
-    - CODENAME: faisselle
+    - REPO=$TRAVIS_REPO_SLUG
+    - VERSION=$TRAVIS_TAG
+    - CODENAME=montdor
+    - GO111MODULE=on

 script:
 - echo "Skipping tests... (Tests are executed on SemaphoreCI)"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,165 @@
 # Change Log

+## [v2.0.0-rc3](https://github.com/containous/traefik/tree/v2.0.0-rc3) (2019-09-10)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc2...v2.0.0-rc3)
+
+**Enhancements:**
+- **[acme,api,tracing]** New API security ([#5311](https://github.com/containous/traefik/pull/5311) by [juliens](https://github.com/juliens))
+- **[authentication,middleware,k8s,k8s/crd]** Auth middlewares in kubernetes CRD use secrets ([#5299](https://github.com/containous/traefik/pull/5299) by [juliens](https://github.com/juliens))
+- **[logs]** Default to CLF when accesslog format is unsupported ([#5314](https://github.com/containous/traefik/pull/5314) by [mpl](https://github.com/mpl))
+- **[middleware,k8s,k8s/crd]** k8s ErrorPage middleware now uses k8s service ([#5339](https://github.com/containous/traefik/pull/5339) by [juliens](https://github.com/juliens))
+- **[webui]** Add more pages in the WebUI ([#5278](https://github.com/containous/traefik/pull/5278) by [Basgrani](https://github.com/Basgrani))
+
+**Bug fixes:**
+- **[api]** Add provider in middleware chain ([#5334](https://github.com/containous/traefik/pull/5334) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/crd]** fix: TLS domains with IngressRoute. ([#5327](https://github.com/containous/traefik/pull/5327) by [ldez](https://github.com/ldez))
+- **[middleware]** Improve rate limiter tests ([#5310](https://github.com/containous/traefik/pull/5310) by [mpl](https://github.com/mpl))
+- **[server]** Write HTTP server logs into the global logger. ([#5329](https://github.com/containous/traefik/pull/5329) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Misc documentation fixes ([#5307](https://github.com/containous/traefik/pull/5307) by [ldez](https://github.com/ldez))
+- misc documentation fixes ([#5302](https://github.com/containous/traefik/pull/5302) by [mpl](https://github.com/mpl))
+- Enhance the Retry Middleware Documentation ([#5298](https://github.com/containous/traefik/pull/5298) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Misc:**
+- Cherry pick v1.7 into v2.0 ([#5341](https://github.com/containous/traefik/pull/5341) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+## [v2.0.0-rc2](https://github.com/containous/traefik/tree/v2.0.0-rc2) (2019-09-03)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.0.0-rc2)
+
+**Enhancements:**
+- **[api]** Improve API for the web UI ([#5267](https://github.com/containous/traefik/pull/5267) by [ldez](https://github.com/ldez))
+- **[middleware,tracing]** Re enable ratelimit integration tests ([#5288](https://github.com/containous/traefik/pull/5288) by [mmatur](https://github.com/mmatur))
+- **[tracing]** Update Zipkin OpenTracing driver to latest 0.4.3 release ([#5283](https://github.com/containous/traefik/pull/5283) by [basvanbeek](https://github.com/basvanbeek))
+
+**Bug fixes:**
+- **[api]** Add errors about unknown entryPoint in runtime api ([#5265](https://github.com/containous/traefik/pull/5265) by [juliens](https://github.com/juliens))
+- **[metrics,tracing]** fix: Datadog case. ([#5272](https://github.com/containous/traefik/pull/5272) by [ldez](https://github.com/ldez))
+- **[middleware,k8s,k8s/crd]** The chain middleware in k8s use middlewareRef ([#5290](https://github.com/containous/traefik/pull/5290) by [juliens](https://github.com/juliens))
+- **[middleware]** Don&#39;t panic with undefined middleware ([#5289](https://github.com/containous/traefik/pull/5289) by [ldez](https://github.com/ldez))
+- **[middleware]** fix buffering middleware ([#5281](https://github.com/containous/traefik/pull/5281) by [ldez](https://github.com/ldez))
+- **[middleware]** fix: stripPrefix and stripPrefixRegex. ([#5291](https://github.com/containous/traefik/pull/5291) by [ldez](https://github.com/ldez))
+- **[service,websocket]** Fix recovered panic when websocket is mirrored ([#5255](https://github.com/containous/traefik/pull/5255) by [juliens](https://github.com/juliens))
+- **[webui]** Rest provider icon in the webui ([#5261](https://github.com/containous/traefik/pull/5261) by [mmatur](https://github.com/mmatur))
+- Fix trailing slash with check new version ([#5266](https://github.com/containous/traefik/pull/5266) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- **[middleware]** fix: stripPrefixRegex documentation. ([#5273](https://github.com/containous/traefik/pull/5273) by [ldez](https://github.com/ldez))
+- Fix some documentation issues ([#5286](https://github.com/containous/traefik/pull/5286) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Update restrictions in the documentation. ([#5270](https://github.com/containous/traefik/pull/5270) by [ldez](https://github.com/ldez))
+- Base of the migration guide ([#5263](https://github.com/containous/traefik/pull/5263) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+## [v2.0.0-rc1](https://github.com/containous/traefik/tree/v2.0.0-rc1) (2019-08-26)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-beta1...v2.0.0-rc1)
+
+**Enhancements:**
+- **[acme]** Improve acme logs. ([#5139](https://github.com/containous/traefik/pull/5139) by [ldez](https://github.com/ldez))
+- **[docker,k8s,k8s/crd,k8s/ingress]** chore: update docker and k8s ([#5174](https://github.com/containous/traefik/pull/5174) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd,k8s/ingress]** Correct Kubernetes Ingress and IngressRoute port heuristic for choosing HTTPS ([#5167](https://github.com/containous/traefik/pull/5167) by [seh](https://github.com/seh))
+- **[k8s,k8s/ingress]** Add TLS-enabled Router ([#5162](https://github.com/containous/traefik/pull/5162) by [dtomcej](https://github.com/dtomcej))
+- **[middleware,provider]** Add Feature-Policy header support ([#5156](https://github.com/containous/traefik/pull/5156) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** Add rate limiter, rename maxConn into inFlightReq ([#5246](https://github.com/containous/traefik/pull/5246) by [mpl](https://github.com/mpl))
+- **[server]** WeightedRoundRobin load balancer ([#5237](https://github.com/containous/traefik/pull/5237) by [juliens](https://github.com/juliens))
+- **[server]** Adds mirroring service ([#5251](https://github.com/containous/traefik/pull/5251) by [juliens](https://github.com/juliens))
+- **[server]** Add support proxyprotocol v2 ([#4755](https://github.com/containous/traefik/pull/4755) by [c0va23](https://github.com/c0va23))
+- **[webui]** Add a new dashboard page ([#5249](https://github.com/containous/traefik/pull/5249) by [Basgrani](https://github.com/Basgrani))
+- **[webui]** Add doc and version in navbar ([#5137](https://github.com/containous/traefik/pull/5137) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Use components to split Home concerns ([#5136](https://github.com/containous/traefik/pull/5136) by [Slashgear](https://github.com/Slashgear))
+- Bump x/sys to support Risc-V architecture ([#5245](https://github.com/containous/traefik/pull/5245) by [carlosedp](https://github.com/carlosedp))
+
+**Bug fixes:**
+- **[cli]** Apply the case of the CLI flags for the configuration ([#5153](https://github.com/containous/traefik/pull/5153) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[metrics]** Fix prometheus metrics ([#5152](https://github.com/containous/traefik/pull/5152) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Fix `url.Parse` due to go1.12.8 changes. ([#5207](https://github.com/containous/traefik/pull/5207) by [ldez](https://github.com/ldez))
+- Ensure WaitGroup.Done() is always called ([#5026](https://github.com/containous/traefik/pull/5026) by [bsdelf](https://github.com/bsdelf))
+
+**Documentation:**
+- **[acme,docker]** Add a docker-compose &amp; let&#39;s encrypt user-guide ([#5121](https://github.com/containous/traefik/pull/5121) by [pbenefice](https://github.com/pbenefice))
+- **[acme,docker]** Removed extra colon before the 8080 docker port ([#5209](https://github.com/containous/traefik/pull/5209) by [fairwood136](https://github.com/fairwood136))
+- **[acme,k8s/crd]** Fix: CRD user guide ([#5244](https://github.com/containous/traefik/pull/5244) by [ldez](https://github.com/ldez))
+- **[acme]** Fix acme example ([#5130](https://github.com/containous/traefik/pull/5130) by [jamct](https://github.com/jamct))
+- **[middleware]** docker-compose labels require $&#39;s to be escaped ([#5225](https://github.com/containous/traefik/pull/5225) by [Makeshift](https://github.com/Makeshift))
+- AML indent for domains under TLS documentation section ([#5173](https://github.com/containous/traefik/pull/5173) by [edvincent](https://github.com/edvincent))
+- Fix malformed rule ([#5133](https://github.com/containous/traefik/pull/5133) by [dtomcej](https://github.com/dtomcej))
+- doc: improve examples. ([#5132](https://github.com/containous/traefik/pull/5132) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- Cherry pick v1.7 into v2.0 ([#5192](https://github.com/containous/traefik/pull/5192) by [ldez](https://github.com/ldez))
+
+## [v1.7.14](https://github.com/containous/traefik/tree/v1.7.14) (2019-08-14)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.13...v1.7.14)
+
+**Bug fixes:**
+- Update to go1.12.8 ([#5201](https://github.com/containous/traefik/pull/5201) by [ldez](https://github.com/ldez)). HTTP/2 Denial of Service [CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) and [CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)
+- **[server]** Make hijackConnectionTracker.Close thread safe ([#5194](https://github.com/containous/traefik/pull/5194) by [jlevesy](https://github.com/jlevesy))
+
+## [v1.7.13](https://github.com/containous/traefik/tree/v1.7.13) (2019-08-07)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.12...v1.7.13)
+
+**Bug fixes:**
+- **[acme]** Update lego ([#5166](https://github.com/containous/traefik/pull/5166) by [dabeck](https://github.com/dabeck))
+- **[consulcatalog]** warning should not be a fail status ([#4537](https://github.com/containous/traefik/pull/4537) by [saez0pub](https://github.com/saez0pub))
+- **[docker]** Update docker api version ([#4909](https://github.com/containous/traefik/pull/4909) by [dtomcej](https://github.com/dtomcej))
+- **[dynamodb]** Use dynamodbav tags to override json tags. ([#5002](https://github.com/containous/traefik/pull/5002) by [ldez](https://github.com/ldez))
+- **[healthcheck]** Wrr loadbalancer honors old weight on recovered servers ([#5051](https://github.com/containous/traefik/pull/5051) by [DougWagner](https://github.com/DougWagner))
+- **[k8s]** Check for multiport services on Global Backend Ingress ([#5021](https://github.com/containous/traefik/pull/5021) by [dtomcej](https://github.com/dtomcej))
+- **[logs]** Allows logs to use local time zone instead of UTC ([#4954](https://github.com/containous/traefik/pull/4954) by [dduportal](https://github.com/dduportal))
+- **[middleware]** Clear TLS client headers if TLSMutualAuth is optional ([#4963](https://github.com/containous/traefik/pull/4963) by [stffabi](https://github.com/stffabi))
+- **[tls]** Add missing KeyUsages for default generated certificate ([#5150](https://github.com/containous/traefik/pull/5150) by [dtomcej](https://github.com/dtomcej))
+
+**Documentation:**
+- **[acme]** Fixed doc link for AlibabaCloud ([#5109](https://github.com/containous/traefik/pull/5109) by [ddymko](https://github.com/ddymko))
+- **[docker]** Add example for CLI ([#5131](https://github.com/containous/traefik/pull/5131) by [alvarezbruned](https://github.com/alvarezbruned))
+- **[docker]** Use the latest stable version of traefik in the docs ([#4927](https://github.com/containous/traefik/pull/4927) by [kolaente](https://github.com/kolaente))
+- **[logs]** Update documentation to clarify the default format for logs ([#4953](https://github.com/containous/traefik/pull/4953) by [dduportal](https://github.com/dduportal))
+- **[rancher]** Add remarks about Rancher 2 ([#4999](https://github.com/containous/traefik/pull/4999) by [ldez](https://github.com/ldez))
+- **[tls]** Fixes the TLS Mutual Authentication documentation ([#5085](https://github.com/containous/traefik/pull/5085) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Format YAML example on user guide ([#5067](https://github.com/containous/traefik/pull/5067) by [gurayyildirim](https://github.com/gurayyildirim))
+- Update Slack support channel references to Discourse community forum ([#5014](https://github.com/containous/traefik/pull/5014) by [dduportal](https://github.com/dduportal))
+- Updating Service Fabric documentation ([#5160](https://github.com/containous/traefik/pull/5160) by [gheibia](https://github.com/gheibia))
+- Improve API / Dashboard wording in documentation ([#4929](https://github.com/containous/traefik/pull/4929) by [dduportal](https://github.com/dduportal))
+
+## [v2.0.0-beta1](https://github.com/containous/traefik/tree/v2.0.0-beta1) (2019-07-19)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha8...v2.0.0-beta1)
+
+**Enhancements:**
+- **[acme]** Certificate resolvers. ([#5116](https://github.com/containous/traefik/pull/5116) by [ldez](https://github.com/ldez))
+- **[api,provider]** Enhance REST provider ([#5072](https://github.com/containous/traefik/pull/5072) by [dtomcej](https://github.com/dtomcej))
+- **[api]** Deal with multiple errors and their criticality ([#5070](https://github.com/containous/traefik/pull/5070) by [mpl](https://github.com/mpl))
+- **[api]** API: remove configuration of Entrypoint and Middlewares ([#5119](https://github.com/containous/traefik/pull/5119) by [mpl](https://github.com/mpl))
+- **[api]** Improve API endpoints ([#5080](https://github.com/containous/traefik/pull/5080) by [ldez](https://github.com/ldez))
+- **[api]** Manage status for TCP element in the endpoint overview. ([#5108](https://github.com/containous/traefik/pull/5108) by [ldez](https://github.com/ldez))
+- **[file]** Restrict traefik.toml to static configuration. ([#5090](https://github.com/containous/traefik/pull/5090) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd]** Add scheme to IngressRoute. ([#5062](https://github.com/containous/traefik/pull/5062) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/ingress]** Renamed `kubernetes` provider in `kubernetesIngress` provider ([#5068](https://github.com/containous/traefik/pull/5068) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[logs]** Improve error on router without service. ([#5126](https://github.com/containous/traefik/pull/5126) by [ldez](https://github.com/ldez))
+- **[metrics]** Add Metrics ([#5111](https://github.com/containous/traefik/pull/5111) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Disable RateLimit temporarily ([#5123](https://github.com/containous/traefik/pull/5123) by [juliens](https://github.com/juliens))
+- **[tls]** TLSOptions: handle conflict: same host name, different TLS options ([#5056](https://github.com/containous/traefik/pull/5056) by [mpl](https://github.com/mpl))
+- **[tls]** Expand Client Auth Type configuration ([#5078](https://github.com/containous/traefik/pull/5078) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[tracing]** Add Jaeger collector endpoint ([#5082](https://github.com/containous/traefik/pull/5082) by [rmfitzpatrick](https://github.com/rmfitzpatrick))
+- **[webui]** refactor(webui): use @vue/cli to bootstrap new ui ([#5091](https://github.com/containous/traefik/pull/5091) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** feat(webui/dashboard): init new dashboard ([#5105](https://github.com/containous/traefik/pull/5105) by [Slashgear](https://github.com/Slashgear))
+- Move dynamic config into a dedicated package. ([#5075](https://github.com/containous/traefik/pull/5075) by [ldez](https://github.com/ldez))
+
+**Bug fixes:**
+- **[file]** fix: TLS configuration from directory. ([#5118](https://github.com/containous/traefik/pull/5118) by [ldez](https://github.com/ldez))
+- **[middleware]** Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP ([#5012](https://github.com/containous/traefik/pull/5012) by [stffabi](https://github.com/stffabi))
+- **[middleware]** Properly add response headers for CORS ([#4857](https://github.com/containous/traefik/pull/4857) by [dtomcej](https://github.com/dtomcej))
+
+**Documentation:**
+- **[acme]** Lets encrypt documentation typo ([#5127](https://github.com/containous/traefik/pull/5127) by [juliens](https://github.com/juliens))
+- **[docker,marathon]** Update Dynamic Configuration Reference for both Docker and Marathon ([#5100](https://github.com/containous/traefik/pull/5100) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** Add documentation about Kubernetes Ingress provider ([#5112](https://github.com/containous/traefik/pull/5112) by [mpl](https://github.com/mpl))
+- **[k8s/crd]** user guide: fix a mistake in the deployment definition ([#5096](https://github.com/containous/traefik/pull/5096) by [ldez](https://github.com/ldez))
+- **[middleware]** Fixed a typo in label. ([#5128](https://github.com/containous/traefik/pull/5128) by [jamct](https://github.com/jamct))
+- **[provider]** Improve providers documentation. ([#5050](https://github.com/containous/traefik/pull/5050) by [ldez](https://github.com/ldez))
+- **[tracing]** Improve tracing documentation ([#5102](https://github.com/containous/traefik/pull/5102) by [mmatur](https://github.com/mmatur))
+- Add a basic Traefik install guide ([#5117](https://github.com/containous/traefik/pull/5117) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Misc:**
+- Cherry pick v1.7 into v2.0 ([#5115](https://github.com/containous/traefik/pull/5115) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
 ## [v2.0.0-alpha8](https://github.com/containous/traefik/tree/v2.0.0-alpha8) (2019-07-01)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha7...v2.0.0-alpha8)

@@ -113,7 +273,7 @@
 - **[api,authentication]** Remove authentication hashes from API ([#4918](https://github.com/containous/traefik/pull/4918) by [ldez](https://github.com/ldez))
 - **[consul]** Enhance KV logs. ([#4877](https://github.com/containous/traefik/pull/4877) by [ldez](https://github.com/ldez))
 - **[k8s]** Fix kubernetes template for backend responseforwarding flushinterval setting ([#4901](https://github.com/containous/traefik/pull/4901) by [ravilr](https://github.com/ravilr))
- **[metrics]** Upgraded DataDog tracing library to 1.13.0 ([#4878](https://github.com/containous/traefik/pull/4878) by [aantono](https://github.com/aantono))
+- **[metrics]** Upgraded Datadog tracing library to 1.13.0 ([#4878](https://github.com/containous/traefik/pull/4878) by [aantono](https://github.com/aantono))
 - **[server]** Add missing callback on close of hijacked connections ([#4900](https://github.com/containous/traefik/pull/4900) by [ravilr](https://github.com/ravilr))

 **Documentation:**
@@ -315,7 +475,7 @@
 - **[k8s/ingress]** Loop through service ports for global backend ([#4486](https://github.com/containous/traefik/pull/4486) by [dtomcej](https://github.com/dtomcej))
 - **[k8s]** Add entrypoints prefix in kubernetes frontend/backend id  ([#4679](https://github.com/containous/traefik/pull/4679) by [juliens](https://github.com/juliens))
 - **[websocket]** Exclude websocket connections from Average Response Time ([#4313](https://github.com/containous/traefik/pull/4313) by [siyu6974](https://github.com/siyu6974))
- **[middleware]** Added support for configuring trace headers for DataDog tracing ([#4516](https://github.com/containous/traefik/pull/4516) by [aantono](https://github.com/aantono))
+- **[middleware]** Added support for configuring trace headers for Datadog tracing ([#4516](https://github.com/containous/traefik/pull/4516) by [aantono](https://github.com/aantono))

 **Documentation:**
 - **[acme]** Add _FILE Environment Variable Documentation ([#4643](https://github.com/containous/traefik/pull/4643) by [dargmuesli](https://github.com/dargmuesli))
@@ -566,7 +726,7 @@
 - **[metrics]** Metrics: Add support for InfluxDB Database / RetentionPolicy and HTTP client ([#3391](https://github.com/containous/traefik/pull/3391) by [drewkerrigan](https://github.com/drewkerrigan))
 - **[middleware,consulcatalog,docker,ecs,kv,marathon,mesos,rancher]** Pass the TLS Cert infos in headers ([#3826](https://github.com/containous/traefik/pull/3826) by [jbdoumenjou](https://github.com/jbdoumenjou))
 - **[middleware,server]** Extreme Makeover: server refactoring ([#3461](https://github.com/containous/traefik/pull/3461) by [ldez](https://github.com/ldez))
- **[middleware,tracing]** Added integration support for DataDog APM Tracing ([#3517](https://github.com/containous/traefik/pull/3517) by [aantono](https://github.com/aantono))
+- **[middleware,tracing]** Added integration support for Datadog APM Tracing ([#3517](https://github.com/containous/traefik/pull/3517) by [aantono](https://github.com/aantono))
 - **[middleware,tracing]** Create a custom logger for jaeger ([#3541](https://github.com/containous/traefik/pull/3541) by [mmatur](https://github.com/mmatur))
 - **[middleware]** Performance enhancements for the rules matchers. ([#3563](https://github.com/containous/traefik/pull/3563) by [ShaneSaww](https://github.com/ShaneSaww))
 - **[middleware]** Extract internal router creation from server ([#3204](https://github.com/containous/traefik/pull/3204) by [Juliens](https://github.com/Juliens))
@@ -627,7 +787,7 @@
 - **[oxy]** Handle Te header when http2 ([#3824](https://github.com/containous/traefik/pull/3824) by [Juliens](https://github.com/Juliens))
 - **[server]** Avoid goroutine leak in server ([#3851](https://github.com/containous/traefik/pull/3851) by [nmengin](https://github.com/nmengin))
 - **[server]** Avoid panic during stop ([#3898](https://github.com/containous/traefik/pull/3898) by [nmengin](https://github.com/nmengin))
- **[tracing]** Added default configuration for DataDog APM Tracer ([#3655](https://github.com/containous/traefik/pull/3655) by [aantono](https://github.com/aantono))
+- **[tracing]** Added default configuration for Datadog APM Tracer ([#3655](https://github.com/containous/traefik/pull/3655) by [aantono](https://github.com/aantono))
 - **[tracing]** Added support for Trace name truncation for traces ([#3689](https://github.com/containous/traefik/pull/3689) by [aantono](https://github.com/aantono))
 - **[websocket]** Handle shutdown of Hijacked connections ([#3636](https://github.com/containous/traefik/pull/3636) by [Juliens](https://github.com/Juliens))
 - **[webui]** Added Dashboard table item for Rate Limits ([#3893](https://github.com/containous/traefik/pull/3893) by [codecyclist](https://github.com/codecyclist))
@@ -764,7 +924,7 @@
 - **[docker]** Uses both binded HostIP and HostPort when useBindPortIP=true ([#3638](https://github.com/containous/traefik/pull/3638) by [geraldcroes](https://github.com/geraldcroes))
 - **[k8s]** Fix Rewrite-target regex ([#3699](https://github.com/containous/traefik/pull/3699) by [dtomcej](https://github.com/dtomcej))
 - **[middleware]** Correct Entrypoint Redirect with Stripped or Added Path ([#3631](https://github.com/containous/traefik/pull/3631) by [dtomcej](https://github.com/dtomcej))
- **[tracing]** Added default configuration for DataDog APM Tracer ([#3655](https://github.com/containous/traefik/pull/3655) by [aantono](https://github.com/aantono))
+- **[tracing]** Added default configuration for Datadog APM Tracer ([#3655](https://github.com/containous/traefik/pull/3655) by [aantono](https://github.com/aantono))
 - **[tracing]** Added support for Trace name truncation for traces ([#3689](https://github.com/containous/traefik/pull/3689) by [aantono](https://github.com/aantono))
 - **[websocket]** Handle shutdown of Hijacked connections ([#3636](https://github.com/containous/traefik/pull/3636) by [Juliens](https://github.com/Juliens))
 - H2C: Remove buggy line in init to make verbose switch working ([#3701](https://github.com/containous/traefik/pull/3701) by [dduportal](https://github.com/dduportal))
@@ -860,7 +1020,7 @@
 - **[mesos]** Segments Labels: Mesos ([#3383](https://github.com/containous/traefik/pull/3383) by [drewkerrigan](https://github.com/drewkerrigan))
 - **[metrics]** Metrics: Add support for InfluxDB Database / RetentionPolicy and HTTP client ([#3391](https://github.com/containous/traefik/pull/3391) by [drewkerrigan](https://github.com/drewkerrigan))
 - **[middleware,server]** Extreme Makeover: server refactoring ([#3461](https://github.com/containous/traefik/pull/3461) by [ldez](https://github.com/ldez))
- **[middleware,tracing]** Added integration support for DataDog APM Tracing ([#3517](https://github.com/containous/traefik/pull/3517) by [aantono](https://github.com/aantono))
+- **[middleware,tracing]** Added integration support for Datadog APM Tracing ([#3517](https://github.com/containous/traefik/pull/3517) by [aantono](https://github.com/aantono))
 - **[middleware,tracing]** Create a custom logger for jaeger ([#3541](https://github.com/containous/traefik/pull/3541) by [mmatur](https://github.com/mmatur))
 - **[middleware]** Performance enhancements for the rules matchers. ([#3563](https://github.com/containous/traefik/pull/3563) by [ShaneSaww](https://github.com/ShaneSaww))
 - **[middleware]** Extract internal router creation from server ([#3204](https://github.com/containous/traefik/pull/3204) by [Juliens](https://github.com/Juliens))
@@ -1038,7 +1198,7 @@
 - **[metrics]** Added entrypoint metrics to influxdb ([#2992](https://github.com/containous/traefik/pull/2992) by [adityacs](https://github.com/adityacs))
 - **[metrics]** Remove unnecessary conversion ([#2850](https://github.com/containous/traefik/pull/2850) by [ferhatelmas](https://github.com/ferhatelmas))
 - **[metrics]** Extend metrics and rebuild prometheus exporting logic ([#2567](https://github.com/containous/traefik/pull/2567) by [marco-jantke](https://github.com/marco-jantke))
- **[metrics]** Added missing metrics to registry for DataDog and StatsD ([#2890](https://github.com/containous/traefik/pull/2890) by [aantono](https://github.com/aantono))
+- **[metrics]** Added missing metrics to registry for Datadog and StatsD ([#2890](https://github.com/containous/traefik/pull/2890) by [aantono](https://github.com/aantono))
 - **[middleware,consul,consulcatalog,docker,ecs,k8s,marathon,mesos,rancher]** New option in secure middleware ([#2958](https://github.com/containous/traefik/pull/2958) by [mmatur](https://github.com/mmatur))
 - **[middleware,consulcatalog,docker,ecs,k8s,kv,marathon,mesos,rancher]** Ability to use &#34;X-Forwarded-For&#34; as a source of IP for white list. ([#3070](https://github.com/containous/traefik/pull/3070) by [ldez](https://github.com/ldez))
 - **[middleware,docker]** Use pointer of error pages ([#2607](https://github.com/containous/traefik/pull/2607) by [ldez](https://github.com/ldez))
@@ -1290,7 +1450,7 @@
 - **[mesos]** Add all available labels to Mesos Backend  ([#2687](https://github.com/containous/traefik/pull/2687) by [ldez](https://github.com/ldez))
 - **[metrics]** Added entrypoint metrics to influxdb ([#2992](https://github.com/containous/traefik/pull/2992) by [adityacs](https://github.com/adityacs))
 - **[metrics]** Extend metrics and rebuild prometheus exporting logic ([#2567](https://github.com/containous/traefik/pull/2567) by [marco-jantke](https://github.com/marco-jantke))
- **[metrics]** Added missing metrics to registry for DataDog and StatsD ([#2890](https://github.com/containous/traefik/pull/2890) by [aantono](https://github.com/aantono))
+- **[metrics]** Added missing metrics to registry for Datadog and StatsD ([#2890](https://github.com/containous/traefik/pull/2890) by [aantono](https://github.com/aantono))
 - **[metrics]** Remove unnecessary conversion ([#2850](https://github.com/containous/traefik/pull/2850) by [ferhatelmas](https://github.com/ferhatelmas))
 - **[middleware,consul,consulcatalog,docker,ecs,k8s,marathon,mesos,rancher]** New option in secure middleware ([#2958](https://github.com/containous/traefik/pull/2958) by [mmatur](https://github.com/mmatur))
 - **[middleware,consulcatalog,docker,ecs,k8s,kv,marathon,mesos,rancher]** Ability to use &#34;X-Forwarded-For&#34; as a source of IP for white list. ([#3070](https://github.com/containous/traefik/pull/3070) by [ldez](https://github.com/ldez))
@@ -1911,12 +2071,12 @@
 - **[marathon]** Add support for readiness checks. ([#1883](https://github.com/containous/traefik/pull/1883) by [timoreimann](https://github.com/timoreimann))
 - **[marathon]** Move marathon mock ([#1732](https://github.com/containous/traefik/pull/1732) by [ldez](https://github.com/ldez))
 - **[marathon]** Use single API call to fetch Marathon resources. ([#1815](https://github.com/containous/traefik/pull/1815) by [timoreimann](https://github.com/timoreimann))
- **[metrics]** Added RetryMetrics to DataDog and StatsD providers ([#1884](https://github.com/containous/traefik/pull/1884) by [aantono](https://github.com/aantono))
+- **[metrics]** Added RetryMetrics to Datadog and StatsD providers ([#1884](https://github.com/containous/traefik/pull/1884) by [aantono](https://github.com/aantono))
 - **[metrics]** Extract metrics to own package and refactor implementations ([#1968](https://github.com/containous/traefik/pull/1968) by [marco-jantke](https://github.com/marco-jantke))
 - **[metrics]** Add metrics for backend_retries_total ([#1504](https://github.com/containous/traefik/pull/1504) by [marco-jantke](https://github.com/marco-jantke))
 - **[metrics]** Add status code to request duration metric ([#1755](https://github.com/containous/traefik/pull/1755) by [marco-jantke](https://github.com/marco-jantke))
 - **[middleware]** Add trusted whitelist proxy protocol ([#2234](https://github.com/containous/traefik/pull/2234) by [emilevauge](https://github.com/emilevauge)))
- **[metrics]** DataDog and StatsD Metrics Support ([#1701](https://github.com/containous/traefik/pull/1701) by [aantono](https://github.com/aantono))
+- **[metrics]** Datadog and StatsD Metrics Support ([#1701](https://github.com/containous/traefik/pull/1701) by [aantono](https://github.com/aantono))
 - **[middleware]** Create Header Middleware ([#1236](https://github.com/containous/traefik/pull/1236) by [dtomcej](https://github.com/dtomcej))
 - **[middleware]** Add configurable timeouts and curate default timeout settings ([#1873](https://github.com/containous/traefik/pull/1873) by [marco-jantke](https://github.com/marco-jantke))
 - **[middleware]** Fix command bug content. ([#2002](https://github.com/containous/traefik/pull/2002) by [ldez](https://github.com/ldez))
@@ -2222,11 +2382,11 @@
 - **[marathon]** Move marathon mock ([#1732](https://github.com/containous/traefik/pull/1732) by [ldez](https://github.com/ldez))
 - **[marathon]** Support multi-port service routing for containers running on Marathon ([#1742](https://github.com/containous/traefik/pull/1742) by [aantono](https://github.com/aantono))
 - **[marathon]** Use test builder. ([#1871](https://github.com/containous/traefik/pull/1871) by [timoreimann](https://github.com/timoreimann))
- **[metrics]** DataDog and StatsD Metrics Support ([#1701](https://github.com/containous/traefik/pull/1701) by [aantono](https://github.com/aantono))
+- **[metrics]** Datadog and StatsD Metrics Support ([#1701](https://github.com/containous/traefik/pull/1701) by [aantono](https://github.com/aantono))
 - **[metrics]** Add status code to request duration metric ([#1755](https://github.com/containous/traefik/pull/1755) by [marco-jantke](https://github.com/marco-jantke))
 - **[metrics]** Add metrics for backend_retries_total ([#1504](https://github.com/containous/traefik/pull/1504) by [marco-jantke](https://github.com/marco-jantke))
 - **[metrics]** Extract metrics to own package and refactor implementations ([#1968](https://github.com/containous/traefik/pull/1968) by [marco-jantke](https://github.com/marco-jantke))
- **[metrics]** Added RetryMetrics to DataDog and StatsD providers ([#1884](https://github.com/containous/traefik/pull/1884) by [aantono](https://github.com/aantono))
+- **[metrics]** Added RetryMetrics to Datadog and StatsD providers ([#1884](https://github.com/containous/traefik/pull/1884) by [aantono](https://github.com/aantono))
 - **[middleware]** Return 503 on empty backend ([#1748](https://github.com/containous/traefik/pull/1748) by [marco-jantke](https://github.com/marco-jantke))
 - **[middleware]** Add configurable timeouts and curate default timeout settings ([#1873](https://github.com/containous/traefik/pull/1873) by [marco-jantke](https://github.com/marco-jantke))
 - **[middleware]** Custom Error Pages ([#1675](https://github.com/containous/traefik/pull/1675) by [bparli](https://github.com/bparli))
--- a/Gopkg.lock
+++ b/Gopkg.lock
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -1,284 +0,0 @@
-# Gopkg.toml example
-#
-# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
-# for detailed Gopkg.toml documentation.
-#
-# required = ["github.com/user/thing/cmd/thing"]
-# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
-#
-# [[constraint]]
-#   name = "github.com/user/project"
-#   version = "1.0.0"
-#
-# [[constraint]]
-#   name = "github.com/user/project2"
-#   branch = "dev"
-#   source = "github.com/myfork/project2"
-#
-# [[override]]
-#  name = "github.com/x/y"
-#  version = "2.4.0"
-
-required = [
-  "k8s.io/code-generator/cmd/client-gen",
-  "k8s.io/code-generator/cmd/deepcopy-gen",
-  "k8s.io/code-generator/cmd/defaulter-gen",
-  "k8s.io/code-generator/cmd/lister-gen",
-  "k8s.io/code-generator/cmd/informer-gen",
-]
-
-[prune]
-  non-go = true
-  go-tests = true
-  unused-packages = true
-  [[prune.project]]
-    name = "k8s.io/code-generator"
-    non-go = false
-    unused-packages = false
-
-#[[constraint]]
-#  branch = "master"
-#  name = "github.com/ArthurHlt/go-eureka-client"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/BurntSushi/toml"
-
-#[[constraint]]
-#  branch = "master"
-#  name = "github.com/BurntSushi/ty"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/NYTimes/gziphandler"
-
-[[constraint]]
-  branch = "containous-fork"
-  name = "github.com/abbot/go-http-auth"
-  source = "github.com/containous/go-http-auth"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/armon/go-proxyproto"
-
-#[[constraint]]
-#  name = "github.com/aws/aws-sdk-go"
-#  version = "1.13.11"
-
-[[constraint]]
-  name = "github.com/cenkalti/backoff"
-  version = "2.1.1"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/containous/mux"
-
-[[constraint]]
-  branch = "containous-fork"
-  name = "github.com/containous/alice"
-
-#[[constraint]]
-#  name = "github.com/thoas/stats"
-#  # related to https://github.com/thoas/stats/pull/32
-#  revision = "4975baf6a358ed3ddaa42133996e1959f96c9300"
-
-[[constraint]]
-  name = "github.com/coreos/go-systemd"
-  version = "14.0.0"
-
-#[[constraint]]
-#  branch = "master"
-#  name = "github.com/docker/leadership"
-#  source = "github.com/containous/leadership"
-
-[[constraint]]
-  name = "github.com/eapache/channels"
-  version = "1.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/elazarl/go-bindata-assetfs"
-
-[[constraint]]
-  branch = "fork-containous"
-  name = "github.com/go-check/check"
-  source = "github.com/containous/check"
-
-[[override]]
-  branch = "fork-containous"
-  name = "github.com/go-check/check"
-  source = "github.com/containous/check"
-
-[[constraint]]
-  name = "github.com/go-kit/kit"
-  version = "0.7.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/gorilla/websocket"
-
-#[[constraint]]
-#  name = "github.com/hashicorp/consul"
-#  version = "1.0.6"
-
-[[constraint]]
-  name = "github.com/influxdata/influxdb"
-  version = "1.3.7"
-
-#[[constraint]]
-#  branch = "master"
-#  name = "github.com/jjcollinge/servicefabric"
-
-#[[constraint]]
-#  branch = "master"
-#  name = "github.com/abronan/valkeyrie"
-
-#[[constraint]]
-#  name = "github.com/mesosphere/mesos-dns"
-#  source = "https://github.com/containous/mesos-dns.git"
-
-[[constraint]]
-  name = "github.com/opentracing/opentracing-go"
-  version = "1.0.2"
-
-[[constraint]]
-  branch = "containous-fork"
-  name = "github.com/rancher/go-rancher-metadata"
-  source = "github.com/containous/go-rancher-metadata"
-
-[[constraint]]
-  name = "github.com/Masterminds/sprig"
-  version = "2.19.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/stvp/go-udp-testing"
-
-[[constraint]]
-  name = "github.com/stretchr/testify"
-  version = "1.2.1"
-
-[[constraint]]
-  name = "github.com/uber/jaeger-client-go"
-  source = "github.com/jaegertracing/jaeger-client-go"
-  version = "2.16.0"
-
-[[constraint]]
-  name = "github.com/uber/jaeger-lib"
-  source = "github.com/jaegertracing/jaeger-lib"
-  version = "2.0.0"
-
-[[constraint]]
-  branch = "v1"
-  name = "github.com/unrolled/secure"
-
-[[constraint]]
-  name = "github.com/vdemeester/shakers"
-  version = "0.1.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/vulcand/oxy"
-
-[[constraint]]
-  name = "github.com/go-acme/lego"
-  version = "2.6.0"
-
-[[constraint]]
-  name = "google.golang.org/grpc"
-  version = "1.13.0"
-
-[[override]]
-  name = "golang.org/x/sys"
-  revision = "1c9583448a9c3aa0f9a6a5241bf73c0bd8aafded"
-
-[[constraint]]
-  name = "github.com/golang/protobuf"
-  version = "v1.3.0"
-
-[[constraint]]
-  name = "gopkg.in/fsnotify.v1"
-  source = "github.com/fsnotify/fsnotify"
-  version = "1.4.2"
-
-[[constraint]]
-  name = "k8s.io/client-go"
-  version = "8.0.0" # 8.0.0
-
-[[constraint]]
-  name = "k8s.io/code-generator"
-  version = "kubernetes-1.11.7"
-
-[[constraint]]
-  name = "k8s.io/api"
-  version = "kubernetes-1.11.7" # "kubernetes-1.11.7"
-
-[[constraint]]
-  name = "k8s.io/apimachinery"
-  version = "kubernetes-1.11.7" # "kubernetes-1.11.7"
-
-[[override]]
-  name = "github.com/json-iterator/go"
-  version = "1.1.6"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/docker"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/docker-check"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/libkermit/compose"
-
-[[constraint]]
- name = "github.com/docker/docker"
- revision = "7848b8beb9d38a98a78b75f78e05f8d2255f9dfe"
-
-[[override]]
- name = "github.com/docker/docker"
- revision = "7848b8beb9d38a98a78b75f78e05f8d2255f9dfe"
-
-[[override]]
- name = "github.com/docker/cli"
- revision = "6b63d7b96a41055baddc3fa71f381c7f60bd5d8e"
-
-[[override]]
- name = "github.com/docker/distribution"
- revision = "edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c"
-
-[[override]]
-  branch = "master"
-  name = "github.com/docker/libcompose"
-
-[[override]]
-  name = "github.com/Nvveen/Gotty"
-  revision = "a8b993ba6abdb0e0c12b0125c603323a71c7790c"
-  source = "github.com/ijc25/Gotty"
-
-[[override]]
-  # ALWAYS keep this override
-  name = "github.com/mailgun/timetools"
-  revision = "7e6055773c5137efbeb3bd2410d705fe10ab6bfd"
-
-[[override]]
-  version = "v1.1.1"
-  name = "github.com/miekg/dns"
-
-[[constraint]]
-  name = "github.com/patrickmn/go-cache"
-  version = "2.1.0"
-
-[[constraint]]
-  name = "gopkg.in/DataDog/dd-trace-go.v1"
-  version = "1.13.0"
-
-[[constraint]]
-  name = "github.com/instana/go-sensor"
-  version = "1.4.12"
-
-[[constraint]]
-  name = "github.com/ExpediaDotCom/haystack-client-go"
-  version = "0.2.3"
--- a/13
+++ b/13
@@ -58,7 +58,7 @@ build-webui-image:
 generate-webui: build-webui-image
 	if [ ! -d "static" ]; then \
 		mkdir -p static; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build; \
+		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
 		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
 	fi
@@ -128,15 +128,6 @@ docs-serve:
 generate-crd:
 	./script/update-generated-crd-code.sh

-## Download dependencies
-dep-ensure:
-	dep ensure -v
-	./script/prune-dep.sh
-
-## Clean vendor directory
-dep-prune:
-	./script/prune-dep.sh
-
 ## Create packages for the release
 release-packages: generate-webui build-dev-image
 	rm -rf dist
@@ -156,5 +147,5 @@ fmt:

 run-dev:
 	go generate
-	go build ./cmd/traefik
+	GO111MODULE=on go build ./cmd/traefik
 	./traefik
--- a/README.md
+++ b/README.md
@@ -90,8 +90,7 @@ To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.

 You can access the simple HTML frontend of Traefik.

-![Web UI Providers](docs/content/assets/img/dashboard-main.png)
-![Web UI Health](docs/content/assets/img/dashboard-health.png)
+![Web UI Providers](docs/content/assets/img/webui-dashboard.png)

 ## Documentation

--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,35 +1,37 @@
-FROM golang:1.12-alpine
+FROM golang:1.13-alpine

 RUN apk --update upgrade \
    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
    && update-ca-certificates \
    && rm -rf /var/cache/apk/*

-# Download golangci-lint and misspell binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.15.0 \
-    && go get github.com/client9/misspell/cmd/misspell
-
-# Download goreleaser binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
-
 # Which docker version to test on
-ARG DOCKER_VERSION=17.03.2
-ARG DEP_VERSION=0.5.0
+ARG DOCKER_VERSION=18.09.7
+
+# Download docker
+RUN mkdir -p /usr/local/bin \
+    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
+    | tar -xzC /usr/local/bin --transform 's#^.+/##x'

 # Download go-bindata binary to bin folder in $GOPATH
 RUN mkdir -p /usr/local/bin \
    && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
    && chmod +x /usr/local/bin/go-bindata

-# Download dep binary to bin folder in $GOPATH
-RUN mkdir -p /usr/local/bin \
-    && curl -fsSL -o /usr/local/bin/dep https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 \
-    && chmod +x /usr/local/bin/dep
+# Download golangci-lint binary to bin folder in $GOPATH
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.18.0

-# Download docker
-RUN mkdir -p /usr/local/bin \
-    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}-ce.tgz \
-    | tar -xzC /usr/local/bin --transform 's#^.+/##x'
+# Download golangci-lint and misspell binary to bin folder in $GOPATH
+RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell
+
+# Download goreleaser binary to bin folder in $GOPATH
+RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh

 WORKDIR /go/src/github.com/containous/traefik
+
+# Download go modules
+COPY go.mod .
+COPY go.sum .
+RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
+
 COPY . /go/src/github.com/containous/traefik
--- a/cmd/configuration.go
+++ b/cmd/configuration.go
@@ -3,8 +3,8 @@ package cmd
 import (
 	"time"

-	"github.com/containous/traefik/pkg/config/static"
-	"github.com/containous/traefik/pkg/types"
+	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/containous/traefik/v2/pkg/types"
 )

 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -7,8 +7,8 @@ import (
 	"os"
 	"time"

-	"github.com/containous/traefik/pkg/cli"
-	"github.com/containous/traefik/pkg/config/static"
+	"github.com/containous/traefik/v2/pkg/cli"
+	"github.com/containous/traefik/v2/pkg/config/static"
 )

 // NewCmd builds a new HealthCheck command.
@@ -24,7 +24,7 @@ func NewCmd(traefikConfiguration *static.Configuration, loaders []cli.ResourceLo

 func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
 	return func(_ []string) error {
-		traefikConfiguration.SetEffectiveConfiguration("")
+		traefikConfiguration.SetEffectiveConfiguration()

 		resp, errPing := Do(*traefikConfiguration)
 		if resp != nil {
@@ -51,7 +51,7 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 		return nil, errors.New("please enable `ping` to use health check")
 	}

-	pingEntryPoint, ok := staticConfiguration.EntryPoints[staticConfiguration.Ping.EntryPoint]
+	pingEntryPoint, ok := staticConfiguration.EntryPoints["traefik"]
 	if !ok {
 		return nil, errors.New("missing `ping` entrypoint")
 	}
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -11,35 +11,28 @@ import (
 	"strings"
 	"time"

-	"github.com/containous/traefik/autogen/genstatic"
-	"github.com/containous/traefik/cmd"
-	"github.com/containous/traefik/cmd/healthcheck"
-	cmdVersion "github.com/containous/traefik/cmd/version"
-	"github.com/containous/traefik/pkg/cli"
-	"github.com/containous/traefik/pkg/collector"
-	"github.com/containous/traefik/pkg/config"
-	"github.com/containous/traefik/pkg/config/static"
-	"github.com/containous/traefik/pkg/log"
-	"github.com/containous/traefik/pkg/provider/aggregator"
-	"github.com/containous/traefik/pkg/safe"
-	"github.com/containous/traefik/pkg/server"
-	"github.com/containous/traefik/pkg/server/router"
-	traefiktls "github.com/containous/traefik/pkg/tls"
-	"github.com/containous/traefik/pkg/version"
+	"github.com/containous/traefik/v2/autogen/genstatic"
+	"github.com/containous/traefik/v2/cmd"
+	"github.com/containous/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/containous/traefik/v2/cmd/version"
+	"github.com/containous/traefik/v2/pkg/cli"
+	"github.com/containous/traefik/v2/pkg/collector"
+	"github.com/containous/traefik/v2/pkg/config/dynamic"
+	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/containous/traefik/v2/pkg/log"
+	"github.com/containous/traefik/v2/pkg/provider/acme"
+	"github.com/containous/traefik/v2/pkg/provider/aggregator"
+	"github.com/containous/traefik/v2/pkg/safe"
+	"github.com/containous/traefik/v2/pkg/server"
+	"github.com/containous/traefik/v2/pkg/server/router"
+	traefiktls "github.com/containous/traefik/v2/pkg/tls"
+	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/sirupsen/logrus"
 	"github.com/vulcand/oxy/roundrobin"
 )

-func init() {
-	goDebug := os.Getenv("GODEBUG")
-	if len(goDebug) > 0 {
-		goDebug += ","
-	}
-	os.Setenv("GODEBUG", goDebug+"tls13=1")
-}
-
 func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()
@@ -53,7 +46,7 @@ Complete documentation is available at https://traefik.io`,
 		Configuration: tConfig,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			return runCmd(&tConfig.Configuration, cli.GetConfigFile(loaders))
+			return runCmd(&tConfig.Configuration)
 		},
 	}

@@ -78,7 +71,7 @@ Complete documentation is available at https://traefik.io`,
 	os.Exit(0)
 }

-func runCmd(staticConfiguration *static.Configuration, configFile string) error {
+func runCmd(staticConfiguration *static.Configuration) error {
 	configureLogging(staticConfiguration)

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
@@ -87,8 +80,10 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 		log.WithoutContext().Errorf("Could not set roundrobin default weight: %v", err)
 	}

-	staticConfiguration.SetEffectiveConfiguration(configFile)
-	staticConfiguration.ValidateConfiguration()
+	staticConfiguration.SetEffectiveConfiguration()
+	if err := staticConfiguration.ValidateConfiguration(); err != nil {
+		return err
+	}

 	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)

@@ -112,15 +107,9 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error

 	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)

-	acmeProvider, err := staticConfiguration.InitACMEProvider()
-	if err != nil {
-		log.WithoutContext().Errorf("Unable to initialize ACME provider: %v", err)
-	} else if acmeProvider != nil {
-		if err := providerAggregator.AddProvider(acmeProvider); err != nil {
-			log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
-			acmeProvider = nil
-		}
-	}
+	tlsManager := traefiktls.NewManager()
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)

 	serverEntryPointsTCP := make(server.TCPEntryPoints)
 	for entryPointName, config := range staticConfiguration.EntryPoints {
@@ -129,27 +118,31 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 		if err != nil {
 			return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
 		}
-		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProvider)
+		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProviders)

 	}

-	tlsManager := traefiktls.NewManager()
-
-	if acmeProvider != nil {
-		acmeProvider.SetTLSManager(tlsManager)
-		if acmeProvider.TLSChallenge != nil &&
-			acmeProvider.HTTPChallenge == nil &&
-			acmeProvider.DNSChallenge == nil {
-			tlsManager.TLSAlpnGetter = acmeProvider.GetTLSALPNCertificate
-		}
-	}
-
 	svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)

-	if acmeProvider != nil && acmeProvider.OnHostRule {
-		acmeProvider.SetConfigListenerChan(make(chan config.Configuration))
-		svr.AddListener(acmeProvider.ListenConfiguration)
+	resolverNames := map[string]struct{}{}
+
+	for _, p := range acmeProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		svr.AddListener(p.ListenConfiguration)
 	}
+
+	svr.AddListener(func(config dynamic.Configuration) {
+		for rtName, rt := range config.HTTP.Routers {
+			if rt.TLS == nil || rt.TLS.CertResolver == "" {
+				continue
+			}
+
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+			}
+		}
+	})
+
 	ctx := cmd.ContextWithSignal(context.Background())

 	if staticConfiguration.Ping != nil {
@@ -196,6 +189,40 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 	return nil
 }

+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
+	challengeStore := acme.NewLocalChallengeStore()
+	localStores := map[string]*acme.LocalStore{}
+
+	var resolvers []*acme.Provider
+	for name, resolver := range c.CertificatesResolvers {
+		if resolver.ACME != nil {
+			if localStores[resolver.ACME.Storage] == nil {
+				localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+			}
+
+			p := &acme.Provider{
+				Configuration:  resolver.ACME,
+				Store:          localStores[resolver.ACME.Storage],
+				ChallengeStore: challengeStore,
+				ResolverName:   name,
+			}
+
+			if err := providerAggregator.AddProvider(p); err != nil {
+				log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
+				continue
+			}
+			p.SetTLSManager(tlsManager)
+			if p.TLSChallenge != nil {
+				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
+			}
+			p.SetConfigListenerChan(make(chan dynamic.Configuration))
+			resolvers = append(resolvers, p)
+		}
+	}
+	return resolvers
+}
+
 func configureLogging(staticConfiguration *static.Configuration) {
 	// configure default log flags
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
@@ -272,14 +299,14 @@ You haven't specified the sendAnonymousUsage option, it will be enabled by defau
 Stats collection is enabled.
 Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
 Help us improve Traefik by leaving this feature on :)
-More details on: https://docs.traefik.io/basics/#collected-data
+More details on: https://docs.traefik.io/v2.0/contributing/data-collection/
 `)
 		collect(staticConfiguration)
 	} else {
 		log.WithoutContext().Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/basics/#collected-data
+More details on: https://docs.traefik.io/v2.0/contributing/data-collection/
 `)
 	}
 }
--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -7,8 +7,8 @@ import (
 	"runtime"
 	"text/template"

-	"github.com/containous/traefik/pkg/cli"
-	"github.com/containous/traefik/pkg/version"
+	"github.com/containous/traefik/v2/pkg/cli"
+	"github.com/containous/traefik/v2/pkg/version"
 )

 var versionTemplate = `Version:      {{.Version}}
--- a/docs/content/assets/img/dashboard-health.png
+++ b/docs/content/assets/img/dashboard-health.png
--- a/docs/content/assets/img/dashboard-main.png
+++ b/docs/content/assets/img/dashboard-main.png
--- a/docs/content/assets/img/middleware/maxconnection.png
+++ b/docs/content/assets/img/middleware/maxconnection.png
--- a/docs/content/assets/img/middleware/ratelimit.png
+++ b/docs/content/assets/img/middleware/ratelimit.png
--- a/docs/content/assets/img/webui-dashboard.png
+++ b/docs/content/assets/img/webui-dashboard.png
--- a/docs/content/assets/styles/extra.css
+++ b/docs/content/assets/styles/extra.css
@@ -34,6 +34,10 @@ h3 {
    font-weight: bold !important;
 }

+.md-typeset h5 {
+    text-transform: none;
+}
+
 figcaption {
    text-align: center;
    font-size: 0.8em;
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -28,7 +28,7 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.12-alpine
+Step 1/10 : FROM golang:1.13-alpine
 ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
@@ -58,7 +58,10 @@ PRE_TARGET= make test-unit

 ### Method 2: Using `go`

-You need `go` v1.12+.
+Requirements:
+
+- `go` v1.13+
+- environment variable `GO111MODULE=on`

 !!! tip "Source Directory"

@@ -100,7 +103,7 @@ Beforehand, you need to get `go-bindata` (the first time) in order to be able to
 cd ~/go/src/github.com/containous/traefik

 # Get go-bindata. (Important: the ellipses are required.)
-go get github.com/containous/go-bindata/...
+GO111MODULE=off go get github.com/containous/go-bindata/...

 # Let's build

@@ -118,29 +121,6 @@ You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/con

 If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.

-### Setting up dependency management
-
-The [dep](https://github.com/golang/dep) command is not required for building;
-however, it is necessary if you need to update the dependencies (i.e., add, update, or remove third-party packages).
-
-You need [dep](https://github.com/golang/dep) >= 0.5.0.
-
-If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).
-
-A following `make dep-prune` run should be triggered to trim down the size of the vendor folder.
-The final result must be committed into VCS.
-
-Here's a full example using dep to add a new dependency:
-
-```bash
-# install the new main dependency github.com/foo/bar and minimize vendor size
-$ dep ensure -add github.com/foo/bar
-# generate (Only required to integrate other components such as web dashboard)
-$ go generate
-# Standard go build
-$ go build ./cmd/traefik
-```
-
 ## Testing

 ### Method 1: `Docker` and `make`
--- a/docs/content/contributing/data-collection.md
+++ b/docs/content/contributing/data-collection.md
@@ -9,22 +9,27 @@ Understanding how you use Traefik is very important to us: it helps us improve t
 For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.

 !!! warning
-    During the alpha stage only, leaving this option unset will not prevent Traefik from running but will generate an error log indicating that it enables data collection by default.
+    Before the GA, leaving this option unset will not prevent Traefik from running but will generate an error log indicating that it enables data collection by default.

-??? example "Enabling Data Collection with TOML"
-
-    ```toml
+!!! example "Enabling Data Collection"
+    
+    ```toml tab="File (TOML)"
    [global]
      # Send anonymous usage data
      sendAnonymousUsage = true
    ```
-
-??? example "Enabling Data Collection with the CLI"
-
-    ```bash
-    ./traefik --sendAnonymousUsage=true
+    
+    ```yaml tab="File (YAML)"
+    global:
+      # Send anonymous usage data
+      sendAnonymousUsage: true
    ```
    
+    ```bash tab="CLI"
+    # Send anonymous usage data
+    --global.sendAnonymousUsage
+    ```
+
 ## Collected Data

 This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -0,0 +1,70 @@
+# Install Traefik
+
+You can install Traefik with the following flavors:
+
+* [Use the official Docker image](./#use-the-official-docker-image)
+* [Use the binary distribution](./#use-the-binary-distribution)
+* [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
+
+## Use the Official Docker Image
+
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml):
+
+```shell
+docker run -d -p 8080:8080 -p 80:80 \
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0
+```
+
+For more details, go to the [Docker provider documentation](../providers/docker.md)
+
+!!! tip
+
+    * Prefer a fixed version than the latest that could be an unexpected version.
+    ex: `traefik:v2.0.0`
+    * Docker images comes in 2 flavors: scratch based or alpine based.
+    * All the orchestrator using docker images could fetch the official Traefik docker image.
+
+## Use the Binary Distribution
+
+Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
+
+??? tip "Check the integrity of the downloaded file"
+
+    ```bash tab="Linux"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    sha256sum ./traefik_${traefik_version}_linux_${arch}.tar.gz
+    ```
+
+    ```bash tab="macOS"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    shasum -a256 ./traefik_${traefik_version}_darwin_amd64.tar.gz
+    ```
+
+    ```powershell tab="Windows PowerShell"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    Get-FileHash ./traefik_${traefik_version}_windows_${arch}.zip -Algorithm SHA256
+    ```
+
+??? tip "Extract the downloaded archive"
+
+    ```bash tab="Linux"
+    tar -zxvf traefik_${traefik_version}_linux_${arch}.tar.gz
+    ```
+
+    ```bash tab="macOS"
+    tar -zxvf ./traefik_${traefik_version}_darwin_amd64.tar.gz
+    ```
+
+    ```powershell tab="Windows PowerShell"
+    Expand-Archive traefik_${traefik_version}_windows_${arch}.zip
+    ```
+
+And run it:
+
+```bash
+./traefik --help
+```
+
+## Compile your Binary from the Sources
+
+All the details are available in the [Contributing Guide](../contributing/building-testing.md)
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -11,84 +11,49 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 ## Configuration Examples

 ??? example "Enabling ACME"
-
-    ```toml tab="TOML"
+    
+    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"
    
-      [entryPoints.http-tls]
+      [entryPoints.web-secure]
        address = ":443"
    
-    # every router with TLS enabled will now be able to use ACME for its certificates
-    [acme]
+    [certificatesResolvers.sample.acme]
      email = "your-email@your-domain.org"
      storage = "acme.json"
-      # dynamic generation based on the Host() & HostSNI() matchers
-      onHostRule = true
      [acme.httpChallenge]
        # used during the challenge
        entryPoint = "web"
    ```
    
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
    entryPoints:
      web:
        address: ":80"
    
-      http-tls:
+      web-secure:
        address: ":443"
    
-    # every router with TLS enabled will now be able to use ACME for its certificates
-    acme:
-      email: your-email@your-domain.org
-      storage: acme.json
-      # dynamic generation based on the Host() & HostSNI() matchers
-      onHostRule: true
-      httpChallenge:
-        # used during the challenge
-        entryPoint: web
-    ```
-
-??? example "Configuring Wildcard Certificates"
-    
-    ```toml tab="TOML"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-      [entryPoints.http-tls]
-        address = ":443"
-    
-    [acme]
-      email = "your-email@your-domain.org"
-      storage = "acme.json"
-      [acme.dnsChallenge]
-        provider = "xxx"
-    
-      [[acme.domains]]
-        main = "*.mydomain.com"
-        sans = ["mydomain.com"]
+    certificatesResolvers:
+      sample:
+        acme:
+          email: your-email@your-domain.org
+          storage: acme.json
+          httpChallenge:
+            # used during the challenge
+            entryPoint: web
    ```
    
-    ```yaml tab="YAML"
-    entryPoints:
-      web:
-        address: ":80"
-    
-      http-tls:
-        address: ":443"
-    
-    acme:
-      email: your-email@your-domain.org
-      storage: acme.json
-      dnsChallenge:
-        provide: xxx
-    
-      domains:
-        - main: "*.mydomain.com"
-          sans:
-            - mydomain.com
+    ```bash tab="CLI"
+    --entryPoints.web.address=":80"
+    --entryPoints.websecure.address=":443"
+    # ...
+    --certificatesResolvers.sample.acme.email: your-email@your-domain.org
+    --certificatesResolvers.sample.acme.storage: acme.json
+    # used during the challenge
+    --certificatesResolvers.sample.acme.httpChallenge.entryPoint: web
    ```

 ??? note "Configuration Reference"
@@ -96,13 +61,17 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
    There are many available options for ACME.
    For a quick glance at what's possible, browse the configuration reference:
    
-    ```toml tab="TOML"
+    ```toml tab="File (TOML)"
    --8<-- "content/https/ref-acme.toml"
    ```
    
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
    --8<-- "content/https/ref-acme.yaml"
    ```
+    
+    ```bash tab="CLI"
+    --8<-- "content/https/ref-acme.txt"
+    ```

 ## Automatic Renewals

@@ -124,37 +93,69 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry

 ??? example "Configuring the `tlsChallenge`"

-    ```toml tab="TOML"
-    [acme]
-      [acme.tlsChallenge]
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.sample.acme]
+      # ...
+      [certificatesResolvers.sample.acme.tlsChallenge]
    ```

-    ```yaml tab="YAML"
-    acme:
-      tlsChallenge: {}
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      sample:
+        acme:
+          # ...
+          tlsChallenge: {}
    ```
    
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.sample.acme.tlsChallenge=true
+    ```
+
 ### `httpChallenge`

 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.

 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.

 ??? example "Using an EntryPoint Called http for the `httpChallenge`"

-    ```toml tab="TOML"
-    [acme]
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      
+      [entryPoints.web-secure]
+        address = ":443"
+    
+    [certificatesResolvers.sample.acme]
      # ...
-      [acme.httpChallenge]
-        entryPoint = "http"
+      [certificatesResolvers.sample.acme.httpChallenge]
+        entryPoint = "web"
    ```

-    ```yaml tab="YAML"
-    acme:
-      # ...
-      httpChallenge:
-        entryPoint: http
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+    
+      web-secure:
+        address: ":443"
+    
+    certificatesResolvers:
+      sample:
+        acme:
+          # ...
+          httpChallenge:
+            entryPoint: web
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=":80"
+    --entryPoints.websecure.address=":443"
+    # ...
+    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
    ```

 !!! note
@@ -166,21 +167,30 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni

 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"

-    ```toml tab="TOML"
-    [acme]
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.sample.acme]
      # ...
-      [acme.dnsChallenge]
+      [certificatesResolvers.sample.acme.dnsChallenge]
        provider = "digitalocean"
        delayBeforeCheck = 0
    # ...
    ```
    
-    ```yaml tab="YAML"
-    acme:
-      # ...
-      dnsChallenge:
-        provider: digitalocean
-        delayBeforeCheck: 0
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      sample:
+        acme:
+          # ...
+          dnsChallenge:
+            provider: digitalocean
+            delayBeforeCheck: 0
+        # ...
+    ```
+    
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
    # ...
    ```

@@ -199,9 +209,10 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
-| [Alibaba Cloud](https://www.vultr.com)                      | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
+| [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
 | [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
+| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
 | [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
 | [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key`                                               | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
@@ -215,6 +226,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
 | [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
 | [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
+| [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
 | External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
 | [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
 | [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/fastdns)      |
@@ -227,13 +239,15 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
+| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
 | [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
-| manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>.                 |                                                                                               |
+| manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
 | [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
+| [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
 | [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
@@ -250,6 +264,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
+| [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
 | [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
 | [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
@@ -268,22 +283,29 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used

 Use custom DNS servers to resolve the FQDN authority.

-```toml tab="TOML"
-[acme]
+```toml tab="File (TOML)"
+[certificatesResolvers.sample.acme]
  # ...
-  [acme.dnsChallenge]
+  [certificatesResolvers.sample.acme.dnsChallenge]
    # ...
    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
 ```

-```yaml tab="YAML"
-acme:
-  # ...
-  dnsChallenge:
-    # ...
-    resolvers:
-    - "1.1.1.1:53"
-    - "8.8.8.8:53"
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  sample:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        resolvers:
+        - "1.1.1.1:53"
+        - "8.8.8.8:53"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesResolvers.sample.acme.dnsChallenge.resolvers:="1.1.1.1:53,8.8.8.8:53"
 ```

 #### Wildcard Domains
@@ -291,140 +313,56 @@ acme:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).

-```toml tab="TOML"
-[acme]
-  # ...
-  [[acme.domains]]
-    main = "*.local1.com"
-    sans = ["local1.com"]
-
-# ...
-```
-
-```yaml tab="YAML"
-acme:
-  # ...
-  domains:
-    - main: "*.local1.com"
-      sans:
-      - local1.com
-
-# ...
-```
-
-!!! note "Double Wildcard Certificates"
-    It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
-
-Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
-In this case the generated DNS TXT record for both domains is the same.
-Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
-it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
-
-The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
-The [Supported `provider` table](#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
-
-## Known Domains, SANs
-
-You can set SANs (alternative domains) for each main domain.
-Every domain must have A/AAAA records pointing to Traefik.
-Each domain & SAN will lead to a certificate request.
-
-```toml tab="TOML"
-[acme]
-  # ...
-  [[acme.domains]]
-    main = "local1.com"
-    sans = ["test1.local1.com", "test2.local1.com"]
-  [[acme.domains]]
-    main = "local2.com"
-  [[acme.domains]]
-    main = "*.local3.com"
-    sans = ["local3.com", "test1.test1.local3.com"]
-# ...
-```
-
-```yaml tab="YAML"
-acme:
-  # ...
-  domains:
-    - main: "local1.com"
-      sans:
-      - "test1.local1.com"
-      - "test2.local1.com"
-    - main: "local2.com"
-    - main: "*.local3.com"
-      sans:
-      - "local3.com"
-      - "test1.test1.local3.com"
-# ...
-```
-
-!!! important
-    The certificates for the domains listed in `acme.domains` are negotiated at Traefik startup only.
-
-!!! note
-    Wildcard certificates can only be verified through a `DNS-01` challenge.
-
 ## `caServer`

 ??? example "Using the Let's Encrypt staging server"

-    ```toml tab="TOML"
-    [acme]
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.sample.acme]
      # ...
      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
      # ...
    ```
    
-    ```yaml tab="YAML"
-    acme:
-      # ...
-      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
-      # ...
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      sample:
+        acme:
+          # ...
+          caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+          # ...
    ```

-## `onHostRule`
-
-Enable certificate generation on [routers](../routing/routers/index.md) `Host` & `HostSNI` rules.
-
-This will request a certificate from Let's Encrypt for each router with a Host rule.
-
-```toml tab="TOML"
-[acme]
-  # ...
-  onHostRule = true
-  # ...
-```
-
-```yaml tab="YAML"
-acme:
-  # ...
-  onHostRule: true
-  # ...
-```
-
-!!! note "Multiple Hosts in a Rule"
-    The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
-
-!!! warning
-    `onHostRule` option can not be used to generate wildcard certificates. Refer to [wildcard generation](#wildcard-domains) for further information.
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+    # ...
+    ```

 ## `storage`

 The `storage` option sets the location where your ACME certificates are saved to.

-```toml tab="TOML"
-[acme]
+```toml tab="File (TOML)"
+[certificatesResolvers.sample.acme]
  # ...
  storage = "acme.json"
  # ...
 ```

-```yaml tab="YAML"
-acme
-  # ...
-  storage: acme.json
-  # ...
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  sample:
+    acme:
+      # ...
+      storage: acme.json
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesResolvers.sample.acme.storage=acme.json
+# ...
 ```

 The value can refer to some kinds of storage:
--- a/docs/content/https/ref-acme.toml
+++ b/docs/content/https/ref-acme.toml
@@ -1,123 +1,89 @@
 # Enable ACME (Let's Encrypt): automatic SSL.
-[acme]
+[certificatesResolvers.sample.acme]

-# Email address used for registration.
-#
-# Required
-#
-email = "test@traefik.io"
-
-# File or key used for certificates storage.
-#
-# Required
-#
-storage = "acme.json"
-
-# If true, display debug log messages from the acme client library.
-#
-# Optional
-# Default: false
-#
-# acmeLogging = true
-
-# If true, override certificates in key-value store when using storeconfig.
-#
-# Optional
-# Default: false
-#
-# overrideCertificates = true
-
-# Enable certificate generation on routers host rules.
-#
-# Optional
-# Default: false
-#
-# onHostRule = true
-
-# CA server to use.
-# Uncomment the line to use Let's Encrypt's staging server,
-# leave commented to go to prod.
-#
-# Optional
-# Default: "https://acme-v02.api.letsencrypt.org/directory"
-#
-# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-
-# KeyType to use.
-#
-# Optional
-# Default: "RSA4096"
-#
-# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
-#
-# KeyType = "RSA4096"
-
-# Use a TLS-ALPN-01 ACME challenge.
-#
-# Optional (but recommended)
-#
-[acme.tlsChallenge]
-
-# Use a HTTP-01 ACME challenge.
-#
-# Optional
-#
-# [acme.httpChallenge]
-
-  # EntryPoint to use for the HTTP-01 challenges.
+  # Email address used for registration.
  #
  # Required
  #
-  # entryPoint = "web"
+  email = "test@traefik.io"

-# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
-# Note: mandatory for wildcard certificate generation.
-#
-# Optional
-#
-# [acme.dnsChallenge]
-
-  # DNS provider used.
+  # File or key used for certificates storage.
  #
  # Required
  #
-  # provider = "digitalocean"
+  storage = "acme.json"

-  # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
-  # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
-  # Useful if internal networks block external DNS queries.
+  # CA server to use.
+  # Uncomment the line to use Let's Encrypt's staging server,
+  # leave commented to go to prod.
  #
  # Optional
-  # Default: 0
+  # Default: "https://acme-v02.api.letsencrypt.org/directory"
  #
-  # delayBeforeCheck = 0
+  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

-  # Use following DNS servers to resolve the FQDN authority.
+  # KeyType to use.
  #
  # Optional
-  # Default: empty
+  # Default: "RSA4096"
  #
-  # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+  # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+  #
+  # keyType = "RSA4096"

-  # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+  # Use a TLS-ALPN-01 ACME challenge.
  #
-  # NOT RECOMMENDED:
-  # Increase the risk of reaching Let's Encrypt's rate limits.
+  # Optional (but recommended)
+  #
+  [certificatesResolvers.sample.acme.tlsChallenge]
+
+  # Use a HTTP-01 ACME challenge.
  #
  # Optional
-  # Default: false
  #
-  # disablePropagationCheck = true
+  # [certificatesResolvers.sample.acme.httpChallenge]

-# Domains list.
-# Only domains defined here can generate wildcard certificates.
-# The certificates for these domains are negotiated at traefik startup only.
-#
-# [[acme.domains]]
-#   main = "local1.com"
-#   sans = ["test1.local1.com", "test2.local1.com"]
-# [[acme.domains]]
-#   main = "local2.com"
-# [[acme.domains]]
-#   main = "*.local3.com"
-#   sans = ["local3.com", "test1.test1.local3.com"]
+    # EntryPoint to use for the HTTP-01 challenges.
+    #
+    # Required
+    #
+    # entryPoint = "web"
+
+  # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+  # Note: mandatory for wildcard certificate generation.
+  #
+  # Optional
+  #
+  # [certificatesResolvers.sample.acme.dnsChallenge]
+
+    # DNS provider used.
+    #
+    # Required
+    #
+    # provider = "digitalocean"
+
+    # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+    # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+    # Useful if internal networks block external DNS queries.
+    #
+    # Optional
+    # Default: 0
+    #
+    # delayBeforeCheck = 0
+
+    # Use following DNS servers to resolve the FQDN authority.
+    #
+    # Optional
+    # Default: empty
+    #
+    # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+
+    # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+    #
+    # NOT RECOMMENDED:
+    # Increase the risk of reaching Let's Encrypt's rate limits.
+    #
+    # Optional
+    # Default: false
+    #
+    # disablePropagationCheck = true
--- a/docs/content/https/ref-acme.txt
+++ b/docs/content/https/ref-acme.txt
@@ -0,0 +1,88 @@
+# Enable ACME (Let's Encrypt): automatic SSL.
+
+# Email address used for registration.
+#
+# Required
+#
+--certificatesResolvers.sample.acme.email="test@traefik.io"
+
+# File or key used for certificates storage.
+#
+# Required
+#
+--certificatesResolvers.sample.acme.storage="acme.json"
+
+# CA server to use.
+# Uncomment the line to use Let's Encrypt's staging server,
+# leave commented to go to prod.
+#
+# Optional
+# Default: "https://acme-v02.api.letsencrypt.org/directory"
+#
+--certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+# KeyType to use.
+#
+# Optional
+# Default: "RSA4096"
+#
+# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+#
+--certificatesResolvers.sample.acme.keyType=RSA4096
+
+# Use a TLS-ALPN-01 ACME challenge.
+#
+# Optional (but recommended)
+#
+--certificatesResolvers.sample.acme.tlsChallenge=true
+
+# Use a HTTP-01 ACME challenge.
+#
+# Optional
+#
+--certificatesResolvers.sample.acme.httpChallenge=true
+
+# EntryPoint to use for the HTTP-01 challenges.
+#
+# Required
+#
+--certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+
+# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+# Note: mandatory for wildcard certificate generation.
+#
+# Optional
+#
+--certificatesResolvers.sample.acme.dnsChallenge=true
+
+# DNS provider used.
+#
+# Required
+#
+--certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+
+# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+# Useful if internal networks block external DNS queries.
+#
+# Optional
+# Default: 0
+#
+--certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+
+# Use following DNS servers to resolve the FQDN authority.
+#
+# Optional
+# Default: empty
+#
+--certificatesResolvers.sample.acme.dnsChallenge.resolvers="1.1.1.1:53,8.8.8.8:53"
+
+# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+#
+# NOT RECOMMENDED:
+# Increase the risk of reaching Let's Encrypt's rate limits.
+#
+# Optional
+# Default: false
+#
+--certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
--- a/docs/content/https/ref-acme.yaml
+++ b/docs/content/https/ref-acme.yaml
@@ -1,127 +1,93 @@
-# Enable ACME (Let's Encrypt): automatic SSL.
-acme:
+certificatesResolvers:
+  sample:
+    # Enable ACME (Let's Encrypt): automatic SSL.
+    acme:

-  # Email address used for registration.
-  #
-  # Required
-  #
-  email: "test@traefik.io"
+      # Email address used for registration.
+      #
+      # Required
+      #
+      email: "test@traefik.io"

-  # File or key used for certificates storage.
-  #
-  # Required
-  #
-  storage: "acme.json"
+      # File or key used for certificates storage.
+      #
+      # Required
+      #
+      storage: "acme.json"

-  # If true, display debug log messages from the acme client library.
-  #
-  # Optional
-  # Default: false
-  #
-  # acmeLogging: true
+      # CA server to use.
+      # Uncomment the line to use Let's Encrypt's staging server,
+      # leave commented to go to prod.
+      #
+      # Optional
+      # Default: "https://acme-v02.api.letsencrypt.org/directory"
+      #
+      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

-  # If true, override certificates in key-value store when using storeconfig.
-  #
-  # Optional
-  # Default: false
-  #
-  # overrideCertificates: true
+      # KeyType to use.
+      #
+      # Optional
+      # Default: "RSA4096"
+      #
+      # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+      #
+      # keyType: RSA4096

-  # Enable certificate generation on routers host rules.
-  #
-  # Optional
-  # Default: false
-  #
-  # onHostRule: true
+      # Use a TLS-ALPN-01 ACME challenge.
+      #
+      # Optional (but recommended)
+      #
+      tlsChallenge:

-  # CA server to use.
-  # Uncomment the line to use Let's Encrypt's staging server,
-  # leave commented to go to prod.
-  #
-  # Optional
-  # Default: "https://acme-v02.api.letsencrypt.org/directory"
-  #
-  # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      # Use a HTTP-01 ACME challenge.
+      #
+      # Optional
+      #
+      # httpChallenge:

-  # KeyType to use.
-  #
-  # Optional
-  # Default: "RSA4096"
-  #
-  # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
-  #
-  # KeyType: RSA4096
+        # EntryPoint to use for the HTTP-01 challenges.
+        #
+        # Required
+        #
+        # entryPoint: web

-  # Use a TLS-ALPN-01 ACME challenge.
-  #
-  # Optional (but recommended)
-  #
-  tlsChallenge:
+      # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+      # Note: mandatory for wildcard certificate generation.
+      #
+      # Optional
+      #
+      # dnsChallenge:

-  # Use a HTTP-01 ACME challenge.
-  #
-  # Optional
-  #
-  # httpChallenge:
+        # DNS provider used.
+        #
+        # Required
+        #
+        # provider: digitalocean

-    # EntryPoint to use for the HTTP-01 challenges.
-    #
-    # Required
-    #
-    # entryPoint: web
+        # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+        # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+        # Useful if internal networks block external DNS queries.
+        #
+        # Optional
+        # Default: 0
+        #
+        # delayBeforeCheck: 0

-  # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
-  # Note: mandatory for wildcard certificate generation.
-  #
-  # Optional
-  #
-  # dnsChallenge:
+        # Use following DNS servers to resolve the FQDN authority.
+        #
+        # Optional
+        # Default: empty
+        #
+        # resolvers
+        # - "1.1.1.1:53"
+        # - "8.8.8.8:53"

-    # DNS provider used.
-    #
-    # Required
-    #
-    # provider: digitalocean
-
-    # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
-    # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
-    # Useful if internal networks block external DNS queries.
-    #
-    # Optional
-    # Default: 0
-    #
-    # delayBeforeCheck: 0
-
-    # Use following DNS servers to resolve the FQDN authority.
-    #
-    # Optional
-    # Default: empty
-    #
-    # resolvers
-    # - "1.1.1.1:53"
-    # - "8.8.8.8:53"
-
-    # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
-    #
-    # NOT RECOMMENDED:
-    # Increase the risk of reaching Let's Encrypt's rate limits.
-    #
-    # Optional
-    # Default: false
-    #
-    # disablePropagationCheck: true
-
-  # Domains list.
-  # Only domains defined here can generate wildcard certificates.
-  # The certificates for these domains are negotiated at traefik startup only.
-  #
-  # domains:
-  # - main: "local1.com"
-  #   sans:
-  #   - "test1.local1.com"
-  #   - "test2.local1.com"
-  # - main: "local2.com"
-  # - main: "*.local3.com"
-  #   sans:
-  #   - "local3.com"
-  #   - "test1.test1.local3.com"
+        # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+        #
+        # NOT RECOMMENDED:
+        # Increase the risk of reaching Let's Encrypt's rate limits.
+        #
+        # Optional
+        # Default: false
+        #
+        # disablePropagationCheck: true
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -35,7 +35,7 @@ tls:
 !!! important "File Provider Only"

    In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
-    In its current alpha version, it is the only available method to configure the certificates (as well as the options and the stores).
+    It is the only available method to configure the certificates (as well as the options and the stores).

 ## Certificates Stores

@@ -52,9 +52,9 @@ tls:
    default: {}
 ```

-!!! important "Alpha restriction"
+!!! important "Restriction"

-    During the alpha version, any store definition other than the default one (named `default`) will be ignored,
+    Any store definition other than the default one (named `default`) will be ignored,
    and there is thefore only one globally available TLS store.

 In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
@@ -85,9 +85,9 @@ tls:
    keyFile: /path/to/other-domain.key
 ```

-!!! important "Alpha restriction"
+!!! important "Restriction"

-    During the alpha version, the `stores` list will actually be ignored and automatically set to `["default"]`.
+    The `stores` list will actually be ignored and automatically set to `["default"]`.

 ### Default Certificate

@@ -139,35 +139,39 @@ tls:
      minVersion: VersionTLS13
 ```

-### Mutual Authentication
+### Client Authentication (mTLS)

-Traefik supports both optional and strict (which is the default) mutual authentication, though the `ClientCA.files` section.
-If present, connections from clients without a certificate will be rejected.
+Traefik supports mutual authentication, through the `clientAuth` section.

-For clients with a certificate, the `optional` option governs the behaviour as follows:
+For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
+ 
+The `clientAuth.clientAuthType` option governs the behaviour as follows:

- When `optional = false`, Traefik accepts connections only from clients presenting a certificate signed by a CA listed in `ClientCA.files`.
- When `optional = true`, Traefik authorizes connections from clients presenting a certificate signed by an unknown CA.
+- `NoClientCert`: disregards any client certificate.
+- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
+- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
+- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`. 

 ```toml tab="TOML"
 [tls.options]
  [tls.options.default]
-    [tls.options.default.clientCA]
+    [tls.options.default.clientAuth]
      # in PEM format. each file can contain multiple CAs.
-      files = ["tests/clientca1.crt", "tests/clientca2.crt"]
-      optional = false
+      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+      clientAuthType = "RequireAndVerifyClientCert"
 ```

 ```yaml tab="YAML"
 tls:
  options:
    default:
-      clientCA:
+      clientAuth:
        # in PEM format. each file can contain multiple CAs.
-        files:
+        caFiles:
        - tests/clientca1.crt
        - tests/clientca2.crt
-        optional: false
+        clientAuthType: RequireAndVerifyClientCert
 ```

 ### Cipher Suites
--- a/docs/content/includes/more-on-entrypoints.md
+++ b/docs/content/includes/more-on-entrypoints.md
@@ -1,2 +1,2 @@
-!!! info "More On Entrypoints"
-    Learn more about entrypoints and their configuration options in the dedicated section.
+!!! info "More On Entry Points"
+    Learn more about entry points and their configuration options in the dedicated section.
--- a/docs/content/middlewares/addprefix.md
+++ b/docs/content/middlewares/addprefix.md
@@ -38,13 +38,22 @@ labels:
 - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Prefixing with /foo
 [http.middlewares]
  [http.middlewares.add-foo.addPrefix]
    prefix = "/foo"
 ```

+```yaml tab="File (YAML)"
+# Prefixing with /foo
+http:
+  middlewares:
+    add-foo:
+      addPrefix:
+        prefix: "/foo"
+```
+
 ## Configuration Options

 ### `prefix`
--- a/docs/content/middlewares/basicauth.md
+++ b/docs/content/middlewares/basicauth.md
@@ -16,7 +16,7 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
 labels:
-  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```

 ```yaml tab="Kubernetes"
@@ -27,9 +27,7 @@ metadata:
  name: test-auth
 spec:
  basicAuth:
-    users:
-    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
-    - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
+    secret: secretName
 ```

 ```json tab="Marathon"
@@ -41,10 +39,10 @@ spec:
 ```yaml tab="Rancher"
 # Declaring the user list
 labels:
-  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Declaring the user list
 [http.middlewares]
  [http.middlewares.test-auth.basicAuth]
@@ -54,6 +52,17 @@ labels:
  ]
 ```

+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        users:
+        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ## Configuration Options

 ### General
@@ -70,7 +79,74 @@ The `users` option is an array of authorized users. Each user will be declared u

 !!! Note
    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+```yaml tab="Docker"
+# Declaring the user list
+#
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Kubernetes"
+# Declaring the user list
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    users = [
+      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        users:
+        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```

 ### `usersFile`

@@ -78,6 +154,63 @@ The `usersFile` option is the path to an external file that contains the authori

 The file content is a list of `name:encoded-password`.

+!!! Note
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        usersFile: "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"

    ```txt
@@ -85,21 +218,57 @@ The file content is a list of `name:encoded-password`.
    test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
    ```

-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
 ### `realm`

 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 

+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    realm: MyRealm
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    realm = "MyRealm"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        realm: "MyRealm"
+```
+
 ### `headerField`

-You can customize the header field for the authenticated user using the `headerField`option.
+You can define a header field to store the authenticated user using the `headerField`option.

 ```yaml tab="Docker"
 labels:
-  - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
+- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```

 ```yaml tab="Kubernetes"
@@ -119,12 +288,61 @@ spec:
 }
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 [http.middlewares.my-auth.basicAuth]
  # ...
  headerField = "X-WebAuth-User"
 ```

+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    my-auth:
+      basicAuth:
+        # ...
+        headerField: "X-WebAuth-User"
+```
+
 ### `removeHeader`

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    removeHeader: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    removeHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        removeHeader: true
+```
--- a/docs/content/middlewares/buffering.md
+++ b/docs/content/middlewares/buffering.md
@@ -42,13 +42,22 @@ labels:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Sets the maximum request body to 2Mb
 [http.middlewares]
  [http.middlewares.limit.buffering]
    maxRequestBodyBytes = 250000
 ```

+```yaml tab="File (YAML)"
+# Sets the maximum request body to 2Mb
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxRequestBodyBytes: 250000
+```
+
 ## Configuration Options

 ### `maxRequestBodyBytes`
@@ -77,7 +86,7 @@ You can have the Buffering middleware replay the request with the help of the `r

 !!! example "Retries once in case of a network error"
    
-    ```
+    ```toml
    retryExpression = "IsNetworkError() && Attempts() < 2"
    ```
    
--- a/docs/content/middlewares/chain.md
+++ b/docs/content/middlewares/chain.md
@@ -51,9 +51,9 @@ metadata:
 spec:
  chain:
    middlewares:
-    - https-only
-    - known-ips
-    - auth-users
+    - name: https-only
+    - name: known-ips
+    - name: auth-users
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
@@ -108,7 +108,7 @@ labels:
 - "http.services.service1.loadbalancer.server.port=80"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # ...    
 [http.routers]
  [http.routers.router1]
@@ -135,3 +135,43 @@ labels:
      [[http.services.service1.loadBalancer.servers]]
        url = "http://127.0.0.1:80"
 ```
+
+```yaml tab="File (YAML)"
+# ...    
+http:
+  routers:
+    router1:
+      service: service1
+      middlewares:
+      - secured
+      rule: "Host(`mydomain`)"
+
+  middlewares:
+    secured:
+      chain:
+        middlewares:
+        - https-only
+        - known-ips
+        - auth-users
+
+    auth-users:
+      basicAuth:
+        users:
+        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+
+    https-only:
+      redirectScheme:
+        scheme: https
+
+    known-ips:
+      ipWhiteList:
+        sourceRange:
+        - "192.168.1.7"
+        - "127.0.0.1/32"
+
+  services:
+    service1:
+      loadBalancer:
+        servers:
+        - url: "http://127.0.0.1:80"
+```
--- a/docs/content/middlewares/circuitbreaker.md
+++ b/docs/content/middlewares/circuitbreaker.md
@@ -52,13 +52,22 @@ labels:
 - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Latency Check
 [http.middlewares]
  [http.middlewares.latency-check.circuitBreaker]
    expression = "LatencyAtQuantileMS(50.0) > 100"
 ```

+```yaml tab="File (YAML)"
+# Latency Check
+http:
+  middlewares:
+    latency-check:
+      circuitBreaker:
+        expression: "LatencyAtQuantileMS(50.0) > 100"
+```
+
 ## Possible States

 There are three possible states for your circuit breaker:
@@ -123,7 +132,7 @@ For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the c

 !!! Note

-    You must provide a float number (with the leading .0) for the quantile value
+    You must provide a float number (with the trailing .0) for the quantile value
 
 #### Using multiple metrics

@@ -144,7 +153,6 @@ Here is the list of supported operators:
 - Greater or equal than (`>=`)
 - Lesser than (`<`)
 - Lesser or equal than (`<=`)
- Not (`!`)
 - Equal (`==`)
 - Not Equal (`!=`)
 
--- a/docs/content/middlewares/compress.md
+++ b/docs/content/middlewares/compress.md
@@ -37,16 +37,24 @@ labels:
 - "traefik.http.middlewares.test-compress.compress=true"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Enable gzip compression
 [http.middlewares]
  [http.middlewares.test-compress.compress]
 ```

+```yaml tab="File (YAML)"
+# Enable gzip compression
+http:
+  middlewares:
+    test-compress:
+      compress: {}
+```
+
 ## Notes

 Responses are compressed when:

-* The response body is larger than `512` bytes.
+* The response body is larger than `1400` bytes.
 * The `Accept-Encoding` request header contains `gzip`.
 * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
--- a/docs/content/middlewares/digestauth.md
+++ b/docs/content/middlewares/digestauth.md
@@ -10,6 +10,7 @@ The DigestAuth middleware is a quick way to restrict access to your services to
 ## Configuration Examples

 ```yaml tab="Docker"
+# Declaring the user list
 labels:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
@@ -22,9 +23,82 @@ metadata:
  name: test-auth
 spec:
  digestAuth:
-    users:
-    - test:traefik:a2688e031edb4be6a3797f3882655c05
-    - test2:traefik:518845800f9e2bfb1f1f740ec24f074e
+    secret: userssecret
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        users:
+        - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+        - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+## Configuration Options
+
+!!! tip 
+   
+    Use `htdigest` to generate passwords.
+
+### `users`
+
+The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
+
+!!! Note
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```

 ```json tab="Marathon"
@@ -38,7 +112,7 @@ labels:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.test-auth.digestAuth]
    users = [
@@ -47,19 +121,15 @@ labels:
    ]
 ```

-!!! tip 
-   
-    Use `htdigest` to generate passwords.
-
-## Configuration Options
-
-### `users`
-
-The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
-
-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        users:
+        - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+        - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```

 ### `usersFile`

@@ -67,6 +137,63 @@ The `usersFile` option is the path to an external file that contains the authori

 The file content is a list of `name:realm:encoded-password`.

+!!! Note
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        usersFile: "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"

    ```txt
@@ -74,20 +201,54 @@ The file content is a list of `name:realm:encoded-password`.
    test2:traefik:518845800f9e2bfb1f1f740ec24f074e
    ```

-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
 ### `realm`

 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 

+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    realm: MyRealm
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    realm = "MyRealm"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        realm: "MyRealm"
+```
+
 ### `headerField`

 You can customize the header field for the authenticated user using the `headerField`option.

-Example "File -- Passing Authenticated User to Services Via Headers"
-
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
@@ -115,12 +276,61 @@ labels:
 }
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 [http.middlewares.my-auth.digestAuth]
  # ...
  headerField = "X-WebAuth-User"
 ```

+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    my-auth:
+      digestAuth:
+        # ...
+        headerField: "X-WebAuth-User"
+```
+
 ### `removeHeader`

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    removeHeader: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    removeHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        removeHeader: true
+```
--- a/docs/content/middlewares/errorpages.md
+++ b/docs/content/middlewares/errorpages.md
@@ -29,8 +29,10 @@ spec:
  errors:
    status:
    - 500-599
-    service: serviceError
    query: /{status}.html
+    service:
+      name: whoami
+      port: 80
 ```

 ```json tab="Marathon"
@@ -49,7 +51,7 @@ labels:
 - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Custom Error Page for 5XX
 [http.middlewares]
  [http.middlewares.test-errorpage.errors]
@@ -61,8 +63,23 @@ labels:
  # ... definition of error-handler-service and my-service
 ```

+```yaml tab="File (YAML)"
+# Custom Error Page for 5XX
+http:
+  middlewares:
+    test-errorpage:
+      errors:
+        status:
+        - "500-599"
+        service: serviceError
+        query: "/{status}.html"
+
+[http.services]
+  # ... definition of error-handler-service and my-service
+```
+
 !!! note 
-    In this example, the error page URL is based on the status code (`query=/{status}.html)`.
+    In this example, the error page URL is based on the status code (`query=/{status}.html`).

 ## Configuration Options

@@ -80,6 +97,9 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet

 The service that will serve the new requested error page.

+!!! Note
+    In kubernetes, you need to reference a kubernetes service instead of a traefik service.
+
 ### `query`

 The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
--- a/docs/content/middlewares/forwardauth.md
+++ b/docs/content/middlewares/forwardauth.md
@@ -15,12 +15,99 @@ Otherwise, the response from the authentication server is returned.
 # Forward authentication to authserver.com
 labels:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+# Forward authentication to authserver.com
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+# Forward authentication to authserver.com
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```toml tab="File (TOML)"
+# Forward authentication to authserver.com
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+```
+
+```yaml tab="File (YAML)"
+# Forward authentication to authserver.com
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+```
+
+## Configuration Options
+
+### `address`
+
+The `address` option defines the authentication server address.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth 
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+```
+
+### `trustForwardHeader`
+
+Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
+
+```yaml tab="Docker"
+labels:
 - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

@@ -33,71 +120,381 @@ spec:
  forwardAuth:
    address: https://authserver.com/auth
    trustForwardHeader: true
-    authResponseHeaders:
-    - X-Auth-User
-    - X-Secret
-    tls:
-      ca: path/to/local.crt
-      caOptional: true
-      cert: path/to/foo.cert
-      key: path/to/foo.key  
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth",
-  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key",
  "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
 }
 ```

 ```yaml tab="Rancher"
-# Forward authentication to authserver.com
 labels:
- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.forwardauth.tls.InisecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

-```toml tab="File"
-# Forward authentication to authserver.com
+```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.test-auth.forwardAuth]
    address = "https://authserver.com/auth"
    trustForwardHeader = true
-    authResponseHeaders = ["X-Auth-User", "X-Secret"]
-
-    [http.middlewares.test-auth.forwardAuth.tls]
-      ca = "path/to/local.crt"
-      caOptional = true
-      cert = "path/to/foo.cert"
-      key = "path/to/foo.key"
 ```

-## Configuration Options
-
-### `address`
-
-The `address` option defines the authentication server address.
-
-### `trustForwardHeader`
-
-Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        trustForwardHeader: true
+```

 ### `authResponseHeaders`

 The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.

+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    authResponseHeaders:
+    - X-Auth-User
+    - X-Secret
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    authResponseHeaders = ["X-Auth-User", "X-Secret"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        authResponseHeaders:
+        - "X-Auth-User"
+        - "X-Secret"
+```
+
 ### `tls`

 The `tls` option is the TLS configuration from Traefik to the authentication server.
+
+#### `tls.ca`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      caSecret: mycasercret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mycasercret
+  namespace: default
+
+data:
+  ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      ca = "path/to/local.crt"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          ca: "path/to/local.crt"
+```
+
+#### `tls.caOptional`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      caOptional: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      caOptional = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          caOptional: true
+```
+
+#### `tls.cert`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mytlscert
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          cert: "path/to/foo.cert"
+          key: "path/to/foo.key"
+```
+
+!!! Note
+    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+#### `tls.key`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mytlscert
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          cert: "path/to/foo.cert"
+          key: "path/to/foo.key"
+```
+
+!!! Note
+    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+#### `tls.insecureSkipVerify`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    insecureSkipVerify: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    insecureSkipVerify: true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        insecureSkipVerify: true
+```
--- a/docs/content/middlewares/headers.md
+++ b/docs/content/middlewares/headers.md
@@ -16,7 +16,7 @@ Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response
 ```yaml tab="Docker"
 labels:
 - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=True"
+- "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```

 ```yaml tab="Kubernetes"
@@ -29,29 +29,40 @@ spec:
    customRequestHeaders:
      X-Script-Name: "test"
    customResponseHeaders:
-      X-Custom-Response-Header: "True"
+      X-Custom-Response-Header: "value"
 ```

 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
-  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "True"
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "value"
 }
 ```

 ```yaml tab="Rancher"
 labels:
 - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=True"
+- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    [http.middlewares.testHeader.headers.customRequestHeaders]
        X-Script-Name = "test"
    [http.middlewares.testHeader.headers.customResponseHeaders]
-        X-Custom-Response-Header = "True"
+        X-Custom-Response-Header = "value"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        customRequestHeaders:
+          X-Script-Name: "test"
+        customResponseHeaders:
+          X-Custom-Response-Header: "value"
 ```

 ### Adding and Removing Headers
@@ -59,7 +70,12 @@ labels:
 `X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
 and the `X-Custom-Response-Header` header removed from the response.

-Please note that is not possible to remove headers through the use of labels (Docker, Rancher, Marathon, ...) for now.
+Please note that it is not possible to remove headers through the use of labels (Docker, Rancher, Marathon, ...) for now.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+```

 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
@@ -75,18 +91,18 @@ spec:
      X-Custom-Response-Header: "" # Removes
 ```

-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-```
-
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
 }
 ```

-```toml tab="File"    
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+```
+
+```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    [http.middlewares.testHeader.headers.customRequestHeaders]
@@ -96,9 +112,21 @@ labels:
        X-Custom-Response-Header = "" # Removes
 ```

+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        customRequestHeaders:
+          X-Script-Name: "test" # Adds
+          X-Custom-Request-Header: "" # Removes
+        customResponseHeaders:
+          X-Custom-Response-Header: "" # Removes
+```
+
 ### Using Security Headers

-Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above.
+Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured in a manner similar to the custom headers above.
 This functionality allows for some easy security features to quickly be set.

 ```yaml tab="Docker"
@@ -118,12 +146,6 @@ spec:
    sslRedirect: "true"
 ```

-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.framedeny=true"
-  - "traefik.http.middlewares.testheader.headers.sslredirect=true"
-```
-
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.framedeny": "true",
@@ -131,16 +153,31 @@ labels:
 }
 ```

-```toml tab="File"    
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.framedeny=true"
+  - "traefik.http.middlewares.testheader.headers.sslredirect=true"
+```
+
+```toml tab="File (TOML)"    
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    FrameDeny = true
    SSLRedirect = true
 ```

+```yaml tab="File (YAML)"  
+http:
+  middlewares:
+    testHeader:
+      headers:
+        FrameDeny: true
+        SSLRedirect: true
+```
+
 ### CORS Headers

-CORS (Cross-Origin Resource Sharing) headers can be added and configured per frontend in a similar manner to the custom headers above.
+CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
 This functionality allows for more advanced security features to quickly be set.

 ```yaml tab="Docker"
@@ -167,14 +204,6 @@ spec:
    addVaryHeader: "true"
 ```

-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
-  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
-```
-
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
@@ -184,7 +213,15 @@ labels:
 }
 ```

-```toml tab="File"    
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
+```toml tab="File (TOML)"    
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
@@ -193,6 +230,20 @@ labels:
    addVaryHeader = true
 ```

+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        accessControlAllowMethod:
+        - GET
+        - OPTIONS
+        - PUT
+        accessControlAllowOrigin: "origin-list-or-null"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+```
+
 ## Configuration Options

 ### General
@@ -324,6 +375,10 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates

 The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.

+### `featurePolicy`
+
+The `featurePolicy` allows sites to control browser features.
+
 ### `isDevelopment`

 Set `isDevelopment` to true when developing.
--- a/docs/content/middlewares/inflightreq.md
+++ b/docs/content/middlewares/inflightreq.md
@@ -0,0 +1,247 @@
+# InFlightReq
+
+Limiting the Number of Simultaneous In-Flight Requests
+{: .subtitle }
+
+![InFlightReq](../assets/img/middleware/inflightreq.png)
+
+To proactively prevent services from being overwhelmed with high load, a limit on the number of simultaneous in-flight requests can be applied.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    amount: 10
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10 
+```
+
+```yaml tab="File (YAML)"
+# Limiting to 10 simultaneous connections
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        amount: 10 
+```
+
+## Configuration Options
+
+### `amount`
+
+The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
+The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
+
+### `sourceCriterion`
+ 
+SourceCriterion defines what criterion is used to group requests as originating from a common source.
+The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If none are set, the default is to use the `requestHost`.
+
+#### `sourceCriterion.ipStrategy`
+
+The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+
+##### `ipStrategy.depth`
+
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is lesser than or equal to 0.
+    
+!!! note "Example of Depth & X-Forwarded-For"
+
+    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
+
+    | `X-Forwarded-For`                       | `depth` | clientIP     |
+    |-----------------------------------------|---------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+##### `ipStrategy.excludedIPs`
+
+`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+
+!!! important
+    If `depth` is specified, `excludedIPs` is ignored.
+
+!!! note "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      ipStrategy:
+        excludedIPs:
+        - 127.0.0.1/32
+        - 192.168.1.7
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          ipStrategy:
+            excludedIPs:
+            - "127.0.0.1/32"
+            - "192.168.1.7"
+```
+
+#### `sourceCriterion.requestHeaderName`
+
+Requests having the same value for the given header are grouped as coming from the same source.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+	sourceCriterion:
+      requestHeaderName: username
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername": "username"
+}
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
+      requestHeaderName = "username"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          requestHeaderName: username
+```
+
+#### `sourceCriterion.requestHost`
+
+Whether to consider the request host as the source.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      requestHost: true
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost": "true"
+}
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
+      requestHost = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          requestHost: true
+```
--- a/docs/content/middlewares/ipwhitelist.md
+++ b/docs/content/middlewares/ipwhitelist.md
@@ -39,13 +39,24 @@ labels:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Accepts request from defined IP
 [http.middlewares]
  [http.middlewares.test-ipwhitelist.ipWhiteList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```

+```yaml tab="File (YAML)"
+# Accepts request from defined IP
+http:
+  middlewares:
+    test-ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+        - "127.0.0.1/32"
+        - "192.168.1.7"
+```
+
 ## Configuration Options

 ### `sourceRange`
@@ -108,7 +119,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
    }
    ```
    
-    ```toml tab="File"
+    ```toml tab="File (TOML)"
    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
    [http.middlewares]
      [http.middlewares.test-ipwhitelist.ipWhiteList]
@@ -116,11 +127,24 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
          depth = 2
    ```
+    
+    ```yaml tab="File (YAML)"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    http:
+      middlewares:
+        test-ipwhitelist:
+          ipWhiteList:
+            sourceRange:
+            - "127.0.0.1/32"
+            - "192.168.1.7"
+            ipStrategy:
+              depth: 2
+    ```

 !!! note

    - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-    - `depth` is ignored if its value is is lesser than or equal to 0.
+    - `depth` is ignored if its value is lesser than or equal to 0.

 #### `ipStrategy.excludedIPs`

@@ -171,10 +195,22 @@ labels:
 }
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]
  [http.middlewares.test-ipwhitelist.ipWhiteList]
    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
+
+```yaml tab="File (YAML)"
+# Exclude from `X-Forwarded-For`
+http:
+  middlewares:
+    test-ipwhitelist:
+      ipWhiteList:
+        ipStrategy:
+          excludedIPs:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+```
--- a/docs/content/middlewares/maxconnection.md
+++ b/docs/content/middlewares/maxconnection.md
@@ -1,62 +0,0 @@
-# MaxConnection
-
-Limiting the Number of Simultaneous Clients
-{: .subtitle }
-
-![MaxConnection](../assets/img/middleware/maxconnection.png)
-
-To proactively prevent services from being overwhelmed with high load, a maximum connection limit can be applied.
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Limiting to 10 simultaneous connections
-labels:
- "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: test-maxconn
-spec:
-  maxConn:
-    amount: 10
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-maxconn.maxconn.amount": "10"
-}
-```
-
-```yaml tab="Rancher"
-# Limiting to 10 simultaneous connections
-labels:
- "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
-```
-
-```toml tab="File"
-# Limiting to 10 simultaneous connections
-[http.middlewares]
-  [http.middlewares.test-maxconn.maxConn]
-    amount = 10 
-```
-
-## Configuration Options
-
-### `amount`
-
-The `amount` option defines the maximum amount of allowed simultaneous connections.
-The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).
-
-### extractorfunc
-
-The `extractorfunc` defines the strategy used to categorize requests.
-
-The possible values are:
-
- `request.host` categorizes requests based on the request host.
- `client.ip` categorizes requests based on the client ip.
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -22,7 +22,7 @@ whoami:
    # Create a middleware named `foo-add-prefix`
    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
    # Apply the middleware named `foo-add-prefix` to the router named `router1`
-    - "traefik.http.router.router1.middlewares=foo-add-prefix@docker"
+    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

 ```yaml tab="Kubernetes"
@@ -66,7 +66,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
-  "traefik.http.router.router1.middlewares": "foo-add-prefix@marathon"
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
 }
 ```

@@ -76,14 +76,11 @@ labels:
  # Create a middleware named `foo-add-prefix`
  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
  # Apply the middleware named `foo-add-prefix` to the router named `router1`
-  - "traefik.http.router.router1.middlewares=foo-add-prefix@rancher"
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
 ```

-```toml tab="File"
-# As Toml Configuration File
-[providers]
-  [providers.file]
-
+```toml tab="File (TOML)"
+# As TOML Configuration File
 [http.routers]
  [http.routers.router1]
    service = "myService"
@@ -102,6 +99,28 @@ labels:
        url = "http://127.0.0.1:80"
 ```

+```yaml tab="File (YAML)"
+# As YAML Configuration File
+http:
+  routers:
+    router1:
+      service: myService
+      middlewares:
+      - "foo-add-prefix"
+      rule: "Host(`example.com`)"
+
+  middlewares:
+    foo-add-prefix:
+      addPrefix:
+        prefix: "/foo"
+
+  services:
+    service1:
+      loadBalancer:
+        servers:
+        - url: "http://127.0.0.1:80"
+```
+
 ## Provider Namespace

 When you declare a middleware, it lives in its provider namespace.
@@ -127,14 +146,19 @@ and therefore this specification would be ignored even if present.

    Declaring the add-foo-prefix in the file provider.

-    ```toml
-    [providers]
-      [providers.file]
-
+    ```toml tab="File (TOML)"
    [http.middlewares]
      [http.middlewares.add-foo-prefix.addPrefix]
        prefix = "/foo"
    ```
+    
+    ```yaml tab="File (YAML)"
+    http:
+      middlewares:
+        add-foo-prefix:
+          addPrefix:
+            prefix: "/foo"
+    ```

    Using the add-foo-prefix middleware from other providers:

@@ -184,7 +208,7 @@ and therefore this specification would be ignored even if present.
 | [ForwardAuth](forwardauth.md)             | Authentication delegation                         | Security, Authentication    |
 | [Headers](headers.md)                     | Add / Update headers                              | Security                    |
 | [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs                      | Security, Request lifecycle |
-| [MaxConnection](maxconnection.md)         | Limit the number of simultaneous connections      | Security, Request lifecycle |
+| [InFlightReq](inflightreq.md)             | Limit the number of simultaneous connections      | Security, Request lifecycle |
 | [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header            | Security                    |
 | [RateLimit](ratelimit.md)                 | Limit the call frequency                          | Security, Request lifecycle |
 | [RedirectScheme](redirectscheme.md)       | Redirect easily the client elsewhere              | Request lifecycle           |
--- a/docs/content/middlewares/passtlsclientcert.md
+++ b/docs/content/middlewares/passtlsclientcert.md
@@ -3,7 +3,9 @@
 Adding Client Certificates in a Header
 {: .subtitle }

-`TODO add schema`
+<!--
+TODO: add schema
+-->

 PassTLSClientCert adds in header the selected data from the passed client tls certificate.

@@ -39,13 +41,22 @@ labels:
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 [http.middlewares]
  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
    pem = true
 ```

+```yaml tab="File (YAML)"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+http:
+  middlewares:
+    test-passtlsclientcert:
+      passTLSClientCert:
+        pem: true
+```
+
 ??? example "Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"

    ```yaml tab="Docker"
@@ -144,7 +155,7 @@ labels:
    }
    ```

-    ```toml tab="File"
+    ```toml tab="File (TOML)"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    [http.middlewares]
      [http.middlewares.test-passtlsclientcert.passTLSClientCert]
@@ -170,6 +181,34 @@ labels:
            domainComponent = true
    ```

+    ```yaml tab="File (YAML)"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    http:
+      middlewares:
+        test-passtlsclientcert:
+          passTLSClientCert:
+            info:
+              notAfter: true
+              notBefore: true
+              sans: true
+              subject:
+                country: true
+                province: true
+                locality: true
+                organization: true
+                commonName: true
+                serialNumber: true
+                domainComponent: true
+              issuer:
+                country: true
+                province: true
+                locality: true
+                organization: true
+                commonName: true
+                serialNumber: true
+                domainComponent: true
+    ```
+
 ## Configuration Options

 ### General
@@ -182,7 +221,7 @@ PassTLSClientCert can add two headers to the request:
 !!! note
    The headers are filled with escaped string so it can be safely placed inside a URL query.

-In the following example, you can see a complete certificate. We will use each part of it to explains the middleware options.
+In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.

 ??? example "A complete client tls certificate"

--- a/docs/content/middlewares/ratelimit.md
+++ b/docs/content/middlewares/ratelimit.md
@@ -1,114 +1,344 @@
 # RateLimit

-Protection from Too Many Calls
+To Control the Number of Requests Going to a Service
 {: .subtitle }

-![RateLimit](../assets/img/middleware/ratelimit.png)
-
 The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows you define what is fair.

 ## Configuration Example

 ```yaml tab="Docker"
-# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
-# These can "burst" up to 10 and 200 in each period, respectively.
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
 labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc=client.ip"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period=10s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst=200"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period=3s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average=5"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst=10"
-  		
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```

 ```yaml tab="Kubernetes"
-# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
-# These can "burst" up to 10 and 200 in each period, respectively.
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
 spec:
  rateLimit:
-    extractorFunc: client.ip
-    rateSet:
-      rate0:
-          period: 10s
-          average: 100
-          burst: 200
-      rate1:
-          period: 3s
-          average: 5
-          burst: 10
+      average: 100
+      burst: 50
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc": "client.ip",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period": "10s",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average": "100",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst": "200",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period": "3s",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average": "5",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst": "10"
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
+  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "50"
 }
 ```

 ```yaml tab="Rancher"
-# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
-# These can "burst" up to 10 and 200 in each period, respectively.
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
 labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc=client.ip"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period=10s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst=200"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period=3s"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average=5"
- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst=10"
-  		
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```

-```toml tab="File"
-# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
-# These can "burst" up to 10 and 200 in each period, respectively.
+```toml tab="File (TOML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
 [http.middlewares]
  [http.middlewares.test-ratelimit.rateLimit]
-    extractorfunc = "client.ip"
-    
-    [http.middlewares.test-ratelimit.rateLimit.rateSet.rate0]
-      period = "10s"
-      average = 100
-      burst = 200
-    
-    [http.middlewares.test-ratelimit.rateLimit.rateSet.rate1]
-      period = "3s"
-      average = 5
-      burst = 10
+    average = 100
+    burst = 50
+```
+
+```yaml tab="File (YAML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 100
+        burst: 50
 ```

 ## Configuration Options

-### `extractorfunc`
+### `average`
+
+Average is the maximum rate, in requests/s, allowed for the given source.
+It defaults to 0, which means no rate limiting.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+      average: 100
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 100
+```
+
+### `burst`
+
+Burst is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
+It defaults to 1.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+      burst: 100
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
+  		
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    burst = 100
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        burst: 100
+```
+
+### `sourceCriterion`
 
-The `extractorfunc` option defines the strategy used to categorize requests.
+SourceCriterion defines what criterion is used to group requests as originating from a common source.
+The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If none are set, the default is to use the request's remote address field (as an `ipStrategy`).

-The possible values are:
+#### `sourceCriterion.ipStrategy`

- `request.host` categorizes requests based on the request host.
- `client.ip` categorizes requests based on the client ip.
- `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
+The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.

-### `rateSet`
+##### `ipStrategy.depth`

-You can combine multiple rate limits. 
-The rate limit will trigger with the first reached limit.
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).

-Each rate limit has 3 options, `period`, `average`, and `burst`.
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is lesser than or equal to 0.

-The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.
+!!! note "Example of Depth & X-Forwarded-For"

-!!! note "Period Format"
+    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).

-    Period is to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+    | `X-Forwarded-For`                       | `depth` | clientIP     |
+    |-----------------------------------------|---------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+##### `ipStrategy.excludedIPs`
+
+`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+
+!!! important
+    If `depth` is specified, `excludedIPs` is ignored.
+
+!!! note "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    sourceCriterion:
+      ipStrategy:
+        excludedIPs:
+        - 127.0.0.1/32
+        - 192.168.1.7
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          ipStrategy:
+            excludedIPs:
+            - "127.0.0.1/32"
+            - "192.168.1.7"
+```
+
+#### `sourceCriterion.requestHeaderName`
+
+Requests having the same value for the given header are grouped as coming from the same source.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+	sourceCriterion:
+      requestHeaderName: username
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername": "username"
+}
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHeaderName = "username"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          requestHeaderName: username
+```
+
+#### `sourceCriterion.requestHost`
+
+Whether to consider the request host as the source.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    sourceCriterion:
+      requestHost: true
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost": "true"
+}
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHost = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          requestHost: true
+```
--- a/docs/content/middlewares/redirectregex.md
+++ b/docs/content/middlewares/redirectregex.md
@@ -3,7 +3,9 @@
 Redirecting the Client to a Different Location
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 RegexRedirect redirect a request from an url to another with regex matching and replacement.

@@ -11,9 +13,10 @@ RegexRedirect redirect a request from an url to another with regex matching and

 ```yaml tab="Docker"
 # Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
 labels:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
+- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```

 ```yaml tab="Kubernetes"
@@ -25,29 +28,40 @@ metadata:
 spec:
  redirectRegex:
    regex: ^http://localhost/(.*)
-    replacement: http://mydomain/$1
+    replacement: http://mydomain/${1}
 ```

 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
-  "traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/$1"
+  "traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/${1}"
 }
 ```

 ```yaml tab="Rancher"
 # Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
 labels:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
+- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Redirect with domain replacement
 [http.middlewares]
  [http.middlewares.test-redirectregex.redirectRegex]
    regex = "^http://localhost/(.*)"
-    replacement = "http://mydomain/$1"
+    replacement = "http://mydomain/${1}"
+```
+
+```yaml tab="File (YAML)"
+# Redirect with domain replacement
+http:
+  middlewares:
+    test-redirectregex:
+      redirectRegex:
+        regex: "^http://localhost/(.*)"
+        replacement: "http://mydomain/${1}"
 ```

 ## Configuration Options
@@ -70,5 +84,5 @@ The `regex` option is the regular expression to match and capture elements from
    
 ### `replacement`

-The `replacement` option defines how to modify the URl to have the new target URL.
+The `replacement` option defines how to modify the URL to have the new target URL.
 
--- a/docs/content/middlewares/redirectscheme.md
+++ b/docs/content/middlewares/redirectscheme.md
@@ -3,7 +3,9 @@
 Redirecting the Client to a Different Scheme/Port
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 RegexRedirect redirect request from a scheme to another.

@@ -38,13 +40,22 @@ labels:
 - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Redirect to https
 [http.middlewares]
  [http.middlewares.test-redirectscheme.redirectScheme]
    scheme = "https"
 ```

+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        scheme: https
+```
+
 ## Configuration Options

 ### `permanent`
--- a/docs/content/middlewares/replacepath.md
+++ b/docs/content/middlewares/replacepath.md
@@ -3,7 +3,9 @@
 Updating the Path Before Forwarding the Request
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 Replace the path of the request url.

@@ -38,13 +40,22 @@ labels:
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Replace the path by /foo
 [http.middlewares]
  [http.middlewares.test-replacepath.replacePath]
    path = "/foo"
 ```

+```yaml tab="File (YAML)"
+# Replace the path by /foo
+http:
+  middlewares:
+    test-replacepath:
+      replacePath:
+        path: "/foo"
+```
+
 ## Configuration Options

 ### General
--- a/docs/content/middlewares/replacepathregex.md
+++ b/docs/content/middlewares/replacepathregex.md
@@ -3,7 +3,9 @@
 Updating the Path Before Forwarding the Request (Using a Regex)
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 The ReplaceRegex replace a path from an url to another with regex matching and replacement.

@@ -42,7 +44,7 @@ labels:
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Redirect with domain replacement
 [http.middlewares]
  [http.middlewares.test-replacepathregex.replacePathRegex]
@@ -50,6 +52,16 @@ labels:
    replacement = "/bar/$1"
 ```

+```yaml tab="File (YAML)"
+# Redirect with domain replacement
+http:
+  middlewares:
+    test-replacepathregex:
+      replacePathRegex:
+        regex: "^/foo/(.*)"
+        replacement: "/bar/$1"
+```
+
 ## Configuration Options

 ### General
--- a/docs/content/middlewares/retry.md
+++ b/docs/content/middlewares/retry.md
@@ -3,9 +3,12 @@
 Retrying until it Succeeds
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

-Retry to send request on attempt failure.
+The Retry middleware is in charge of reissuing a request a given number of times to a backend server if that server does not reply.
+To be clear, as soon as the server answers, the middleware stops retrying, regardless of the response status.

 ## Configuration Examples

@@ -38,17 +41,26 @@ labels:
 - "traefik.http.middlewares.test-retry.retry.attempts=4"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Retry to send request 4 times
 [http.middlewares]
  [http.middlewares.test-retry.retry]
     attempts = 4
 ```

+```yaml tab="File (YAML)"
+# Retry to send request 4 times
+http:
+  middlewares:
+    test-retry:
+      retry:
+       attempts: 4
+```
+
 ## Configuration Options

 ### `attempts` 

 _mandatory_

-The `attempts` option defines how many times to try sending the request.
+The `attempts` option defines how many times the request should be retried.
--- a/docs/content/middlewares/stripprefix.md
+++ b/docs/content/middlewares/stripprefix.md
@@ -3,7 +3,9 @@
 Removing Prefixes From the Path Before Forwarding the Request
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 Remove the specified prefixes from the URL path.

@@ -12,7 +14,7 @@ Remove the specified prefixes from the URL path.
 ```yaml tab="Docker"
 # Strip prefix /foobar and /fiibar
 labels:
- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar, /fiibar"
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```

 ```yaml tab="Kubernetes"
@@ -30,23 +32,34 @@ spec:

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar, /fiibar"
+  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
 }
 ```

 ```yaml tab="Rancher"
 # Strip prefix /foobar and /fiibar
 labels:
- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar, /fiibar"
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```

-```toml tab="File"
+```toml tab="File (TOML)"
 # Strip prefix /foobar and /fiibar
 [http.middlewares]
  [http.middlewares.test-stripprefix.stripPrefix]
    prefixes = ["/foobar", "/fiibar"]
 ```

+```yaml tab="File (YAML)"
+# Strip prefix /foobar and /fiibar
+http:
+  middlewares:
+    test-stripprefix:
+      stripPrefix:
+        prefixes:
+        - "/foobar"
+        - "/fiibar"
+```
+
 ## Configuration Options

 ### General
--- a/docs/content/middlewares/stripprefixregex.md
+++ b/docs/content/middlewares/stripprefixregex.md
@@ -3,46 +3,50 @@
 Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
 {: .subtitle }

-`TODO: add schema`
-
 Remove the matching prefixes from the URL path.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Replace the path by /foo
 labels:
- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=^/foo/(.*)",
+- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```

 ```yaml tab="Kubernetes"
-# Replace the path by /foo
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-stripprefixregex
 spec:
  stripPrefixRegex:
-    regex: "^/foo/(.*)"
+    regex:
+    - "/foo/[a-z0-9]+/[0-9]+/"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "^/foo/(.*)"
+  "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "/foo/[a-z0-9]+/[0-9]+/"
 }
 ```

 ```yaml tab="Rancher"
-# Replace the path by /foo
 labels:
- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=^/foo/(.*)",
+- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```

-```toml tab="File"
-# Replace the path by /foo
+```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.test-stripprefixregex.stripPrefixRegex]
-     regex: "^/foo/(.*)"
+    regex = ["/foo/[a-z0-9]+/[0-9]+/"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-stripprefixregex:
+      stripPrefixRegex:
+        regex:
+        - "/foo/[a-z0-9]+/[0-9]+/"
 ```

 ## Configuration Options
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -0,0 +1,353 @@
+# Migration Guide: From v1 to v2
+
+How to Migrate from Traefik v1 to Traefik v2.
+{: .subtitle }
+
+The version 2 of Traefik introduces a number of breaking changes, 
+which require one to update their configuration when they migrate from v1 to v2.
+The goal of this page is to recapitulate all of these changes, and in particular to give examples, 
+feature by feature, of how the configuration looked like in v1, and how it now looks like in v2.
+
+!!! Note "Migration Helper"
+    
+    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/containous/traefik-migration-tool)
+
+    This tool allows to:
+
+    - convert `Ingress` to Traefik `IngressRoute` resources.
+    - convert `acme.json` file from v1 to v2 format.
+
+## Frontends and Backends Are Dead... <br/>... Long Live Routers, Middlewares, and Services
+
+During the transition from v1 to v2, a number of internal pieces and components of Traefik were rewritten and reorganized.
+As such, the combination of core notions such as frontends and backends has been replaced with the combination of routers, services, and middlewares.
+
+Typically, a router replaces a frontend, and a service assumes the role of a backend, with each router referring to a service.
+However, even though a backend was in charge of applying any desired modification on the fly to the incoming request,
+the router defers that responsibility to another component.
+Instead, a dedicated middleware is now defined for each kind of such modification.
+Then any router can refer to an instance of the wanted middleware.
+
+!!! example "One frontend with basic auth and one backend, become one router, one service, and one basic auth middleware."
+
+    ### v1
+    
+    ```yaml tab="Docker"
+    labels:
+      - "traefik.frontend.rule=Host:test.localhost;PathPrefix:/test"
+      - "traefik.frontend.auth.basic.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+    ```
+
+    ```yaml tab="K8s Ingress"
+    apiVersion: extensions/v1beta1
+    kind: Ingress
+    metadata:
+      name: traefik
+      namespace: kube-system
+      annotations:
+        kubernetes.io/ingress.class: traefik
+        traefik.ingress.kubernetes.io/rule-type: PathPrefix
+    spec:
+      rules:
+      - host: test.locahost
+        http:
+          paths:
+          - path: /test
+            backend:
+              serviceName: server0
+              servicePort: 80
+          - path: /test
+            backend:
+              serviceName: server1
+              servicePort: 80
+    ```
+
+    ```toml tab="File (TOML)"
+    [frontends]
+      [frontends.frontend1]
+        entryPoints = ["http"]
+        backend = "backend1"
+    
+        [frontends.frontend1.routes]
+          [frontends.frontend1.routes.route0]
+            rule = "Host:test.localhost"
+          [frontends.frontend1.routes.route0]
+            rule = "PathPrefix:/test"
+        
+        [frontends.frontend1.auth]
+          [frontends.frontend1.auth.basic]
+            users = [
+              "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+              "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+            ]
+    
+    [backends]
+      [backends.backend1]
+        [backends.backend1.servers.server0]
+          url = "http://10.10.10.1:80"
+        [backends.backend1.servers.server1]
+          url = "http://10.10.10.2:80"
+    
+        [backends.backend1.loadBalancer]
+          method = "wrr"
+    ```
+    
+    ### v2
+    
+    ```yaml tab="Docker"
+    labels:
+      - "traefik.http.routers.router0.rule=Host(`bar.com`) && PathPrefix(`/test`)"
+      - "traefik.http.routers.router0.middlewares=auth"
+      - "traefik.http.middlewares.auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+    ```
+
+    ```yaml tab="K8s IngressRoute"
+    # The definitions below require the definitions for the Middleware and IngressRoute kinds.  
+    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: basicauth
+      namespace: foo
+    
+    spec:
+      basicAuth:
+        users:
+          - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
+          - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
+    
+    ---
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: ingressroutebar
+    
+    spec:
+      entryPoints:
+        - http
+      routes:
+      - match: Host(`test.localhost`) && PathPrefix(`/test`)
+        kind: Rule
+        services:
+        - name: server0
+          port: 80
+        - name: server1
+          port: 80
+        middlewares:
+        - name: basicauth
+          namespace: foo
+    ```
+
+    ```toml tab="File (TOML)"
+    [http.routers]
+      [http.routers.router0]
+        rule = "Host(`test.localhost`) && PathPrefix(`/test`)"
+        middlewares = ["auth"]
+        service = "my-service"
+    
+    [http.services]
+      [[http.services.my-service.loadBalancer.servers]]
+        url = "http://10.10.10.1:80"
+      [[http.services.my-service.loadBalancer.servers]]
+        url = "http://10.10.10.2:80"
+    
+    [http.middlewares]
+      [http.middlewares.auth.basicAuth]
+        users = [
+          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+        ]
+    ```
+
+    ```yaml tab="File (YAML)"
+    http:
+      routers:
+        router0:
+          rule: "Host(`test.localhost`) && PathPrefix(`/test`)"
+          service: my-service
+          middlewares:
+          - auth
+    
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+            - url: http://10.10.10.1:80
+            - url: http://10.10.10.2:80
+    
+      middlewares:
+        auth:
+          basicAuth:
+            users:
+            - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+            - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+    ```
+
+## TLS configuration is now dynamic, per router.
+
+TLS parameters used to be specified in the static configuration, as an entryPoint field.
+With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations.
+Then, a router's TLS field can refer to one of the TLS configurations defined at the root, hence defining the TLS configuration for that router.
+
+!!! example "TLS on web-secure entryPoint becomes TLS option on Router-1"
+
+    ### v1
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    [entryPoints]
+      [entryPoints.web-secure]
+        address = ":443"
+    
+        [entryPoints.web-secure.tls]
+          minVersion = "VersionTLS12"
+          cipherSuites = [
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_RSA_WITH_AES_256_GCM_SHA384"
+           ]
+          [[entryPoints.web-secure.tls.certificates]]
+            certFile = "path/to/my.cert"
+            keyFile = "path/to/my.key"
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384'
+    ```
+    
+    ### v2
+    
+    ```toml tab="File (TOML)"
+    # dynamic configuration
+    [http.routers]
+      [http.routers.Router-1]
+        rule = "Host(`bar.com`)"
+        service = "service-id"
+        # will terminate the TLS request
+        [http.routers.Router-1.tls]
+          options = "myTLSOptions"
+    
+    [[tls.certificates]]
+      certFile = "/path/to/domain.cert"
+      keyFile = "/path/to/domain.key"
+    
+    [tls.options]
+      [tls.options.default]
+        minVersion = "VersionTLS12"
+    
+      [tls.options.myTLSOptions]
+        minVersion = "VersionTLS13"
+        cipherSuites = [
+              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+              "TLS_RSA_WITH_AES_256_GCM_SHA384"
+            ]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    http:
+      routers:
+        Router-1:
+          rule: "Host(`bar.com`)"
+          service: service-id
+          # will terminate the TLS request
+          tls:
+            options: myTLSOptions
+    
+    tls:
+      certificates:
+        - certFile: /path/to/domain.cert
+          keyFile: /path/to/domain.key
+      options:
+        myTLSOptions:
+          minVersion: VersionTLS13
+          cipherSuites:
+          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+          - TLS_RSA_WITH_AES_256_GCM_SHA384
+    ```
+    
+    ```yaml tab="K8s IngressRoute"
+    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.  
+    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: TLSOption
+    metadata:
+      name: mytlsoption
+      namespace: default
+    
+    spec:
+      minVersion: VersionTLS13
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_RSA_WITH_AES_256_GCM_SHA384
+    
+    ---
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: ingressroutebar
+    
+    spec:
+      entryPoints:
+        - web
+      routes:
+      - match: Host(`bar.com`)
+        kind: Rule
+        services:
+        - name: whoami
+          port: 80
+      tls:
+        options: 
+          name: mytlsoption
+          namespace: default
+    ```
+    
+    ```yaml tab="Docker"
+    labels:
+      # myTLSOptions must be defined by another provider, in this instance in the File Provider.
+      # see the cross provider section
+      - "traefik.http.routers.router0.tls.options=myTLSOptions@file"
+    ```
+
+## HTTP -> HTTPS Redirection
+
+	TODO
+
+## ACME (let's encrypt)
+
+	TODO
+
+## Traefik Logs
+
+	TODO
+
+## Tracing
+
+	TODO
+
+## Metrics
+
+	TODO
+
+## No more root level key/values
+
+	TODO
+
+## Providers
+
+Supported providers, for now:
+
+- [ ] Azure Service Fabric
+- [ ] BoltDB
+- [ ] Consul
+- [ ] Consul Catalog
+- [x] Docker
+- [ ] DynamoDB
+- [ ] ECS
+- [ ] Etcd
+- [ ] Eureka
+- [x] File
+- [x] Kubernetes Ingress (without annotations)
+- [x] Kubernetes IngressRoute
+- [x] Marathon
+- [ ] Mesos
+- [x] Rest
+- [ ] Zookeeper
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -9,12 +9,16 @@ By default, logs are written to stdout, in text format.

 To enable the access logs:

-```toml tab="File"
+```toml tab="File (TOML)"
 [accessLog]
 ```

+```yaml tab="File (YAML)"
+accessLog: {}
+```
+
 ```bash tab="CLI"
--accesslog
+--accesslog=true
 ```

 ### `filePath`
@@ -22,12 +26,11 @@ To enable the access logs:
 By default access logs are written to the standard output.
 To write the logs into a log file, use the `filePath` option.

-in the Common Log Format (CLF), extended with additional fields.
-
 ### `format`
 
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
+If the given format is unsupported, the default (CLF) is used instead.

 !!! note "Common Log Format"
    
@@ -41,16 +44,23 @@ To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.
 This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
 In some cases, this option can greatly help performances.

-```toml tab="File"
+```toml tab="File (TOML)"
 # Configuring a buffer of 100 lines
 [accessLog]
  filePath = "/path/to/access.log"
  bufferingSize = 100
 ```

+```yaml tab="File (YAML)"
+# Configuring a buffer of 100 lines
+accessLog:
+  filePath: "/path/to/access.log"
+  bufferingSize: 100
+```
+
 ```bash tab="CLI"
 # Configuring a buffer of 100 lines
--accesslog
+--accesslog=true
 --accesslog.filepath="/path/to/access.log"
 --accesslog.bufferingsize=100
 ```
@@ -66,11 +76,11 @@ The available filters are:
 - `retryAttempts`, to keep the access logs when at least one retry has happened
 - `minDuration`, to keep access logs when requests take longer than the specified duration

-```toml tab="File"
+```toml tab="File (TOML)"
 # Configuring Multiple Filters
 [accessLog]
-filePath = "/path/to/access.log"
-format = "json"
+  filePath = "/path/to/access.log"
+  format = "json"

  [accessLog.filters]    
    statusCodes = ["200", "300-302"]
@@ -78,9 +88,22 @@ format = "json"
    minDuration = "10ms"
 ```

+```yaml tab="File (YAML)"
+# Configuring Multiple Filters
+accessLog:
+  filePath: "/path/to/access.log"
+  format: json
+  filters:    
+    statusCodes:
+    - "200"
+    - "300-302"
+    retryAttempts: true
+    minDuration: "10ms"
+```
+
 ```bash tab="CLI"
 # Configuring Multiple Filters
--accesslog
+--accesslog=true
 --accesslog.filepath="/path/to/access.log"
 --accesslog.format="json"
 --accesslog.filters.statuscodes="200, 300-302"
@@ -100,7 +123,7 @@ Each field can be set to:

 The `defaultMode` for `fields.header` is `drop`.

-```toml tab="File"
+```toml tab="File (TOML)"
 # Limiting the Logs to Specific Fields
 [accessLog]
  filePath = "/path/to/access.log"
@@ -121,9 +144,26 @@ The `defaultMode` for `fields.header` is `drop`.
        "Content-Type" = "keep"
 ```

+```yaml tab="File (YAML)"
+# Limiting the Logs to Specific Fields
+accessLog:
+  filePath: "/path/to/access.log"
+  format: json
+  fields:
+    defaultMode: keep
+    names:
+      ClientUsername: drop
+    headers:
+      defaultMode: keep
+      names:
+          User-Agent: redact
+          Authorization: drop
+          Content-Type: keep
+```
+
 ```bash tab="CLI"
 # Limiting the Logs to Specific Fields
--accesslog
+--accesslog=true
 --accesslog.filepath="/path/to/access.log"
 --accesslog.format="json"
 --accesslog.fields.defaultmode="keep"
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -16,12 +16,18 @@ Traefik logs concern everything that happens to Traefik itself (startup, configu
 By default, the logs are written to the standard output.
 You can configure a file path instead using the `filePath` option.

-```toml tab="File"
+```toml tab="File (TOML)"
 # Writing Logs to a File
 [log]
  filePath = "/path/to/traefik.log"
 ```

+```yaml tab="File (YAML)"
+# Writing Logs to a File
+log:
+  filePath: "/path/to/traefik.log"
+```
+
 ```bash tab="CLI"
 # Writing Logs to a File
 --log.filePath="/path/to/traefik.log"
@@ -31,11 +37,18 @@ You can configure a file path instead using the `filePath` option.

 By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.   

-```toml tab="File"
+```toml tab="File (TOML)"
 # Writing Logs to a File, in JSON
 [log]
  filePath = "/path/to/log-file.log"
-  format   = "json"
+  format = "json"
+```
+
+```yaml tab="File (YAML)"
+# Writing Logs to a File, in JSON
+log:
+  filePath: "/path/to/log-file.log"
+  format: json
 ```

 ```bash tab="CLI"
@@ -48,11 +61,16 @@ By default, the logs use a text format (`common`), but you can also ask for the

 By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`. 

-```toml tab="File"
+```toml tab="File (TOML)"
 [log]
  level = "DEBUG"
 ```

+```yaml tab="File (YAML)"
+log:
+  level: DEBUG
+```
+
 ```bash tab="CLI"
 --log.level="DEBUG"
 ```
--- a/docs/content/observability/metrics/datadog.md
+++ b/docs/content/observability/metrics/datadog.md
@@ -0,0 +1,106 @@
+# Datadog
+
+To enable the Datadog:
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  datadog: {}
+```
+
+```bash tab="CLI"
+--metrics.datadog=true
+```
+
+#### `address`
+
+_Required, Default="127.0.0.1:8125"_
+
+Address instructs exporter to send metrics to datadog-agent at this address.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    address = "127.0.0.1:8125"
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  datadog:
+    address: 127.0.0.1:8125
+```
+
+```bash tab="CLI"
+--metrics.datadog.address="127.0.0.1:8125"
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    addEntryPointsLabels = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  datadog:
+    addEntryPointsLabels: true
+```
+
+```bash tab="CLI"
+--metrics.datadog.addEntryPointsLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    addServicesLabels = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  datadog:
+    addServicesLabels: true
+```
+
+```bash tab="CLI"
+--metrics.datadog.addServicesLabels=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+The interval used by the exporter to push metrics to datadog-agent.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    pushInterval = 10s
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  datadog:
+    pushInterval: 10s
+```
+
+```bash tab="CLI"
+--metrics.datadog.pushInterval=10s
+```
+
--- a/docs/content/observability/metrics/influxdb.md
+++ b/docs/content/observability/metrics/influxdb.md
@@ -0,0 +1,215 @@
+# InfluxDB
+
+To enable the InfluxDB:
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb: {}
+```
+
+```bash tab="CLI"
+--metrics.influxdb=true
+```
+
+#### `address`
+
+_Required, Default="localhost:8089"_
+
+Address instructs exporter to send metrics to influxdb at this address.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    address = "localhost:8089"
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    address: localhost:8089
+```
+
+```bash tab="CLI"
+--metrics.influxdb.address="localhost:8089"
+```
+
+#### `protocol`
+
+_Required, Default="udp"_
+
+InfluxDB's address protocol (udp or http).
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    protocol = "upd"
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    protocol: udp
+```
+
+```bash tab="CLI"
+--metrics.influxdb.protocol="udp"
+```
+
+#### `database`
+
+_Optional, Default=""_
+
+InfluxDB database used when protocol is http.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    database = ""
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    database: ""
+```
+
+```bash tab="CLI"
+--metrics.influxdb.database=""
+```
+
+#### `retentionPolicy`
+
+_Optional, Default=""_
+
+InfluxDB retention policy used when protocol is http.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    retentionPolicy = ""
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    retentionPolicy: ""
+```
+
+```bash tab="CLI"
+--metrics.influxdb.retentionPolicy=""
+```
+
+#### `username`
+
+_Optional, Default=""_
+
+InfluxDB username (only with http).
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    username = ""
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    username: ""
+```
+
+```bash tab="CLI"
+--metrics.influxdb.username=""
+```
+
+#### `password`
+
+_Optional, Default=""_
+
+InfluxDB password (only with http).
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    password = ""
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    password: ""
+```
+
+```bash tab="CLI"
+--metrics.influxdb.password=""
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    addEntryPointsLabels = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    addEntryPointsLabels: true
+```
+
+```bash tab="CLI"
+--metrics.influxdb.addEntryPointsLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    addServicesLabels = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    addServicesLabels: true
+```
+
+```bash tab="CLI"
+--metrics.influxdb.addServicesLabels=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+The interval used by the exporter to push metrics to influxdb.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    pushInterval = 10s
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  influxdb:
+    pushInterval: 10s
+```
+
+```bash tab="CLI"
+--metrics.influxdb.pushInterval=10s
+```
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -0,0 +1,26 @@
+# Metrics
+Metrics system
+{: .subtitle }
+
+Traefik supports 4 metrics backends:
+
+- [Datadog](./datadog.md)
+- [InfluxDB](./influxdb.md)
+- [Prometheus](./prometheus.md)
+- [StatsD](./statsd.md)
+
+## Configuration
+
+To enable metrics:
+
+```toml tab="File (TOML)"
+[metrics]
+```
+
+```yaml tab="File (YAML)"
+metrics: {}
+```
+
+```bash tab="CLI"
+--metrics=true
+```
--- a/docs/content/observability/metrics/prometheus.md
+++ b/docs/content/observability/metrics/prometheus.md
@@ -0,0 +1,118 @@
+# Prometheus
+
+To enable the Prometheus:
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus: {}
+```
+
+```bash tab="CLI"
+--metrics.prometheus=true
+```
+
+#### `buckets`
+
+_Optional, Default="0.100000, 0.300000, 1.200000, 5.000000"_
+
+Buckets for latency metrics.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    buckets = [0.1,0.3,1.2,5.0]
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    buckets:
+    - 0.1
+    - 0.3
+    - 1.2
+    - 5.0
+```
+
+```bash tab="CLI"
+--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addEntryPointsLabels = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    addEntryPointsLabels: true
+```
+
+```bash tab="CLI"
+--metrics.prometheus.addEntryPointsLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addServicesLabels = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    addServicesLabels: true
+```
+
+```bash tab="CLI"
+--metrics.prometheus.addServicesLabels=true
+```
+
+#### `entryPoint`
+
+_Optional, Default=traefik_
+
+Entry point used to expose metrics.
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.metrics]
+    address = ":8082"
+
+[metrics]
+  [metrics.prometheus]
+    entryPoint = "metrics"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  metrics:
+    address: ":8082"
+
+metrics:
+  prometheus:
+    entryPoint: metrics
+```
+
+```bash tab="CLI"
+--entryPoints.metrics.address=":8082"
+--metrics.prometheus..entryPoint="metrics"
+```
--- a/docs/content/observability/metrics/statsd.md
+++ b/docs/content/observability/metrics/statsd.md
@@ -0,0 +1,105 @@
+# StatsD
+
+To enable the Statsd:
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  statsd: {}
+```
+
+```bash tab="CLI"
+--metrics.statsd=true
+```
+
+#### `address`
+
+_Required, Default="localhost:8125"_
+
+Address instructs exporter to send metrics to statsd at this address.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+    address = "localhost:8125"
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  statsd:
+    address: localhost:8125
+```
+
+```bash tab="CLI"
+--metrics.statsd.address="localhost:8125"
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+    addEntryPointsLabels = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  statsd:
+    addEntryPointsLabels: true
+```
+
+```bash tab="CLI"
+--metrics.statsd.addEntryPointsLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+    addServicesLabels = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  statsd:
+    addServicesLabels: true
+```
+
+```bash tab="CLI"
+--metrics.statsd.addServicesLabels=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+The interval used by the exporter to push metrics to statsD.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+    pushInterval = 10s
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  statsd:
+    pushInterval: 10s
+```
+
+```bash tab="CLI"
+--metrics.statsd.pushInterval=10s
+```
--- a/docs/content/observability/tracing/datadog.md
+++ b/docs/content/observability/tracing/datadog.md
@@ -1,15 +1,19 @@
-# DataDog
+# Datadog

-To enable the DataDog:
+To enable the Datadog:

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
-  [tracing.dataDog]
+  [tracing.datadog]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  datadog: {}
 ```

 ```bash tab="CLI"
--tracing
--tracing.datadog
+--tracing.datadog=true
 ```

 #### `localAgentHostPort`
@@ -18,14 +22,19 @@ _Required, Default="127.0.0.1:8126"_

 Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
-  [tracing.dataDog]
+  [tracing.datadog]
    localAgentHostPort = "127.0.0.1:8126"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  datadog:
+    localAgentHostPort: 127.0.0.1:8126
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.datadog.localAgentHostPort="127.0.0.1:8126"
 ```

@@ -33,16 +42,21 @@ Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent

 _Optional, Default=false_

-Enable DataDog debug.
+Enable Datadog debug.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
-  [tracing.dataDog]
+  [tracing.datadog]
    debug = true
 ```

+```yaml tab="File (YAML)"
+tracing:
+  datadog:
+    debug: true
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.datadog.debug=true
 ```

@@ -52,14 +66,19 @@ _Optional, Default=empty_

 Apply shared tag in a form of Key:Value to all the traces.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
-  [tracing.dataDog]
+  [tracing.datadog]
    globalTag = "sample"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  datadog:
+    globalTag: sample
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.datadog.globalTag="sample"
 ```

@@ -70,13 +89,18 @@ _Optional, Default=false_
 Enable priority sampling. When using distributed tracing,
 this option must be enabled in order to get all the parts of a distributed trace sampled.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
-  [tracing.dataDog]
+  [tracing.datadog]
    prioritySampling = true
 ```

+```yaml tab="File (YAML)"
+tracing:
+  datadog:
+    prioritySampling: true
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.datadog.prioritySampling=true
 ```
--- a/docs/content/observability/tracing/haystack.md
+++ b/docs/content/observability/tracing/haystack.md
@@ -2,14 +2,18 @@

 To enable the Haystack:

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.haystack]
 ```

+```yaml tab="File (YAML)"
+tracing:
+  haystack: {}
+```
+
 ```bash tab="CLI"
--tracing
--tracing.haystack
+--tracing.haystack=true
 ```

 #### `localAgentHost`
@@ -18,14 +22,19 @@ _Require, Default="127.0.0.1"_

 Local Agent Host instructs reporter to send spans to haystack-agent at this address.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.haystack]
    localAgentHost = "127.0.0.1"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    localAgentHost: 127.0.0.1
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.haystack.localAgentHost="127.0.0.1"
 ```

@@ -35,14 +44,19 @@ _Require, Default=42699_

 Local Agent port instructs reporter to send spans to the haystack-agent at this port.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.haystack]
    localAgentPort = 42699
 ```

+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    localAgentPort: 42699
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.haystack.localAgentPort=42699
 ```

@@ -52,14 +66,19 @@ _Optional, Default=empty_

 Apply shared tag in a form of Key:Value to all the traces.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.haystack]
    globalTag = "sample:test"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    globalTag: sample:test
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.haystack.globalTag="sample:test"
 ```

@@ -69,14 +88,19 @@ _Optional, Default=empty_

 Specifies the header name that will be used to store the trace ID.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.haystack]
    traceIDHeaderName = "sample"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    traceIDHeaderName: sample
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.haystack.traceIDHeaderName="sample"
 ```

@@ -86,14 +110,19 @@ _Optional, Default=empty_

 Specifies the header name that will be used to store the span ID.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.haystack]
    parentIDHeaderName = "sample"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    parentIDHeaderName: "sample"
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.haystack.parentIDHeaderName="sample"
 ```

@@ -103,15 +132,20 @@ _Optional, Default=empty_

 Apply shared tag in a form of Key:Value to all the traces.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.haystack]
    spanIDHeaderName = "sample:test"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    spanIDHeaderName: "sample:test"
+```
+
 ```bash tab="CLI"
--tracing
--tracing.haystack.spanIDHeaderName="sample:test"
+--tracing.haystack.spanIDHeaderName=sample:test
 ```

 #### `baggagePrefixHeaderName`
@@ -120,13 +154,19 @@ _Optional, Default=empty_

 Specifies the header name prefix that will be used to store baggage items in a map.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.haystack]
    baggagePrefixHeaderName = "sample"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    baggagePrefixHeaderName: "sample"
+```
+
+
 ```bash tab="CLI"
--tracing
 --tracing.haystack.baggagePrefixHeaderName="sample"
 ```
--- a/docs/content/observability/tracing/instana.md
+++ b/docs/content/observability/tracing/instana.md
@@ -2,14 +2,18 @@

 To enable the Instana:

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.instana]
 ```

+```yaml tab="File (YAML)"
+tracing:
+  instana: {}
+```
+
 ```bash tab="CLI"
--tracing
--tracing.instana
+--tracing.instana=true
 ```

 #### `localAgentHost`
@@ -18,14 +22,19 @@ _Require, Default="127.0.0.1"_

 Local Agent Host instructs reporter to send spans to instana-agent at this address.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.instana]
    localAgentHost = "127.0.0.1"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  instana:
+    localAgentHost: 127.0.0.1
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.instana.localAgentHost="127.0.0.1"
 ```

@@ -35,14 +44,19 @@ _Require, Default=42699_

 Local Agent port instructs reporter to send spans to the instana-agent at this port.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.instana]
    localAgentPort = 42699
 ```

+```yaml tab="File (YAML)"
+tracing:
+  instana:
+    localAgentPort: 42699
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.instana.localAgentPort=42699
 ```

@@ -59,13 +73,18 @@ Valid values for logLevel field are:
 - `debug`
 - `info`

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.instana]
    logLevel = "info"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  instana:
+    logLevel: info
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.instana.logLevel="info"
 ```
--- a/docs/content/observability/tracing/jaeger.md
+++ b/docs/content/observability/tracing/jaeger.md
@@ -2,18 +2,23 @@

 To enable the Jaeger:

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.jaeger]
 ```

+```yaml tab="File (YAML)"
+tracing:
+  jaeger: {}
+```
+
 ```bash tab="CLI"
--tracing
--tracing.jaeger
+--tracing.jaeger=true
 ```

 !!! warning
-    Traefik is only able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent).
+    Traefik is able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent)
+    or a [Jaeger collector](https://www.jaegertracing.io/docs/deployment/#collectors).

 #### `samplingServerURL`

@@ -21,14 +26,19 @@ _Required, Default="http://localhost:5778/sampling"_

 Sampling Server URL is the address of jaeger-agent's HTTP sampling server.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.jaeger]
    samplingServerURL = "http://localhost:5778/sampling"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    samplingServerURL: http://localhost:5778/sampling
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.jaeger.samplingServerURL="http://localhost:5778/sampling"
 ```

@@ -38,14 +48,19 @@ _Required, Default="const"_

 Sampling Type specifies the type of the sampler: `const`, `probabilistic`, `rateLimiting`.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.jaeger]
    samplingType = "const"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    samplingType: const
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.jaeger.samplingType="const"
 ```

@@ -61,14 +76,19 @@ Valid values for Param field are:
 - for `probabilistic` sampler, a probability between 0 and 1
 - for `rateLimiting` sampler, the number of spans per second

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.jaeger]
    samplingParam = 1.0
 ```

+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    samplingParam: 1.0
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.jaeger.samplingParam="1.0"
 ```

@@ -78,14 +98,19 @@ _Required, Default="127.0.0.1:6831"_

 Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.jaeger]
    localAgentHostPort = "127.0.0.1:6831"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    localAgentHostPort: 127.0.0.1:6831
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.jaeger.localAgentHostPort="127.0.0.1:6831"
 ```

@@ -95,14 +120,19 @@ _Optional, Default=false_

 Generate 128-bit trace IDs, compatible with OpenCensus.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.jaeger]
    gen128Bit = true
 ```

+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    gen128Bit: true
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.jaeger.gen128Bit
 ```

@@ -116,14 +146,19 @@ This can be either:
 - `jaeger`, jaeger's default trace header.
 - `b3`, compatible with OpenZipkin

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.jaeger]
    propagation = "jaeger"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    propagation: jaeger
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.jaeger.propagation="jaeger"
 ```

@@ -134,13 +169,88 @@ _Required, Default="uber-trace-id"_
 Trace Context Header Name is the http header name used to propagate tracing context.
 This must be in lower-case to avoid mismatches when decoding incoming headers.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.jaeger]
    traceContextHeaderName = "uber-trace-id"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    traceContextHeaderName: uber-trace-id
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.jaeger.traceContextHeaderName="uber-trace-id"
 ```
+
+### `collector`
+#### `endpoint`
+
+_Optional, Default=""_
+
+Collector Endpoint instructs reporter to send spans to jaeger-collector at this URL.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    endpoint = "http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    collector:
+        endpoint: http://127.0.0.1:14268/api/traces?format=jaeger.thrift
+```
+
+```bash tab="CLI"
+--tracing.jaeger.collector.endpoint="http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
+```
+
+#### `user`
+
+_Optional, Default=""_
+
+User instructs reporter to include a user for basic http authentication when sending spans to jaeger-collector.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    user = "my-user"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    collector:
+        user: my-user
+```
+
+```bash tab="CLI"
+--tracing.jaeger.collector.user="my-user"
+```
+
+#### `password`
+
+_Optional, Default=""_
+
+Password instructs reporter to include a password for basic http authentication when sending spans to jaeger-collector.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    password = "my-password"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    collector:
+        password: my-password
+```
+
+```bash tab="CLI"
+--tracing.jaeger.collector.password="my-password"
+```
--- a/docs/content/observability/tracing/overview.md
+++ b/docs/content/observability/tracing/overview.md
@@ -11,7 +11,7 @@ Traefik supports five tracing backends:

 - [Jaeger](./jaeger.md)
 - [Zipkin](./zipkin.md)
- [DataDog](./datadog.md)
+- [Datadog](./datadog.md)
 - [Instana](./instana.md)
 - [Haystack](./haystack.md)

@@ -21,12 +21,16 @@ By default, Traefik uses Jaeger as tracing backend.

 To enable the tracing:

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
 ```

+```yaml tab="File (YAML)"
+tracing: {}
+```
+
 ```bash tab="CLI"
--tracing
+--tracing=true
 ```

 ### Common Options
@@ -37,13 +41,17 @@ _Required, Default="traefik"_

 Service name used in selected backend.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  serviceName = "traefik"
 ```

+```yaml tab="File (YAML)"
+tracing:
+  serviceName: traefik
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.serviceName="traefik"
 ```

@@ -56,12 +64,16 @@ This can prevent certain tracing providers to drop traces that exceed their leng

 `0` means no truncation will occur.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  spanNameLimit = 150
 ```

+```yaml tab="File (YAML)"
+tracing:
+  spanNameLimit: 150
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.spanNameLimit=150
 ```
--- a/docs/content/observability/tracing/zipkin.md
+++ b/docs/content/observability/tracing/zipkin.md
@@ -2,48 +2,40 @@

 To enable the Zipkin:

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.zipkin]
 ```

+```yaml tab="File (YAML)"
+tracing:
+  zipkin: {}
+```
+
 ```bash tab="CLI"
--tracing
--tracing.zipkin
+--tracing.zipkin=true
 ```

 #### `httpEndpoint`

-_Required, Default="http://localhost:9411/api/v1/spans"_
+_Required, Default="http://localhost:9411/api/v2/spans"_

 Zipkin HTTP endpoint used to send data.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.zipkin]
-    httpEndpoint = "http://localhost:9411/api/v1/spans"
+    httpEndpoint = "http://localhost:9411/api/v2/spans"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    httpEndpoint: http://localhost:9411/api/v2/spans
 ```

 ```bash tab="CLI"
--tracing
--tracing.zipkin.httpEndpoint="http://localhost:9411/api/v1/spans"
-```
-
-#### `debug`
-
-_Optional, Default=false_
-
-Enable Zipkin debug.
-
-```toml tab="File"
-[tracing]
-  [tracing.zipkin]
-    debug = true
-```
-
-```bash tab="CLI"
--tracing
--tracing.zipkin.debug=true
+--tracing.zipkin.httpEndpoint="http://localhost:9411/api/v2/spans"
 ```

 #### `sameSpan`
@@ -52,14 +44,19 @@ _Optional, Default=false_

 Use Zipkin SameSpan RPC style traces.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.zipkin]
    sameSpan = true
 ```

+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    sameSpan: true
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.zipkin.sameSpan=true
 ```

@@ -67,16 +64,21 @@ Use Zipkin SameSpan RPC style traces.

 _Optional, Default=true_

-Use Zipkin 128 bit root span IDs.
+Use Zipkin 128 bit trace IDs.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.zipkin]
    id128Bit = false
 ```

+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    id128Bit: false
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.zipkin.id128Bit=false
 ```

@@ -86,13 +88,18 @@ _Required, Default=1.0_

 The rate between 0.0 and 1.0 of requests to trace.

-```toml tab="File"
+```toml tab="File (TOML)"
 [tracing]
  [tracing.zipkin]
    sampleRate = 0.2
 ```

+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    sampleRate: 0.2
+```
+
 ```bash tab="CLI"
--tracing
 --tracing.zipkin.sampleRate="0.2"
-```
+```
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -14,9 +14,6 @@ In production, it should be at least secured by authentication and authorization
 A good sane default (non exhaustive) set of recommendations
 would be to apply the following protection mechanisms:

-* At the application level:  
-  securing with middlewares such as [basic authentication](../middlewares/basicauth.md) or [white listing](../middlewares/ipwhitelist.md).
-
 * At the transport level:  
  NOT publicly exposing the API's port,
  keeping it restricted to internal networks
@@ -24,14 +21,97 @@ would be to apply the following protection mechanisms:

 ## Configuration

+If you enable the API, a new special `service` named `api@internal` is created and then can be reference in a router.
+
 To enable the API handler:

-```toml tab="File"
+```toml tab="File (TOML)"
 [api]
 ```

+```yaml tab="File (YAML)"
+api: {}
+```
+
 ```bash tab="CLI"
--api
+--api=true
+```
+
+And then you will able to reference it like this.
+
+```yaml tab="Docker"
+  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.api.rule": "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  "traefik.http.routers.api.service": "api@internal"
+  "traefik.http.routers.api.middlewares": "auth"
+  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+    - "traefik.http.routers.api.service=api@internal"
+    - "traefik.http.routers.api.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+[http.routers.my-api]
+    rule="PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+    service="api@internal"
+    middlewares=["auth"]
+
+[http.middlewares.auth.basicAuth]
+    users = [
+        "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+        "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+      ]
+```
+
+```yaml tab="File (YAML)"
+http:
+  routers:
+    api:
+      rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+### `insecure`
+
+Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`.
+
+!!! Note
+    If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
+
+```toml tab="File (TOML)"
+[api]
+  insecure = true
+```
+
+```yaml tab="File (YAML)"
+api:
+  insecure: true
+```
+
+```bash tab="CLI"
+--api.insecure=true
 ```

 ### `dashboard`
@@ -40,44 +120,18 @@ _Optional, Default=true_

 Enable the dashboard. More about the dashboard features [here](./dashboard.md).

-```toml tab="File"
+```toml tab="File (TOML)"
 [api]
  dashboard = true
 ```

-```bash tab="CLI"
--api.dashboard
-```
-
-### `entrypoint`
-
-_Optional, Default="traefik"_
-
-The entry point that the API handler will be bound to.
-The default ("traefik") is an internal entry point (which is always defined).
-
-```toml tab="File"
-[api]
-  entrypoint = "web"
+```yaml tab="File (YAML)"
+api:
+  dashboard: true
 ```

 ```bash tab="CLI"
--api.entrypoint="web"
-```
-
-### `middlewares`
-
-_Optional, Default=empty_
-
-The list of [middlewares](../middlewares/overview.md) applied to the API handler.
-
-```toml tab="File"
-[api]
-  middlewares = ["api-auth", "api-prefix"]
-```
-
-```bash tab="CLI"
--api.middlewares="api-auth,api-prefix"
+--api.dashboard=true
 ```

 ### `debug`
@@ -86,11 +140,16 @@ _Optional, Default=false_

 Enable additional endpoints for debugging and profiling, served under `/debug/`.

-```toml tab="File"
+```toml tab="File (TOML)"
 [api]
  debug = true
 ```

+```yaml tab="File (YAML)"
+api:
+  debug: true
+```
+
 ```bash tab="CLI"
 --api.debug=true
 ```
@@ -111,6 +170,8 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                            |
 | `/api/tcp/services`            | Lists all the TCP services information.                                                   |
 | `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                           |
+| `/api/entrypoints`             | Lists all the entry points information.                                                   |
+| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                           |
 | `/api/version`                 | Returns information about Traefik version.                                                |
 | `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                        |
 | `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.     |
@@ -118,51 +179,3 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
 | `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.   |
 | `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.     |
-
-## Common Configuration Use Cases
-
-### Address / Port
-
-You can define a custom address/port like this:
-
-```toml
-[entryPoints]
-  [entryPoints.web]
-    address = ":80"
-
-  [entryPoints.foo]
-    address = ":8082"
-
-  [entryPoints.bar]
-    address = ":8083"
-
-[ping]
-  entryPoint = "foo"
-
-[api]
-  entryPoint = "bar"
-```
-
-In the above example, you would access a service at /foo, an api endpoint, or the health-check as follows:
-
-* Service: `http://hostname:80/foo`
-* API: `http://hostname:8083/api/http/routers`
-* Ping URL: `http://hostname:8082/ping`
-
-### Authentication
-
-To restrict access to the API handler, one can add authentication with the [basic auth middleware](../middlewares/basicauth.md).
-
-```toml
-[api]
-  middlewares=["api-auth"]
-```
-
-```toml
-[http.middlewares]
-  [http.middlewares.api-auth.basicAuth]
-    users = [
-      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-    ]
-```
--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -5,62 +5,54 @@ See What's Going On

 The dashboard is the central place that shows you the current active routes handled by Traefik. 

-!!! warning "Dashboard WIP"
-    Currently, the dashboard is in a Work In Progress State while being reconstructed for v2. 
-    Therefore, the dashboard is currently not working.
-
 <figure>
-    <img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
-    <figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
-</figure>
-
-<figure>
-    <img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
-    <figcaption>The dashboard shows the health of the system.</figcaption>
+    <img src="../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
+    <figcaption>The dashboard in action</figcaption>
 </figure>

 By default, the dashboard is available on `/` on port `:8080`.

 !!! tip "Did You Know?"
    It is possible to customize the dashboard endpoint. 
-    To learn how, refer to the `Traefik's API documentation`(TODO: add doc and link).
+    To learn how, refer to the [API documentation](./api.md)
    
 ## Enabling the Dashboard

 To enable the dashboard, you need to enable Traefik's API.

-??? example "Using the Command Line"
+```toml tab="File (TOML)"
+[api]
+  # Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  dashboard = true
+```

-    | Option          | Values          |         Default Value |
-    | --------------- | --------------- | --------------------: |
-    | --api           | \[true\|false\] |                 false |
-    | --api.dashboard | \[true\|false\] | true when api is true |
-    
-    {!more-on-command-line.md!}
+```yaml tab="File (YAML)"
+api:
+  # Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  dashboard: true
+```

-??? example "Using the Configuration File"
+```bash tab="CLI"
+# Dashboard
+#
+# Optional
+# Default: true
+#
+--api.dashboard=true
+```

-    ```toml
-    [api] 
-      # Dashboard
-      #
-      # Optional
-      # Default: true
-      #
-      dashboard = true
-    ```
-    
-    {!more-on-configuration-file.md!}
+{!more-on-command-line.md!}

-??? example "Using a Key/Value Store"
+{!more-on-configuration-file.md!}

-    | Key           | Values          |         Default Value |
-    | ------------- | --------------- | --------------------: |
-    | api           | \[true\|false\] |                 false |
-    | api.dashboard | \[true\|false\] | true when api is true |
-    
-    {!more-on-key-value-store.md!}
-    
 !!! tip "Did You Know?"
    The API provides more features than the Dashboard. 
-    To learn more about it, refer to the `Traefik's API documentation`(TODO: add doc and link).
+    To learn more about it, refer to the [API documentation](./api.md)
--- a/docs/content/operations/ping.md
+++ b/docs/content/operations/ping.md
@@ -5,32 +5,53 @@ Checking the Health of Your Traefik Instances

 ## Configuration Examples

-??? example "Enabling /ping"
+To enable the API handler:

-    ```toml
-    [ping]
-    ```
+```toml tab="File (TOML)"
+[ping]
+```

-??? example "Enabling /ping on a dedicated EntryPoint"
-    
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-      
-      [entryPoints.ping]
-        address = ":8082"
-    
-    [ping]
-      entryPoint = "ping"
-    ```
+```yaml tab="File (YAML)"
+ping: {}
+```

-| Path    | Method        | Description                                                                                         |
-|---------|---------------|-----------------------------------------------------------------------------------------------------|
-| `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
+```bash tab="CLI"
+--ping=true
+```

 ## Configuration Options

 The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.

-You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
+You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
+
+| Path    | Method        | Description                                                                                         |
+|---------|---------------|-----------------------------------------------------------------------------------------------------|
+| `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
+
+### `entryPoint`
+
+Enabling /ping on a dedicated EntryPoint.
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.ping]
+    address = ":8082"
+
+[ping]
+  entryPoint = "ping"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  ping:
+    address: ":8082"
+
+ping:
+  entryPoint: "ping"
+```
+
+```bash tab="CLI"
+--entryPoints.ping.address=":8082"
+--ping.entryPoint="ping"
+```
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -15,10 +15,18 @@ Attach labels to your containers and let Traefik do the rest!
 ??? example "Configuring Docker & Deploying / Exposing Services"

    Enabling the docker provider
-
-    ```toml
+    
+    ```toml tab="File (TOML)"
    [providers.docker]
-      endpoint = "unix:///var/run/docker.sock"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker: {}
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker=true
    ```

    Attaching labels to containers (in your docker compose file)
@@ -36,13 +44,28 @@ Attach labels to your containers and let Traefik do the rest!

    Enabling the docker provider (Swarm Mode)

-    ```toml
+    ```toml tab="File (TOML)"
    [providers.docker]
-    # swarm classic (1.12-)
-    # endpoint = "tcp://127.0.0.1:2375"
-    # docker swarm mode (1.12+)
-    endpoint = "tcp://127.0.0.1:2377"
-    swarmMode = true
+      # swarm classic (1.12-)
+      # endpoint = "tcp://127.0.0.1:2375"
+      # docker swarm mode (1.12+)
+      endpoint = "tcp://127.0.0.1:2377"
+      swarmMode = true
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        # swarm classic (1.12-)
+        # endpoint = "tcp://127.0.0.1:2375"
+        # docker swarm mode (1.12+)
+        endpoint: "tcp://127.0.0.1:2375"
+        swarmMode: true
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker.endpoint="tcp://127.0.0.1:2375"
+    --providers.docker.swarmMode=true
    ```

    Attach labels to services (not to containers) while in Swarm mode (in your docker compose file)
@@ -54,6 +77,7 @@ Attach labels to your containers and let Traefik do the rest!
        deploy:
          labels:
            - traefik.http.routers.my-container.rule=Host(`my-domain`)
+            - traefik.http.services.my-container-service.loadbalancer.server.port=8080
    ```

    !!! important "Labels in Docker Swarm Mode"
@@ -67,6 +91,23 @@ Attach labels to your containers and let Traefik do the rest!

 ### `endpoint`

+_Required, Default="unix:///var/run/docker.sock"_
+
+```toml tab="File (TOML)"
+[providers.docker]
+  endpoint = "unix:///var/run/docker.sock"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+```
+
+```bash tab="CLI"
+--providers.docker.endpoint="unix:///var/run/docker.sock"
+```
+
 Traefik requires access to the docker socket to get its dynamic configuration.

 ??? warning "Security Notes"
@@ -94,14 +135,10 @@ Traefik requires access to the docker socket to get its dynamic configuration.
    It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:

    - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
-
    - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
-
    - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
-
    - Accounting at container level, by exposing the socket on a another container than Traefik's.
      With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
-
    - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).

    ??? tip "Additional Resources"
@@ -133,19 +170,48 @@ Traefik requires access to the docker socket to get its dynamic configuration.

    We specify the docker.sock in traefik's configuration file.

-    ```toml
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "unix:///var/run/docker.sock"
+      # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        endpoint: "unix:///var/run/docker.sock"
+         # ...
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker.endpoint="unix:///var/run/docker.sock"
    # ...
-    [providers]
-      [providers.docker]
-        endpoint = "unix:///var/run/docker.sock"
    ```

-### `usebindportip`
+### `useBindPortIP`

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.docker]
+  useBindPortIP = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    useBindPortIP: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.useBindPortIP=true
+# ...
+```
+
 Traefik routes requests to the IP/Port of the matching container.
-When setting `usebindportip=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
+When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.

 When used in conjunction with the `traefik.http.services.XXX.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
 Traefik tries to find a binding on port `traefik.http.services.XXX.loadbalancer.server.port`.
@@ -171,12 +237,50 @@ but still uses the `traefik.http.services.XXX.loadbalancer.server.port` that is

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.docker]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.exposedByDefault=false
+# ...
+```
+
 Expose containers by default through Traefik.
 If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ### `network`

-_Optional_
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.docker]
+  network = "test"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    network: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.network=test
+# ...
+```

 Defines a default docker network to use for connections to all containers.

@@ -186,44 +290,105 @@ This option can be overridden on a container basis with the `traefik.docker.netw

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+```toml tab="File (TOML)"
+[providers.docker]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+# ...
+```
+
 For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
 It must be a valid [Go template](https://golang.org/pkg/text/template/),
 augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
 The container service name can be accessed as the `Name` identifier,
 and the template has access to all the labels defined on this container.

-```toml tab="File"
-[providers.docker]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
-
-```txt tab="CLI"
--providers.docker
--providers.docker.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-```
-
 ### `swarmMode`

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.docker]
+  swarmMode = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    swarmMode: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.swarmMode=true
+# ...
+```
+
 Activates the Swarm Mode.

 ### `swarmModeRefreshSeconds`

 _Optional, Default=15_

+```toml tab="File (TOML)"
+[providers.docker]
+  swarmModeRefreshSeconds = "30s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    swarmModeRefreshSeconds: "30s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.swarmModeRefreshSeconds=30s
+# ...
+```
+
 Defines the polling interval (in seconds) in Swarm Mode.

 ### `constraints`

 _Optional, Default=""_

+```toml tab="File (TOML)"
+[providers.docker]
+  constraints = "Label(`a.label.name`, `foo`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    constraints: "Label(`a.label.name`, `foo`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.constraints="Label(`a.label.name`, `foo`)"
+# ...
+```
+
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
 That is to say, if none of the container's labels match the expression, no route for the container is created.
 If the expression is empty, all detected containers are included.

-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.

 ??? example "Constraints Expression Examples"

@@ -254,9 +419,121 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp(
    
    ```toml
    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.docker.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.docker.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.docker.tls.cert=path/to/foo.cert
+--providers.docker.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.docker.tls.cert=path/to/foo.cert
+--providers.docker.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.docker.tls.insecureSkipVerify=true
+```
+
 ## Routing Configuration Options

 ### General
@@ -311,7 +588,7 @@ You can declare TCP Routers and/or Services using labels.
           # ...
           labels:
             - traefik.tcp.routers.my-router.rule="HostSNI(`my-host.com`)"
-             - traefik.tcp.routers.my-router.rule.tls="true"
+             - traefik.tcp.routers.my-router.tls="true"
             - traefik.tcp.services.my-service.loadbalancer.server.port="4123"
    ```

--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -6,7 +6,6 @@ Good Old Configuration File
 The file provider lets you define the [dynamic configuration](./overview.md) in a TOML or YAML file.
 You can write these configuration elements:

-* At the end of the main Traefik configuration file (by default: `traefik.toml`/`traefik.yml`/`traefik.yaml`).
 * In [a dedicated file](#filename)
 * In [several dedicated files](#directory)

@@ -22,13 +21,19 @@ You can write these configuration elements:

    Enabling the file provider:
    
-    ```toml tab="TOML"
+    ```toml tab="File (TOML)"
    [providers.file]
+      filename = "/my/path/to/dynamic-conf.toml"
    ```
    
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
    providers:
-      file: {}
+      file:
+        filename: "/my/path/to/dynamic-conf.yml"
+    ```
+    
+    ```bash tab="CLI"
+    --providers.file.filename=/my/path/to/dynamic_conf.toml
    ```
    
    Declaring Routers, Middlewares & Services:
@@ -41,7 +46,7 @@ You can write these configuration elements:
          entryPoints = ["web"]
          middlewares = ["my-basic-auth"]
          service = "service-foo"
-          rule = "Path(`foo`)"
+          rule = "Path(`/foo`)"
    
        # Add the middleware
        [http.middlewares]    
@@ -70,7 +75,7 @@ You can write these configuration elements:
          middlewares:
          - my-basic-auth
          service: service-foo
-          rule: Path(`foo`)
+          rule: Path(`/foo`)
      
      # Add the middleware
      middlewares:
@@ -102,16 +107,20 @@ _Optional_

 Defines the path of the configuration file.

-```toml tab="TOML"
+```toml tab="File (TOML)"
 [providers]
  [providers.file]
-    filename = "rules.toml"
+    filename = "dynamic_conf.toml"
 ```

-```yaml tab="YAML"
+```yaml tab="File (YAML)"
 providers:
  file:
-    filename: rules.yaml
+    filename: dynamic_conf.yml
+```
+
+```bash tab="CLI"
+--providers.file.filename=dynamic_conf.toml
 ```

 ### `directory`
@@ -120,18 +129,22 @@ _Optional_

 Defines the directory that contains the configuration files.

-```toml tab="TOML"
+```toml tab="File (TOML)"
 [providers]
  [providers.file]
    directory = "/path/to/config"
 ```

-```yaml tab="YAML"
+```yaml tab="File (YAML)"
 providers:
  file:
    directory: /path/to/config
 ```

+```bash tab="CLI"
+--providers.file.directory=/path/to/config
+```
+
 ### `watch`

 _Optional_
@@ -139,20 +152,25 @@ _Optional_
 Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.  
 It works with both the `filename` and the `directory` options.

-```toml tab="TOML"
+```toml tab="File (TOML)"
 [providers]
  [providers.file]
-    filename = "rules.toml"
+    filename = "dynamic_conf.toml"
    watch = true
 ```

-```yaml tab="YAML"
+```yaml tab="File (YAML)"
 providers:
  file:
-    filename: rules.yml
+    filename: dynamic_conf.yml
    watch: true
 ```

+```bash tab="CLI"
+--providers.file.filename=dynamic_conf.toml
+--providers.file.watch=true
+```
+
 ### Go Templating

 !!! warning
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -3,12 +3,7 @@
 The Kubernetes Ingress Controller, The Custom Resource Way.
 {: .subtitle }

-<!--
- TODO (Link "Kubernetes Ingress controller" to ./kubernetes-ingress.md)
- -->
-
-The Traefik Kubernetes provider used to be a Kubernetes Ingress controller in the strict sense of the term; that is to say,
-it would manage access to a cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
+Traefik used to support Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term.

 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
@@ -19,6 +14,23 @@ we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/co

 _Optional, Default=empty_

+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    endpoint = "http://localhost:8080"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.endpoint="http://localhost:8080"
+```
+
 The Kubernetes server endpoint as URL.

 When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
@@ -32,107 +44,149 @@ When the environment variables are not found, Traefik will try to connect to the
 In this case, the endpoint is required.
 Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.

-```toml tab="File"
-[providers.kubernetesCRD]
-  endpoint = "http://localhost:8080"
-  # ...
-```
-
-```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.endpoint="http://localhost:8080"
-```
-
 ### `token`

 _Optional, Default=empty_

-Bearer token used for the Kubernetes client configuration.
-
-```toml tab="File"
+```toml tab="File (TOML)"
 [providers.kubernetesCRD]
  token = "mytoken"
  # ...
 ```

-```txt tab="CLI"
--providers.kubernetescrd
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    token = "mytoken"
+    # ...
+```
+
+```bash tab="CLI"
 --providers.kubernetescrd.token="mytoken"
 ```

+Bearer token used for the Kubernetes client configuration.
+
 ### `certAuthFilePath`

 _Optional, Default=empty_

-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
-```toml tab="File"
+```toml tab="File (TOML)"
 [providers.kubernetesCRD]
  certAuthFilePath = "/my/ca.crt"
  # ...
 ```

-```txt tab="CLI"
--providers.kubernetescrd
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    certAuthFilePath: "/my/ca.crt"
+    # ...
+```
+
+```bash tab="CLI"
 --providers.kubernetescrd.certauthfilepath="/my/ca.crt"
 ```

+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
+
 ### `namespaces`

 _Optional, Default: all namespaces (empty array)_

-Array of namespaces to watch.
-
-```toml tab="File"
+```toml tab="File (TOML)"
 [providers.kubernetesCRD]
  namespaces = ["default", "production"]
  # ...
 ```

-```txt tab="CLI"
--providers.kubernetescrd
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    namespaces:
+    - "default"
+    - "production"
+    # ...
+```
+
+```bash tab="CLI"
 --providers.kubernetescrd.namespaces="default,production"
 ```

+Array of namespaces to watch.
+
 ### `labelselector`

 _Optional,Default: empty (process all Ingresses)_

+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  labelselector = "A and not B"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    labelselector: "A and not B"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.labelselector="A and not B"
+```
+
 By default, Traefik processes all Ingress objects in the configured namespaces.
 A label selector can be defined to filter on specific Ingress objects only.

 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.

-```toml tab="File"
-[providers.kubernetesCRD]
-  labelselector = "A and not B"
-  # ...
-```
-
-```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.labelselector="A and not B"
-```
-
 ### `ingressClass`

 _Optional, Default: empty_

+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  ingressClass = "traefik-internal"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    ingressClass: "traefik-internal"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.ingressclass="traefik-internal"
+```
+
 Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.

 If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
 Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.

-```toml tab="File"
+### `throttleDuration`
+
+_Optional, Default: 0 (no throttling)_
+
+```toml tab="File (TOML)"
 [providers.kubernetesCRD]
-  ingressClass = "traefik-internal"
+  throttleDuration = "10s"
  # ...
 ```

-```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.ingressclass="traefik-internal"
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    throttleDuration: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.throttleDuration="10s"
 ```

 ## Resource Configuration
@@ -165,11 +219,13 @@ spec:
    # "Parameter", etc, to support simpler forms of rule matching, but for now we
    # only support "Rule".
    kind: Rule
-    # Priority disambiguates rules of the same length, for route matching.
+    # (optional) Priority disambiguates rules of the same length, for route matching.
    priority: 12
    services:
    - name: whoami
      port: 80
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1

 ---
 apiVersion: traefik.containo.us/v1alpha1
@@ -258,7 +314,7 @@ metadata:
  namespace: default

 spec:
-  minversion: VersionTLS12
+  minVersion: VersionTLS12

 ---
 apiVersion: traefik.containo.us/v1alpha1
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -1,6 +1,331 @@
 # Traefik & Kubernetes

-Kubernetes Ingress.
+The Kubernetes Ingress Controller.
 {: .subtitle }

-TODO
+The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say,
+it manages access to a cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
+
+## Enabling and using the provider
+
+As usual, the provider is enabled through the static configuration:
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress: {}
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress=true
+```
+
+The provider then watches for incoming ingresses events, such as the example below, and derives the corresponding dynamic configuration from it, which in turn will create the resulting routers, services, handlers, etc.
+
+```yaml tab="File (YAML)"
+kind: Ingress
+apiVersion: extensions/v1beta1
+metadata:
+  name: "foo"
+  namespace: production
+
+spec:
+  rules:
+  - host: foo.com
+    http:
+      paths:
+      - path: /bar
+        backend:
+          serviceName: service1
+          servicePort: 80
+      - path: /foo
+        backend:
+          serviceName: service1
+          servicePort: 80
+```
+
+## Provider Configuration Options
+
+!!! tip "Browse the Reference"
+    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) configuration reference.
+
+### `endpoint`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    endpoint = "http://localhost:8080"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.endpoint="http://localhost:8080"
+```
+
+The Kubernetes server endpoint as URL, which is only used when the behavior based on environment variables described below does not apply.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+They are both provided automatically as mounts in the pod where Traefik is deployed.
+
+When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
+In which case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
+
+### `token`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  token = "mytoken"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    token = "mytoken"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.token="mytoken"
+```
+
+Bearer token used for the Kubernetes client configuration.
+
+### `certAuthFilePath`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  certAuthFilePath = "/my/ca.crt"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    certAuthFilePath: "/my/ca.crt"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.certauthfilepath="/my/ca.crt"
+```
+
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
+
+### `disablePassHostHeaders`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  disablePassHostHeaders = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    disablePassHostHeaders: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.disablepasshostheaders=true
+```
+
+Whether to disable PassHost Headers.
+
+### `namespaces`
+
+_Optional, Default: all namespaces (empty array)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  namespaces = ["default", "production"]
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    namespaces:
+    - "default"
+    - "production"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.namespaces="default,production"
+```
+
+Array of namespaces to watch.
+
+### `labelSelector`
+
+_Optional,Default: empty (process all Ingresses)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  labelSelector = "A and not B"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    labelselector: "A and not B"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.labelselector="A and not B"
+```
+
+By default, Traefik processes all Ingress objects in the configured namespaces.
+A label selector can be defined to filter on specific Ingress objects only.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
+
+### `ingressClass`
+
+_Optional, Default: empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  ingressClass = "traefik-internal"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressClass: "traefik-internal"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressclass="traefik-internal"
+```
+
+Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
+
+If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
+Otherwise, Ingresses missing the annotation, having an empty value, or with the value `traefik` are processed.
+
+### `ingressEndpoint`
+
+#### `hostname`
+
+_Optional, Default: empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  hostname = "foo.com"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressEndpoint:
+      hostname: "foo.com"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressendpoint.hostname="foo.com"
+```
+
+Hostname used for Kubernetes Ingress endpoints.
+
+#### `ip`
+
+_Optional, Default: empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  ip = "1.2.3.4"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressEndpoint:
+      ip: "1.2.3.4"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressendpoint.ip="1.2.3.4"
+```
+
+IP used for Kubernetes Ingress endpoints.
+
+#### `publishedService`
+
+_Optional, Default: empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  publishedService = "foo-service"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressEndpoint:
+      publishedService: "foo-service"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressendpoint.publishedservice="foo-service"
+```
+
+Published Kubernetes Service to copy status from.
+
+### `throttleDuration`
+
+_Optional, Default: 0 (no throttling)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  throttleDuration = "10s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    throttleDuration: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.throttleDuration="10s"
+```
+
+## Further
+
+If one wants to know more about the various aspects of the Ingress spec that Traefik supports, many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@@ -11,14 +11,17 @@ See also [Marathon user guide](../user-guides/marathon.md).

    Enabling the marathon provider

-    ```toml tab="File"
+    ```toml tab="File (TOML)"
    [providers.marathon]
-      endpoint = "http://127.0.0.1:8080"
    ```
    
-    ```txt tab="CLI"
-    --providers.marathon
-    --providers.marathon.endpoint="http://127.0.0.1:8080"
+    ```yaml tab="File (YAML)"
+    providers:
+      marathon: {}
+    ```
+    
+    ```bash tab="CLI"
+    --providers.marathon=true
    ```

    Attaching labels to marathon applications
@@ -55,43 +58,74 @@ See also [Marathon user guide](../user-guides/marathon.md).

 _Optional_

-Enables Marathon basic authentication.
-
-```toml tab="File"
+```toml tab="File (TOML)"
 [providers.marathon.basic]
  httpBasicAuthUser = "foo"
  httpBasicPassword = "bar"
 ```

-```txt tab="CLI"
--providers.marathon
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    basic:
+      httpBasicAuthUser: foo
+      httpBasicPassword: bar
+```
+
+```bash tab="CLI"
 --providers.marathon.basic.httpbasicauthuser="foo"
 --providers.marathon.basic.httpbasicpassword="bar"
 ```

+Enables Marathon basic authentication.
+
 ### `dcosToken`

 _Optional_

-DCOSToken for DCOS environment.
-
-If set, it overrides the Authorization header.
-
-```toml tab="File"
+```toml tab="File (TOML)"
 [providers.marathon]
  dcosToken = "xxxxxx"
  # ...
 ```

-```txt tab="CLI"
--providers.marathon
+```toml tab="File (YAML)"
+providers:
+  marathon:
+    dcosToken: "xxxxxx"
+    # ...
+```
+
+```bash tab="CLI"
 --providers.marathon.dcosToken="xxxxxx"
 ```

+DCOSToken for DCOS environment.
+
+If set, it overrides the Authorization header.
+
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+```toml tab="File (TOML)"
+[providers.marathon]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+# ...
+```
+
 For a given application if no routing rule was defined by a label, it is defined by this defaultRule instead.

 It must be a valid [Go template](https://golang.org/pkg/text/template/),
@@ -100,21 +134,27 @@ augmented with the [sprig template functions](http://masterminds.github.io/sprig
 The app ID can be accessed as the Name identifier,
 and the template has access to all the labels defined on this Marathon application.

-```toml tab="File"
-[providers.marathon]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
-
-```txt tab="CLI"
--providers.marathon
--providers.marathon.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-```
-
 ### `dialerTimeout`

 _Optional, Default=5s_

+```toml tab="File (TOML)"
+[providers.marathon]
+  dialerTimeout = "10s"
+  # ...
+```
+
+```toml tab="File (YAML)"
+providers:
+  marathon:
+    dialerTimeout: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.dialerTimeout=10s
+```
+
 Overrides DialerTimeout.

 Amount of time the Marathon provider should wait before timing out,
@@ -127,39 +167,83 @@ or directly as a number of seconds.

 _Optional, Default=http://127.0.0.1:8080_

-Marathon server endpoint.
-
-You can optionally specify multiple endpoints:
-
-```toml tab="File"
+```toml tab="File (TOML)"
 [providers.marathon]
  endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
  # ...
 ```

-```txt tab="CLI"
--providers.marathon
+```toml tab="File (YAML)"
+providers:
+  marathon:
+    endpoint: "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+    # ...
+```
+
+```bash tab="CLI"
 --providers.marathon.endpoint="http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
 ```

+Marathon server endpoint.
+
+You can optionally specify multiple endpoints:
+
 ### `exposedByDefault`

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.marathon]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.exposedByDefault=false
+# ...
+```
+
 Exposes Marathon applications by default through Traefik.

 If set to false, applications that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ### `constraints`

 _Optional, Default=""_

+```toml tab="File (TOML)"
+[providers.marathon]
+  constraints = "Label(`a.label.name`, `foo`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    constraints: "Label(`a.label.name`, `foo`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.constraints="Label(`a.label.name`, `foo`)"
+# ...
+```
+
 Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
 That is to say, if none of the application's labels match the expression, no route for the application is created.
 In addition, the expression also matched against the application's constraints, such as described in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
 If the expression is empty, all detected applications are included.

-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")`, as well as the usual boolean logic.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")`, as well as the usual boolean logic.
 In addition, to match against marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are joined together in a single string with the `:` separator.

 ??? example "Constraints Expression Examples"
@@ -191,7 +275,7 @@ In addition, to match against marathon constraints, the function `MarathonConstr
    
    ```toml
    # Includes only applications having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

    ```toml
@@ -204,10 +288,30 @@ In addition, to match against marathon constraints, the function `MarathonConstr
    constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)"
    ```

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ### `forceTaskHostname`

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.marathon]
+  forceTaskHostname = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    forceTaskHostname: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.forceTaskHostname=true
+# ...
+```
+
 By default, a task's IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
 otherwise, the name of the host running the task is used.
 The latter behavior can be enforced by enabling this switch.
@@ -216,6 +320,24 @@ The latter behavior can be enforced by enabling this switch.

 _Optional, Default=10s_

+```toml tab="File (TOML)"
+[providers.marathon]
+  keepAlive = "30s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    keepAlive: "30s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.keepAlive=30s
+# ...
+```
+
 Set the TCP Keep Alive interval for the Marathon HTTP Client.
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
 or directly as a number of seconds.
@@ -224,6 +346,24 @@ or directly as a number of seconds.

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.marathon]
+  respectReadinessChecks = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    respectReadinessChecks: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.respectReadinessChecks=true
+# ...
+```
+
 Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
 Enabling respectReadinessChecks causes Traefik to filter out tasks whose readiness checks have not succeeded.
 Note that the checks are only valid at deployment times.
@@ -234,39 +374,164 @@ See the Marathon guide for details.

 _Optional, Default=60s_

+```toml tab="File (TOML)"
+[providers.marathon]
+  responseHeaderTimeout = "66s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    responseHeaderTimeout: "66s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.responseHeaderTimeout="66s"
+# ...
+```
+
 Overrides ResponseHeaderTimeout.
 Amount of time the Marathon provider should wait before timing out,
 when waiting for the first response header from a Marathon master.

 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), or directly as a number of seconds.

-### `TLS`
+### `tls`

 _Optional_

-TLS client configuration. [tls/#Config](https://golang.org/pkg/crypto/tls/#Config).
+#### `tls.ca`

-```toml tab="File"
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.cert=path/to/foo.cert
+--providers.marathon.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.cert=path/to/foo.cert
+--providers.marathon.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+TODO add description.
+
+```toml tab="File (TOML)"
 [providers.marathon.tls]
-  ca = "/etc/ssl/ca.crt"
-  cert = "/etc/ssl/marathon.cert"
-  key = "/etc/ssl/marathon.key"
  insecureSkipVerify = true
 ```

-```txt tab="CLI"
--providers.marathon.tls
--providers.marathon.tls.ca="/etc/ssl/ca.crt"
--providers.marathon.tls.cert="/etc/ssl/marathon.cert"
--providers.marathon.tls.key="/etc/ssl/marathon.key"
--providers.marathon.tls.insecureskipverify=true
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      insecureSkipVerify: true
 ```

-### `TLSHandshakeTimeout`
+```bash tab="CLI"
+--providers.marathon.tls.insecureSkipVerify=true
+```
+
+### `tlsHandshakeTimeout`

 _Optional, Default=5s_

+```toml tab="File (TOML)"
+[providers.marathon]
+  responseHeaderTimeout = "10s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    responseHeaderTimeout: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.responseHeaderTimeout="10s"
+# ...
+```
+
 Overrides TLSHandshakeTimeout.
+
 Amount of time the Marathon provider should wait before timing out,
 when waiting for the TLS handshake to complete.
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
@@ -276,12 +541,48 @@ or directly as a number of seconds.

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.marathon]
+  trace = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    trace: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.trace=true
+# ...
+```
+
 Displays additional provider logs (if available).

 ### `watch`

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.marathon]
+  watch = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    watch: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.watch=false
+# ...
+```
+
 Enables watching for Marathon changes.

 ## Routing Configuration Options
--- a/docs/content/providers/rancher.md
+++ b/docs/content/providers/rancher.md
@@ -18,9 +18,18 @@ Attach labels to your services and let Traefik do the rest!

    Enabling the rancher provider

-    ```toml
+    ```toml tab="File (TOML)"
    [providers.rancher]
    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      rancher: {}
+    ```
+    
+    ```bash tab="CLI"
+    --providers.rancher=true
+    ```

    Attaching labels to services

@@ -34,21 +43,69 @@ Attach labels to your services and let Traefik do the rest!
 ??? tip "Browse the Reference"
    If you're in a hurry, maybe you'd rather go through the configuration reference:
    
-    ```toml
+    ```toml tab="File (TOML)"
    --8<-- "content/providers/rancher.toml"
    ```
+    
+    ```yaml tab="File (YAML)"
+    --8<-- "content/providers/rancher.yml"
+    ```
+    
+    ```bash tab="CLI"
+    --8<-- "content/providers/rancher.txt"
+    ```

-### `ExposedByDefault`
+List of all available labels for the [dynamic](../reference/dynamic-configuration/rancher.md) configuration references.
+
+### `exposedByDefault`

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.rancher]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.exposedByDefault=false
+# ...
+```
+
 Expose Rancher services by default in Traefik.
 If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.

-### `DefaultRule`
+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+```toml tab="File (TOML)"
+[providers.rancher]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+# ...
+```
+
 The default host rule for all services.

 For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
@@ -57,53 +114,132 @@ augmented with the [sprig template functions](http://masterminds.github.io/sprig
 The service name can be accessed as the `Name` identifier,
 and the template has access to all the labels defined on this container.

-```toml tab="File"
-[providers.rancher]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
-
-```txt tab="CLI"
--providers.rancher
--providers.rancher.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-```
-
 This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.

-### `EnableServiceHealthFilter`
+### `enableServiceHealthFilter`

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.rancher]
+  enableServiceHealthFilter = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    enableServiceHealthFilter: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.enableServiceHealthFilter=false
+# ...
+```
+
 Filter services with unhealthy states and inactive states.

-### `RefreshSeconds`
+### `refreshSeconds`

 _Optional, Default=15_

+```toml tab="File (TOML)"
+[providers.rancher]
+  refreshSeconds = 30
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    refreshSeconds: 30
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.refreshSeconds=30
+# ...
+```
+
 Defines the polling interval (in seconds).

-### `IntervalPoll`
+### `intervalPoll`

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.rancher]
+  intervalPoll = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    intervalPoll: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.intervalPoll=true
+# ...
+```
+
 Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
 which is less accurate than the default long polling technique which will provide near instantaneous updates to Traefik.

-### `Prefix`
+### `prefix`

 _Optional, Default=/latest_

+```toml tab="File (TOML)"
+[providers.rancher]
+  prefix = "/test"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    prefix: "/test"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.prefix="/test"
+# ...
+```
+
 Prefix used for accessing the Rancher metadata service

 ### `constraints`

 _Optional, Default=""_

+```toml tab="File (TOML)"
+[providers.rancher]
+  constraints = "Label(`a.label.name`, `foo`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    constraints: "Label(`a.label.name`, `foo`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.constraints="Label(`a.label.name`, `foo`)"
+# ...
+```
+
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
 That is to say, if none of the container's labels match the expression, no route for the container is created.
 If the expression is empty, all detected containers are included.

-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.

 ??? example "Constraints Expression Examples"

@@ -134,9 +270,11 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp(
    
    ```toml
    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ## Routing Configuration Options

 ### General
--- a/docs/content/providers/rancher.toml
+++ b/docs/content/providers/rancher.toml
@@ -11,7 +11,7 @@
  enableServiceHealthFilter = true

  # Defines the polling interval (in seconds).
-  refreshSeconds = true
+  refreshSeconds = 15

  # Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
  intervalPoll = false
--- a/docs/content/providers/rancher.txt
+++ b/docs/content/providers/rancher.txt
@@ -0,0 +1,20 @@
+# Enable Rancher Provider.
+--providers.rancher=true
+
+# Expose Rancher services by default in Traefik.
+--providers.rancher.exposedByDefault=true
+
+# Enable watch Rancher changes.
+--providers.rancher.watch=true
+
+# Filter services with unhealthy states and inactive states.
+--providers.rancher.enableServiceHealthFilter=true
+
+# Defines the polling interval (in seconds).
+--providers.rancher.refreshSeconds=15
+
+# Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
+--providers.rancher.intervalPoll=false
+
+# Prefix used for accessing the Rancher metadata service
+--providers.rancher.prefix="/latest"
--- a/docs/content/providers/rancher.yml
+++ b/docs/content/providers/rancher.yml
@@ -0,0 +1,21 @@
+# Enable Rancher Provider.
+providers:
+  rancher:
+
+  # Expose Rancher services by default in Traefik.
+  exposedByDefault: true
+
+  # Enable watch Rancher changes.
+  watch: true
+
+  # Filter services with unhealthy states and inactive states.
+  enableServiceHealthFilter: true
+
+  # Defines the polling interval (in seconds).
+  refreshSeconds: 15
+
+  # Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
+  intervalPoll: false
+
+  # Prefix used for accessing the Rancher metadata service
+  prefix: "/latest"
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -0,0 +1,187 @@
+- "traefik.http.middlewares.middleware00.addprefix.prefix=foobar"
+- "traefik.http.middlewares.middleware01.basicauth.headerfield=foobar"
+- "traefik.http.middlewares.middleware01.basicauth.realm=foobar"
+- "traefik.http.middlewares.middleware01.basicauth.removeheader=true"
+- "traefik.http.middlewares.middleware01.basicauth.users=foobar, foobar"
+- "traefik.http.middlewares.middleware01.basicauth.usersfile=foobar"
+- "traefik.http.middlewares.middleware02.buffering.maxrequestbodybytes=42"
+- "traefik.http.middlewares.middleware02.buffering.maxresponsebodybytes=42"
+- "traefik.http.middlewares.middleware02.buffering.memrequestbodybytes=42"
+- "traefik.http.middlewares.middleware02.buffering.memresponsebodybytes=42"
+- "traefik.http.middlewares.middleware02.buffering.retryexpression=foobar"
+- "traefik.http.middlewares.middleware03.chain.middlewares=foobar, foobar"
+- "traefik.http.middlewares.middleware04.circuitbreaker.expression=foobar"
+- "traefik.http.middlewares.middleware05.compress=true"
+- "traefik.http.middlewares.middleware06.digestauth.headerfield=foobar"
+- "traefik.http.middlewares.middleware06.digestauth.realm=foobar"
+- "traefik.http.middlewares.middleware06.digestauth.removeheader=true"
+- "traefik.http.middlewares.middleware06.digestauth.users=foobar, foobar"
+- "traefik.http.middlewares.middleware06.digestauth.usersfile=foobar"
+- "traefik.http.middlewares.middleware07.errors.query=foobar"
+- "traefik.http.middlewares.middleware07.errors.service=foobar"
+- "traefik.http.middlewares.middleware07.errors.status=foobar, foobar"
+- "traefik.http.middlewares.middleware08.forwardauth.address=foobar"
+- "traefik.http.middlewares.middleware08.forwardauth.authresponseheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware08.forwardauth.tls.ca=foobar"
+- "traefik.http.middlewares.middleware08.forwardauth.tls.caoptional=true"
+- "traefik.http.middlewares.middleware08.forwardauth.tls.cert=foobar"
+- "traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify=true"
+- "traefik.http.middlewares.middleware08.forwardauth.tls.key=foobar"
+- "traefik.http.middlewares.middleware08.forwardauth.trustforwardheader=true"
+- "traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials=true"
+- "traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods=foobar, foobar"
+- "traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin=foobar"
+- "traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware09.headers.accesscontrolmaxage=42"
+- "traefik.http.middlewares.middleware09.headers.addvaryheader=true"
+- "traefik.http.middlewares.middleware09.headers.allowedhosts=foobar, foobar"
+- "traefik.http.middlewares.middleware09.headers.browserxssfilter=true"
+- "traefik.http.middlewares.middleware09.headers.contentsecuritypolicy=foobar"
+- "traefik.http.middlewares.middleware09.headers.contenttypenosniff=true"
+- "traefik.http.middlewares.middleware09.headers.custombrowserxssvalue=foobar"
+- "traefik.http.middlewares.middleware09.headers.customframeoptionsvalue=foobar"
+- "traefik.http.middlewares.middleware09.headers.customrequestheaders.name0=foobar"
+- "traefik.http.middlewares.middleware09.headers.customrequestheaders.name1=foobar"
+- "traefik.http.middlewares.middleware09.headers.customresponseheaders.name0=foobar"
+- "traefik.http.middlewares.middleware09.headers.customresponseheaders.name1=foobar"
+- "traefik.http.middlewares.middleware09.headers.featurepolicy=foobar"
+- "traefik.http.middlewares.middleware09.headers.forcestsheader=true"
+- "traefik.http.middlewares.middleware09.headers.framedeny=true"
+- "traefik.http.middlewares.middleware09.headers.hostsproxyheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware09.headers.isdevelopment=true"
+- "traefik.http.middlewares.middleware09.headers.publickey=foobar"
+- "traefik.http.middlewares.middleware09.headers.referrerpolicy=foobar"
+- "traefik.http.middlewares.middleware09.headers.sslforcehost=true"
+- "traefik.http.middlewares.middleware09.headers.sslhost=foobar"
+- "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0=foobar"
+- "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1=foobar"
+- "traefik.http.middlewares.middleware09.headers.sslredirect=true"
+- "traefik.http.middlewares.middleware09.headers.ssltemporaryredirect=true"
+- "traefik.http.middlewares.middleware09.headers.stsincludesubdomains=true"
+- "traefik.http.middlewares.middleware09.headers.stspreload=true"
+- "traefik.http.middlewares.middleware09.headers.stsseconds=42"
+- "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware10.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.http.middlewares.middleware11.inflightreq.amount=42"
+- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.sans=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber=true"
+- "traefik.http.middlewares.middleware12.passtlsclientcert.pem=true"
+- "traefik.http.middlewares.middleware13.ratelimit.average=42"
+- "traefik.http.middlewares.middleware13.ratelimit.burst=42"
+- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware14.redirectregex.permanent=true"
+- "traefik.http.middlewares.middleware14.redirectregex.regex=foobar"
+- "traefik.http.middlewares.middleware14.redirectregex.replacement=foobar"
+- "traefik.http.middlewares.middleware15.redirectscheme.permanent=true"
+- "traefik.http.middlewares.middleware15.redirectscheme.port=foobar"
+- "traefik.http.middlewares.middleware15.redirectscheme.scheme=foobar"
+- "traefik.http.middlewares.middleware16.replacepath.path=foobar"
+- "traefik.http.middlewares.middleware17.replacepathregex.regex=foobar"
+- "traefik.http.middlewares.middleware17.replacepathregex.replacement=foobar"
+- "traefik.http.middlewares.middleware18.retry.attempts=42"
+- "traefik.http.middlewares.middleware19.stripprefix.prefixes=foobar, foobar"
+- "traefik.http.middlewares.middleware20.stripprefixregex.regex=foobar, foobar"
+- "traefik.http.routers.router0.entrypoints=foobar, foobar"
+- "traefik.http.routers.router0.middlewares=foobar, foobar"
+- "traefik.http.routers.router0.priority=42"
+- "traefik.http.routers.router0.rule=foobar"
+- "traefik.http.routers.router0.service=foobar"
+- "traefik.http.routers.router0.tls=true"
+- "traefik.http.routers.router0.tls.certresolver=foobar"
+- "traefik.http.routers.router0.tls.domains[0].main=foobar"
+- "traefik.http.routers.router0.tls.domains[0].sans=foobar, foobar"
+- "traefik.http.routers.router0.tls.domains[1].main=foobar"
+- "traefik.http.routers.router0.tls.domains[1].sans=foobar, foobar"
+- "traefik.http.routers.router0.tls.options=foobar"
+- "traefik.http.routers.router1.entrypoints=foobar, foobar"
+- "traefik.http.routers.router1.middlewares=foobar, foobar"
+- "traefik.http.routers.router1.priority=42"
+- "traefik.http.routers.router1.rule=foobar"
+- "traefik.http.routers.router1.service=foobar"
+- "traefik.http.routers.router1.tls=true"
+- "traefik.http.routers.router1.tls.certresolver=foobar"
+- "traefik.http.routers.router1.tls.domains[0].main=foobar"
+- "traefik.http.routers.router1.tls.domains[0].sans=foobar, foobar"
+- "traefik.http.routers.router1.tls.domains[1].main=foobar"
+- "traefik.http.routers.router1.tls.domains[1].sans=foobar, foobar"
+- "traefik.http.routers.router1.tls.options=foobar"
+- "traefik.http.services.service0.loadbalancer.healthcheck.headers.name0=foobar"
+- "traefik.http.services.service0.loadbalancer.healthcheck.headers.name1=foobar"
+- "traefik.http.services.service0.loadbalancer.healthcheck.hostname=foobar"
+- "traefik.http.services.service0.loadbalancer.healthcheck.interval=foobar"
+- "traefik.http.services.service0.loadbalancer.healthcheck.path=foobar"
+- "traefik.http.services.service0.loadbalancer.healthcheck.port=42"
+- "traefik.http.services.service0.loadbalancer.healthcheck.scheme=foobar"
+- "traefik.http.services.service0.loadbalancer.healthcheck.timeout=foobar"
+- "traefik.http.services.service0.loadbalancer.passhostheader=true"
+- "traefik.http.services.service0.loadbalancer.responseforwarding.flushinterval=foobar"
+- "traefik.http.services.service0.loadbalancer.sticky=true"
+- "traefik.http.services.service0.loadbalancer.sticky.cookie.httponly=true"
+- "traefik.http.services.service0.loadbalancer.sticky.cookie.name=foobar"
+- "traefik.http.services.service0.loadbalancer.sticky.cookie.secure=true"
+- "traefik.http.services.service0.loadbalancer.server.port=foobar"
+- "traefik.http.services.service0.loadbalancer.server.scheme=foobar"
+- "traefik.http.services.service1.loadbalancer.healthcheck.headers.name0=foobar"
+- "traefik.http.services.service1.loadbalancer.healthcheck.headers.name1=foobar"
+- "traefik.http.services.service1.loadbalancer.healthcheck.hostname=foobar"
+- "traefik.http.services.service1.loadbalancer.healthcheck.interval=foobar"
+- "traefik.http.services.service1.loadbalancer.healthcheck.path=foobar"
+- "traefik.http.services.service1.loadbalancer.healthcheck.port=42"
+- "traefik.http.services.service1.loadbalancer.healthcheck.scheme=foobar"
+- "traefik.http.services.service1.loadbalancer.healthcheck.timeout=foobar"
+- "traefik.http.services.service1.loadbalancer.passhostheader=true"
+- "traefik.http.services.service1.loadbalancer.responseforwarding.flushinterval=foobar"
+- "traefik.http.services.service1.loadbalancer.sticky=true"
+- "traefik.http.services.service1.loadbalancer.sticky.cookie.httponly=true"
+- "traefik.http.services.service1.loadbalancer.sticky.cookie.name=foobar"
+- "traefik.http.services.service1.loadbalancer.sticky.cookie.secure=true"
+- "traefik.http.services.service1.loadbalancer.server.port=foobar"
+- "traefik.http.services.service1.loadbalancer.server.scheme=foobar"
+- "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
+- "traefik.tcp.routers.tcprouter0.rule=foobar"
+- "traefik.tcp.routers.tcprouter0.service=foobar"
+- "traefik.tcp.routers.tcprouter0.tls=true"
+- "traefik.tcp.routers.tcprouter0.tls.certresolver=foobar"
+- "traefik.tcp.routers.tcprouter0.tls.domains[0].main=foobar"
+- "traefik.tcp.routers.tcprouter0.tls.domains[0].sans=foobar, foobar"
+- "traefik.tcp.routers.tcprouter0.tls.domains[1].main=foobar"
+- "traefik.tcp.routers.tcprouter0.tls.domains[1].sans=foobar, foobar"
+- "traefik.tcp.routers.tcprouter0.tls.options=foobar"
+- "traefik.tcp.routers.tcprouter0.tls.passthrough=true"
+- "traefik.tcp.routers.tcprouter1.entrypoints=foobar, foobar"
+- "traefik.tcp.routers.tcprouter1.rule=foobar"
+- "traefik.tcp.routers.tcprouter1.service=foobar"
+- "traefik.tcp.routers.tcprouter1.tls=true"
+- "traefik.tcp.routers.tcprouter1.tls.certresolver=foobar"
+- "traefik.tcp.routers.tcprouter1.tls.domains[0].main=foobar"
+- "traefik.tcp.routers.tcprouter1.tls.domains[0].sans=foobar, foobar"
+- "traefik.tcp.routers.tcprouter1.tls.domains[1].main=foobar"
+- "traefik.tcp.routers.tcprouter1.tls.domains[1].sans=foobar, foobar"
+- "traefik.tcp.routers.tcprouter1.tls.options=foobar"
+- "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
+- "traefik.tcp.services.tcpservice0.loadbalancer.server.port=foobar"
+- "traefik.tcp.services.tcpservice1.loadbalancer.server.port=foobar"
--- a/docs/content/reference/dynamic-configuration/docker.md
+++ b/docs/content/reference/dynamic-configuration/docker.md
@@ -6,5 +6,7 @@ Dynamic configuration with Docker Labels
 The labels are case insensitive.

 ```yaml
--8<-- "content/reference/dynamic-configuration/labels.yml"
+labels:
+  --8<-- "content/reference/dynamic-configuration/docker.yml"
+  --8<-- "content/reference/dynamic-configuration/docker-labels.yml"
 ```
--- a/docs/content/reference/dynamic-configuration/docker.yml
+++ b/docs/content/reference/dynamic-configuration/docker.yml
@@ -0,0 +1,3 @@
+- "traefik.enable=true"
+- "traefik.docker.network=foobar"
+- "traefik.docker.lbswarm=true"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -7,126 +7,137 @@
      rule = "foobar"
      priority = 42
      [http.routers.Router0.tls]
-        options = "TLS0"
+        options = "foobar"
+        certResolver = "foobar"
+
+        [[http.routers.Router0.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
+
+        [[http.routers.Router0.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
+    [http.routers.Router1]
+      entryPoints = ["foobar", "foobar"]
+      middlewares = ["foobar", "foobar"]
+      service = "foobar"
+      rule = "foobar"
+      priority = 42
+      [http.routers.Router1.tls]
+        options = "foobar"
+        certResolver = "foobar"
+
+        [[http.routers.Router1.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
+
+        [[http.routers.Router1.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
+  [http.services]
+    [http.services.Service01]
+      [http.services.Service01.loadBalancer]
+        passHostHeader = true
+        [http.services.Service01.loadBalancer.sticky]
+          [http.services.Service01.loadBalancer.sticky.cookie]
+            name = "foobar"
+            secure = true
+            httpOnly = true
+
+        [[http.services.Service01.loadBalancer.servers]]
+          url = "foobar"
+
+        [[http.services.Service01.loadBalancer.servers]]
+          url = "foobar"
+        [http.services.Service01.loadBalancer.healthCheck]
+          scheme = "foobar"
+          path = "foobar"
+          port = 42
+          interval = "foobar"
+          timeout = "foobar"
+          hostname = "foobar"
+          [http.services.Service01.loadBalancer.healthCheck.headers]
+            name0 = "foobar"
+            name1 = "foobar"
+        [http.services.Service01.loadBalancer.responseForwarding]
+          flushInterval = "foobar"
+    [http.services.Service02]
+      [http.services.Service02.mirroring]
+        service = "foobar"
+
+        [[http.services.Service02.mirroring.mirrors]]
+          name = "foobar"
+          percent = 42
+
+        [[http.services.Service02.mirroring.mirrors]]
+          name = "foobar"
+          percent = 42
+    [http.services.Service03]
+      [http.services.Service03.weighted]
+
+        [[http.services.Service03.weighted.services]]
+          name = "foobar"
+          weight = 42
+
+        [[http.services.Service03.weighted.services]]
+          name = "foobar"
+          weight = 42
+        [http.services.Service03.weighted.sticky]
+          [http.services.Service03.weighted.sticky.cookie]
+            name = "foobar"
+            secure = true
+            httpOnly = true
  [http.middlewares]
-    [http.middlewares.Middleware0]
-      [http.middlewares.Middleware0.addPrefix]
+    [http.middlewares.Middleware00]
+      [http.middlewares.Middleware00.addPrefix]
        prefix = "foobar"
-    [http.middlewares.Middleware1]
-      [http.middlewares.Middleware1.stripPrefix]
-        prefixes = ["foobar", "foobar"]
-    [http.middlewares.Middleware10]
-      [http.middlewares.Middleware10.rateLimit]
-        extractorFunc = "foobar"
-        [http.middlewares.Middleware10.rateLimit.rateSet]
-          [http.middlewares.Middleware10.rateLimit.rateSet.Rate0]
-            period = 42
-            average = 42
-            burst = 42
-          [http.middlewares.Middleware10.rateLimit.rateSet.Rate1]
-            period = 42
-            average = 42
-            burst = 42
-    [http.middlewares.Middleware11]
-      [http.middlewares.Middleware11.redirectRegex]
-        regex = "foobar"
-        replacement = "foobar"
-        permanent = true
-    [http.middlewares.Middleware12]
-      [http.middlewares.Middleware12.redirectScheme]
-        scheme = "foobar"
-        port = "foobar"
-        permanent = true
-    [http.middlewares.Middleware13]
-      [http.middlewares.Middleware13.basicAuth]
+    [http.middlewares.Middleware01]
+      [http.middlewares.Middleware01.basicAuth]
        users = ["foobar", "foobar"]
        usersFile = "foobar"
        realm = "foobar"
        removeHeader = true
        headerField = "foobar"
-    [http.middlewares.Middleware14]
-      [http.middlewares.Middleware14.digestAuth]
-        users = ["foobar", "foobar"]
-        usersFile = "foobar"
-        removeHeader = true
-        realm = "foobar"
-        headerField = "foobar"
-    [http.middlewares.Middleware15]
-      [http.middlewares.Middleware15.forwardAuth]
-        address = "foobar"
-        trustForwardHeader = true
-        authResponseHeaders = ["foobar", "foobar"]
-        [http.middlewares.Middleware15.forwardAuth.tls]
-          ca = "foobar"
-          caOptional = true
-          cert = "foobar"
-          key = "foobar"
-          insecureSkipVerify = true
-    [http.middlewares.Middleware16]
-      [http.middlewares.Middleware16.maxConn]
-        amount = 42
-        extractorFunc = "foobar"
-    [http.middlewares.Middleware17]
-      [http.middlewares.Middleware17.buffering]
+    [http.middlewares.Middleware02]
+      [http.middlewares.Middleware02.buffering]
        maxRequestBodyBytes = 42
        memRequestBodyBytes = 42
        maxResponseBodyBytes = 42
        memResponseBodyBytes = 42
        retryExpression = "foobar"
-    [http.middlewares.Middleware18]
-      [http.middlewares.Middleware18.circuitBreaker]
-        expression = "foobar"
-    [http.middlewares.Middleware19]
-      [http.middlewares.Middleware19.compress]
-    [http.middlewares.Middleware2]
-      [http.middlewares.Middleware2.stripPrefixRegex]
-        regex = ["foobar", "foobar"]
-    [http.middlewares.Middleware20]
-      [http.middlewares.Middleware20.passTLSClientCert]
-        pem = true
-        [http.middlewares.Middleware20.passTLSClientCert.info]
-          notAfter = true
-          notBefore = true
-          sans = true
-          [http.middlewares.Middleware20.passTLSClientCert.info.subject]
-            country = true
-            province = true
-            locality = true
-            organization = true
-            commonName = true
-            serialNumber = true
-            domainComponent = true
-          [http.middlewares.Middleware20.passTLSClientCert.info.issuer]
-            country = true
-            province = true
-            locality = true
-            organization = true
-            commonName = true
-            serialNumber = true
-            domainComponent = true
-    [http.middlewares.Middleware21]
-      [http.middlewares.Middleware21.retry]
-        attemps = 42
-    [http.middlewares.Middleware3]
-      [http.middlewares.Middleware3.replacePath]
-        path = "foobar"
-    [http.middlewares.Middleware4]
-      [http.middlewares.Middleware4.replacePathRegex]
-        regex = "foobar"
-        replacement = "foobar"
-    [http.middlewares.Middleware5]
-      [http.middlewares.Middleware5.chain]
+    [http.middlewares.Middleware03]
+      [http.middlewares.Middleware03.chain]
        middlewares = ["foobar", "foobar"]
-    [http.middlewares.Middleware6]
-      [http.middlewares.Middleware6.ipWhiteList]
-        sourceRange = ["foobar", "foobar"]
-    [http.middlewares.Middleware7]
-      [http.middlewares.Middleware7.ipWhiteList]
-        [http.middlewares.Middleware7.ipWhiteList.ipStrategy]
-          depth = 42
-          excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware8]
-      [http.middlewares.Middleware8.headers]
+    [http.middlewares.Middleware04]
+      [http.middlewares.Middleware04.circuitBreaker]
+        expression = "foobar"
+    [http.middlewares.Middleware05]
+      [http.middlewares.Middleware05.compress]
+    [http.middlewares.Middleware06]
+      [http.middlewares.Middleware06.digestAuth]
+        users = ["foobar", "foobar"]
+        usersFile = "foobar"
+        removeHeader = true
+        realm = "foobar"
+        headerField = "foobar"
+    [http.middlewares.Middleware07]
+      [http.middlewares.Middleware07.errors]
+        status = ["foobar", "foobar"]
+        service = "foobar"
+        query = "foobar"
+    [http.middlewares.Middleware08]
+      [http.middlewares.Middleware08.forwardAuth]
+        address = "foobar"
+        trustForwardHeader = true
+        authResponseHeaders = ["foobar", "foobar"]
+        [http.middlewares.Middleware08.forwardAuth.tls]
+          ca = "foobar"
+          caOptional = true
+          cert = "foobar"
+          key = "foobar"
+          insecureSkipVerify = true
+    [http.middlewares.Middleware09]
+      [http.middlewares.Middleware09.headers]
        accessControlAllowCredentials = true
        accessControlAllowHeaders = ["foobar", "foobar"]
        accessControlAllowMethods = ["foobar", "foobar"]
@@ -152,45 +163,91 @@
        contentSecurityPolicy = "foobar"
        publicKey = "foobar"
        referrerPolicy = "foobar"
+        featurePolicy = "foobar"
        isDevelopment = true
-        [http.middlewares.Middleware8.headers.customRequestHeaders]
+        [http.middlewares.Middleware09.headers.customRequestHeaders]
          name0 = "foobar"
          name1 = "foobar"
-        [http.middlewares.Middleware8.headers.customResponseHeaders]
+        [http.middlewares.Middleware09.headers.customResponseHeaders]
          name0 = "foobar"
          name1 = "foobar"
-        [http.middlewares.Middleware8.headers.sslProxyHeaders]
+        [http.middlewares.Middleware09.headers.sslProxyHeaders]
          name0 = "foobar"
          name1 = "foobar"
-    [http.middlewares.Middleware9]
-      [http.middlewares.Middleware9.errors]
-        status = ["foobar", "foobar"]
-        service = "foobar"
-        query = "foobar"
-  [http.services]
-    [http.services.Service0]
-      [http.services.Service0.loadBalancer]
-        passHostHeader = true
-        [http.services.Service0.loadBalancer.stickiness]
-          cookieName = "foobar"
-
-        [[http.services.Service0.loadBalancer.servers]]
-          url = "foobar"
-
-        [[http.services.Service0.loadBalancer.servers]]
-          url = "foobar"
-        [http.services.Service0.loadBalancer.healthCheck]
-          scheme = "foobar"
-          path = "foobar"
-          port = 42
-          interval = "foobar"
-          timeout = "foobar"
-          hostname = "foobar"
-          [http.services.Service0.loadBalancer.healthCheck.headers]
-            name0 = "foobar"
-            name1 = "foobar"
-        [http.services.Service0.loadBalancer.responseForwarding]
-          flushInterval = "foobar"
+    [http.middlewares.Middleware10]
+      [http.middlewares.Middleware10.ipWhiteList]
+        sourceRange = ["foobar", "foobar"]
+        [http.middlewares.Middleware10.ipWhiteList.ipStrategy]
+          depth = 42
+          excludedIPs = ["foobar", "foobar"]
+    [http.middlewares.Middleware11]
+      [http.middlewares.Middleware11.inFlightReq]
+        amount = 42
+        [http.middlewares.Middleware11.inFlightReq.sourceCriterion]
+          requestHeaderName = "foobar"
+          requestHost = true
+          [http.middlewares.Middleware11.inFlightReq.sourceCriterion.ipStrategy]
+            depth = 42
+            excludedIPs = ["foobar", "foobar"]
+    [http.middlewares.Middleware12]
+      [http.middlewares.Middleware12.passTLSClientCert]
+        pem = true
+        [http.middlewares.Middleware12.passTLSClientCert.info]
+          notAfter = true
+          notBefore = true
+          sans = true
+          [http.middlewares.Middleware12.passTLSClientCert.info.subject]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+          [http.middlewares.Middleware12.passTLSClientCert.info.issuer]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+    [http.middlewares.Middleware13]
+      [http.middlewares.Middleware13.rateLimit]
+        average = 42
+        burst = 42
+        [http.middlewares.Middleware13.rateLimit.sourceCriterion]
+          requestHeaderName = "foobar"
+          requestHost = true
+          [http.middlewares.Middleware13.rateLimit.sourceCriterion.ipStrategy]
+            depth = 42
+            excludedIPs = ["foobar", "foobar"]
+    [http.middlewares.Middleware14]
+      [http.middlewares.Middleware14.redirectRegex]
+        regex = "foobar"
+        replacement = "foobar"
+        permanent = true
+    [http.middlewares.Middleware15]
+      [http.middlewares.Middleware15.redirectScheme]
+        scheme = "foobar"
+        port = "foobar"
+        permanent = true
+    [http.middlewares.Middleware16]
+      [http.middlewares.Middleware16.replacePath]
+        path = "foobar"
+    [http.middlewares.Middleware17]
+      [http.middlewares.Middleware17.replacePathRegex]
+        regex = "foobar"
+        replacement = "foobar"
+    [http.middlewares.Middleware18]
+      [http.middlewares.Middleware18.retry]
+        attempts = 42
+    [http.middlewares.Middleware19]
+      [http.middlewares.Middleware19.stripPrefix]
+        prefixes = ["foobar", "foobar"]
+    [http.middlewares.Middleware20]
+      [http.middlewares.Middleware20.stripPrefixRegex]
+        regex = ["foobar", "foobar"]

 [tcp]
  [tcp.routers]
@@ -200,7 +257,32 @@
      rule = "foobar"
      [tcp.routers.TCPRouter0.tls]
        passthrough = true
-        options = "TLS1"
+        options = "foobar"
+        certResolver = "foobar"
+
+        [[tcp.routers.TCPRouter0.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
+
+        [[tcp.routers.TCPRouter0.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
+    [tcp.routers.TCPRouter1]
+      entryPoints = ["foobar", "foobar"]
+      service = "foobar"
+      rule = "foobar"
+      [tcp.routers.TCPRouter1.tls]
+        passthrough = true
+        options = "foobar"
+        certResolver = "foobar"
+
+        [[tcp.routers.TCPRouter1.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
+
+        [[tcp.routers.TCPRouter1.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
  [tcp.services]
    [tcp.services.TCPService0]
      [tcp.services.TCPService0.loadBalancer]
@@ -210,6 +292,14 @@

        [[tcp.services.TCPService0.loadBalancer.servers]]
          address = "foobar"
+    [tcp.services.TCPService1]
+      [tcp.services.TCPService1.loadBalancer]
+
+        [[tcp.services.TCPService1.loadBalancer.servers]]
+          address = "foobar"
+
+        [[tcp.services.TCPService1.loadBalancer.servers]]
+          address = "foobar"

 [tls]

@@ -223,20 +313,20 @@
    keyFile = "foobar"
    stores = ["foobar", "foobar"]
  [tls.options]
-    [tls.options.TLS0]
+    [tls.options.Options0]
      minVersion = "foobar"
      cipherSuites = ["foobar", "foobar"]
      sniStrict = true
-      [tls.options.TLS0.clientCA]
-        files = ["foobar", "foobar"]
-        optional = true
-    [tls.options.TLS1]
+      [tls.options.Options0.clientAuth]
+        caFiles = ["foobar", "foobar"]
+        clientAuthType = "foobar"
+    [tls.options.Options1]
      minVersion = "foobar"
      cipherSuites = ["foobar", "foobar"]
      sniStrict = true
-      [tls.options.TLS1.clientCA]
-        files = ["foobar", "foobar"]
-        optional = true
+      [tls.options.Options1.clientAuth]
+        caFiles = ["foobar", "foobar"]
+        clientAuthType = "foobar"
  [tls.stores]
    [tls.stores.Store0]
      [tls.stores.Store0.defaultCertificate]
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -2,54 +2,152 @@ http:
  routers:
    Router0:
      entryPoints:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
      middlewares:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
      service: foobar
      rule: foobar
      priority: 42
-      tls: {}
+      tls:
+        options: foobar
+        certResolver: foobar
+        domains:
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+    Router1:
+      entryPoints:
+      - foobar
+      - foobar
+      middlewares:
+      - foobar
+      - foobar
+      service: foobar
+      rule: foobar
+      priority: 42
+      tls:
+        options: foobar
+        certResolver: foobar
+        domains:
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+  services:
+    Service01:
+      loadBalancer:
+        sticky:
+          cookie:
+            name: foobar
+            secure: true
+            httpOnly: true
+        servers:
+        - url: foobar
+        - url: foobar
+        healthCheck:
+          scheme: foobar
+          path: foobar
+          port: 42
+          interval: foobar
+          timeout: foobar
+          hostname: foobar
+          headers:
+            name0: foobar
+            name1: foobar
+        passHostHeader: true
+        responseForwarding:
+          flushInterval: foobar
+    Service02:
+      mirroring:
+        service: foobar
+        mirrors:
+        - name: foobar
+          percent: 42
+        - name: foobar
+          percent: 42
+    Service03:
+      weighted:
+        services:
+        - name: foobar
+          weight: 42
+        - name: foobar
+          weight: 42
+        sticky:
+          cookie:
+            name: foobar
+            secure: true
+            httpOnly: true
  middlewares:
-    Middleware0:
+    Middleware00:
      addPrefix:
        prefix: foobar
-    Middleware1:
-      stripPrefix:
-        prefixes:
-          - foobar
-          - foobar
-    Middleware2:
-      stripPrefixRegex:
-        regex:
-          - foobar
-          - foobar
-    Middleware3:
-      replacePath:
-        path: foobar
-    Middleware4:
-      replacePathRegex:
-        regex: foobar
-        replacement: foobar
-    Middleware5:
+    Middleware01:
+      basicAuth:
+        users:
+        - foobar
+        - foobar
+        usersFile: foobar
+        realm: foobar
+        removeHeader: true
+        headerField: foobar
+    Middleware02:
+      buffering:
+        maxRequestBodyBytes: 42
+        memRequestBodyBytes: 42
+        maxResponseBodyBytes: 42
+        memResponseBodyBytes: 42
+        retryExpression: foobar
+    Middleware03:
      chain:
        middlewares:
-          - foobar
-          - foobar
-    Middleware6:
-      ipWhiteList:
-        sourceRange:
-          - foobar
-          - foobar
-    Middleware7:
-      ipWhiteList:
-        ipStrategy:
-          depth: 42
-          excludedIPs:
-            - foobar
-            - foobar
-    Middleware8:
+        - foobar
+        - foobar
+    Middleware04:
+      circuitBreaker:
+        expression: foobar
+    Middleware05:
+      compress: {}
+    Middleware06:
+      digestAuth:
+        users:
+        - foobar
+        - foobar
+        usersFile: foobar
+        removeHeader: true
+        realm: foobar
+        headerField: foobar
+    Middleware07:
+      errors:
+        status:
+        - foobar
+        - foobar
+        service: foobar
+        query: foobar
+    Middleware08:
+      forwardAuth:
+        address: foobar
+        tls:
+          ca: foobar
+          caOptional: true
+          cert: foobar
+          key: foobar
+          insecureSkipVerify: true
+        trustForwardHeader: true
+        authResponseHeaders:
+        - foobar
+        - foobar
+    Middleware09:
      headers:
        customRequestHeaders:
          name0: foobar
@@ -59,23 +157,23 @@ http:
          name1: foobar
        accessControlAllowCredentials: true
        accessControlAllowHeaders:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
        accessControlAllowMethods:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
        accessControlAllowOrigin: foobar
        accessControlExposeHeaders:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
        accessControlMaxAge: 42
        addVaryHeader: true
        allowedHosts:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
        hostsProxyHeaders:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
        sslRedirect: true
        sslTemporaryRedirect: true
        sslHost: foobar
@@ -95,84 +193,30 @@ http:
        contentSecurityPolicy: foobar
        publicKey: foobar
        referrerPolicy: foobar
+        featurePolicy: foobar
        isDevelopment: true
-    Middleware9:
-      errors:
-        status:
-          - foobar
-          - foobar
-        service: foobar
-        query: foobar
    Middleware10:
-      rateLimit:
-        rateSet:
-          Rate0:
-            period: 42000000000
-            average: 42
-            burst: 42
-          Rate1:
-            period: 42000000000
-            average: 42
-            burst: 42
-        extractorFunc: foobar
+      ipWhiteList:
+        sourceRange:
+        - foobar
+        - foobar
+        ipStrategy:
+          depth: 42
+          excludedIPs:
+          - foobar
+          - foobar
    Middleware11:
-      redirectRegex:
-        regex: foobar
-        replacement: foobar
-        permanent: true
-    Middleware12:
-      redirectScheme:
-        scheme: foobar
-        port: foobar
-        permanent: true
-    Middleware13:
-      basicAuth:
-        users:
-          - foobar
-          - foobar
-        usersFile: foobar
-        realm: foobar
-        removeHeader: true
-        headerField: foobar
-    Middleware14:
-      digestAuth:
-        users:
-          - foobar
-          - foobar
-        usersFile: foobar
-        removeHeader: true
-        realm: foobar
-        headerField: foobar
-    Middleware15:
-      forwardAuth:
-        address: foobar
-        tls:
-          ca: foobar
-          caOptional: true
-          cert: foobar
-          key: foobar
-          insecureSkipVerify: true
-        trustForwardHeader: true
-        authResponseHeaders:
-          - foobar
-          - foobar
-    Middleware16:
-      maxConn:
+      inFlightReq:
        amount: 42
-        extractorFunc: foobar
-    Middleware17:
-      buffering:
-        maxRequestBodyBytes: 42
-        memRequestBodyBytes: 42
-        maxResponseBodyBytes: 42
-        memResponseBodyBytes: 42
-        retryExpression: foobar
-    Middleware18:
-      circuitBreaker:
-        expression: foobar
-    Middleware19:
-      compress: {}
-    Middleware20:
+        sourceCriterion:
+          ipstrategy:
+            depth: 42
+            excludedIPs:
+            - foobar
+            - foobar
+          requestHeaderName: foobar
+          requestHost: true
+    Middleware12:
      passTLSClientCert:
        pem: true
        info:
@@ -195,80 +239,133 @@ http:
            commonName: true
            serialNumber: true
            domainComponent: true
-    Middleware21:
+    Middleware13:
+      rateLimit:
+        average: 42
+        burst: 42
+        sourceCriterion:
+          ipstrategy:
+            depth: 42
+            excludedIPs:
+            - foobar
+            - foobar
+          requestHeaderName: foobar
+          requestHost: true
+    Middleware14:
+      redirectRegex:
+        regex: foobar
+        replacement: foobar
+        permanent: true
+    Middleware15:
+      redirectScheme:
+        scheme: foobar
+        port: foobar
+        permanent: true
+    Middleware16:
+      replacePath:
+        path: foobar
+    Middleware17:
+      replacePathRegex:
+        regex: foobar
+        replacement: foobar
+    Middleware18:
      retry:
-        attemps: 42
-  services:
-    Service0:
-      loadBalancer:
-        stickiness:
-          cookieName: foobar
-        servers:
-          - url: foobar
-          - url: foobar
-        healthCheck:
-          scheme: foobar
-          path: foobar
-          port: 42
-          interval: foobar
-          timeout: foobar
-          hostname: foobar
-          headers:
-            name0: foobar
-            name1: foobar
-        passHostHeader: true
-        responseForwarding:
-          flushInterval: foobar
+        attempts: 42
+    Middleware19:
+      stripPrefix:
+        prefixes:
+        - foobar
+        - foobar
+    Middleware20:
+      stripPrefixRegex:
+        regex:
+        - foobar
+        - foobar
 tcp:
  routers:
    TCPRouter0:
      entryPoints:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
      service: foobar
      rule: foobar
      tls:
        passthrough: true
+        options: foobar
+        certResolver: foobar
+        domains:
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+    TCPRouter1:
+      entryPoints:
+      - foobar
+      - foobar
+      service: foobar
+      rule: foobar
+      tls:
+        passthrough: true
+        options: foobar
+        certResolver: foobar
+        domains:
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
  services:
    TCPService0:
      loadBalancer:
        servers:
-          - address: foobar
-          - address: foobar
+        - address: foobar
+        - address: foobar
+    TCPService1:
+      loadBalancer:
+        servers:
+        - address: foobar
+        - address: foobar
 tls:
  certificates:
-    - certFile: foobar
-      keyFile: foobar
-      stores:
-        - foobar
-        - foobar
-    - certFile: foobar
-      keyFile: foobar
-      stores:
-        - foobar
-        - foobar
+  - certFile: foobar
+    keyFile: foobar
+    stores:
+    - foobar
+    - foobar
+  - certFile: foobar
+    keyFile: foobar
+    stores:
+    - foobar
+    - foobar
  options:
-    TLS0:
+    Options0:
      minVersion: foobar
      cipherSuites:
+      - foobar
+      - foobar
+      clientAuth:
+        caFiles:
        - foobar
        - foobar
-      clientCA:
-        files:
-          - foobar
-          - foobar
-        optional: true
+        clientAuthType: foobar
      sniStrict: true
-    TLS1:
+    Options1:
      minVersion: foobar
      cipherSuites:
+      - foobar
+      - foobar
+      clientAuth:
+        caFiles:
        - foobar
        - foobar
-      clientCA:
-        files:
-          - foobar
-          - foobar
-        optional: true
+        clientAuthType: foobar
      sniStrict: true
  stores:
    Store0:
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
@@ -97,6 +97,12 @@ spec:
      middlewares:
        - name: stripprefix
        - name: addprefix
+    - match: PathPrefix(`/misc`)
+      services:
+        - name: s3
+          port: 8443
+          # scheme allow to override the scheme for the service. (ex: https or h2c)
+          scheme: https
  # use an empty tls object for TLS with Let's Encrypt
  tls:
    secretName: supersecret
--- a/docs/content/reference/dynamic-configuration/labels.yml
+++ b/docs/content/reference/dynamic-configuration/labels.yml
@@ -1,154 +0,0 @@
-labels:
- "traefik.http.middlewares.Middleware0.addprefix.prefix=foobar"
- "traefik.http.middlewares.Middleware1.basicauth.headerfield=foobar"
- "traefik.http.middlewares.Middleware1.basicauth.realm=foobar"
- "traefik.http.middlewares.Middleware1.basicauth.removeheader=true"
- "traefik.http.middlewares.Middleware1.basicauth.users=foobar, fiibar"
- "traefik.http.middlewares.Middleware1.basicauth.usersfile=foobar"
- "traefik.http.middlewares.Middleware2.buffering.maxrequestbodybytes=42"
- "traefik.http.middlewares.Middleware2.buffering.maxresponsebodybytes=42"
- "traefik.http.middlewares.Middleware2.buffering.memrequestbodybytes=42"
- "traefik.http.middlewares.Middleware2.buffering.memresponsebodybytes=42"
- "traefik.http.middlewares.Middleware2.buffering.retryexpression=foobar"
- "traefik.http.middlewares.Middleware3.chain.middlewares=foobar, fiibar"
- "traefik.http.middlewares.Middleware4.circuitbreaker.expression=foobar"
- "traefik.http.middlewares.Middleware5.digestauth.headerfield=foobar"
- "traefik.http.middlewares.Middleware5.digestauth.realm=foobar"
- "traefik.http.middlewares.Middleware5.digestauth.removeheader=true"
- "traefik.http.middlewares.Middleware5.digestauth.users=foobar, fiibar"
- "traefik.http.middlewares.Middleware5.digestauth.usersfile=foobar"
- "traefik.http.middlewares.Middleware6.errors.query=foobar"
- "traefik.http.middlewares.Middleware6.errors.service=foobar"
- "traefik.http.middlewares.Middleware6.errors.status=foobar, fiibar"
- "traefik.http.middlewares.Middleware7.forwardauth.address=foobar"
- "traefik.http.middlewares.Middleware7.forwardauth.authresponseheaders=foobar, fiibar"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.ca=foobar"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.caoptional=true"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.cert=foobar"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.insecureskipverify=true"
- "traefik.http.middlewares.Middleware7.forwardauth.tls.key=foobar"
- "traefik.http.middlewares.Middleware7.forwardauth.trustforwardheader=true"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolallowheaders=x-foobar, x-fiibar"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolallowmethods=get, put"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolalloworigin=foobar"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolexposeheaders=x-foobar, x-fiibar"
- "traefik.http.middlewares.Middleware8.headers.accesscontrolmaxage=200"
- "traefik.http.middlewares.Middleware8.headers.addvaryheader=true"
- "traefik.http.middlewares.Middleware8.headers.allowedhosts=foobar, fiibar"
- "traefik.http.middlewares.Middleware8.headers.browserxssfilter=true"
- "traefik.http.middlewares.Middleware8.headers.contentsecuritypolicy=foobar"
- "traefik.http.middlewares.Middleware8.headers.contenttypenosniff=true"
- "traefik.http.middlewares.Middleware8.headers.custombrowserxssvalue=foobar"
- "traefik.http.middlewares.Middleware8.headers.customframeoptionsvalue=foobar"
- "traefik.http.middlewares.Middleware8.headers.customrequestheaders.name0=foobar"
- "traefik.http.middlewares.Middleware8.headers.customrequestheaders.name1=foobar"
- "traefik.http.middlewares.Middleware8.headers.customresponseheaders.name0=foobar"
- "traefik.http.middlewares.Middleware8.headers.customresponseheaders.name1=foobar"
- "traefik.http.middlewares.Middleware8.headers.forcestsheader=true"
- "traefik.http.middlewares.Middleware8.headers.framedeny=true"
- "traefik.http.middlewares.Middleware8.headers.hostsproxyheaders=foobar, fiibar"
- "traefik.http.middlewares.Middleware8.headers.isdevelopment=true"
- "traefik.http.middlewares.Middleware8.headers.publickey=foobar"
- "traefik.http.middlewares.Middleware8.headers.referrerpolicy=foobar"
- "traefik.http.middlewares.Middleware8.headers.sslforcehost=true"
- "traefik.http.middlewares.Middleware8.headers.sslhost=foobar"
- "traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name0=foobar"
- "traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name1=foobar"
- "traefik.http.middlewares.Middleware8.headers.sslredirect=true"
- "traefik.http.middlewares.Middleware8.headers.ssltemporaryredirect=true"
- "traefik.http.middlewares.Middleware8.headers.stsincludesubdomains=true"
- "traefik.http.middlewares.Middleware8.headers.stspreload=true"
- "traefik.http.middlewares.Middleware8.headers.stsseconds=42"
- "traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.depth=42"
- "traefik.http.middlewares.Middleware9.ipwhitelist.ipstrategy.excludedips=foobar, fiibar"
- "traefik.http.middlewares.Middleware9.ipwhitelist.sourcerange=foobar, fiibar"
- "traefik.http.middlewares.Middleware10.maxconn.amount=42"
- "traefik.http.middlewares.Middleware10.maxconn.extractorfunc=foobar"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.notafter=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.notbefore=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.sans=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.country=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.province=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.locality=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.organization=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.commonname=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.serialnumber=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.domaincomponent=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.country=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.province=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.locality=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.organization=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.commonname=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.serialnumber=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.info.issuer.domaincomponent=true"
- "traefik.http.middlewares.Middleware11.passtlsclientcert.pem=true"
- "traefik.http.middlewares.Middleware12.ratelimit.extractorfunc=foobar"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate0.average=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate0.burst=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate0.period=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate1.average=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate1.burst=42"
- "traefik.http.middlewares.Middleware12.ratelimit.rateset.rate1.period=42"
- "traefik.http.middlewares.Middleware13.redirectregex.regex=foobar"
- "traefik.http.middlewares.Middleware13.redirectregex.replacement=foobar"
- "traefik.http.middlewares.Middleware13.redirectregex.permanent=true"
- "traefik.http.middlewares.Middleware13b.redirectscheme.scheme=https"
- "traefik.http.middlewares.Middleware13b.redirectscheme.port=80"
- "traefik.http.middlewares.Middleware13b.redirectscheme.permanent=true"
- "traefik.http.middlewares.Middleware14.replacepath.path=foobar"
- "traefik.http.middlewares.Middleware15.replacepathregex.regex=foobar"
- "traefik.http.middlewares.Middleware15.replacepathregex.replacement=foobar"
- "traefik.http.middlewares.Middleware16.retry.attempts=42"
- "traefik.http.middlewares.Middleware17.stripprefix.prefixes=foobar, fiibar"
- "traefik.http.middlewares.Middleware18.stripprefixregex.regex=foobar, fiibar"
- "traefik.http.middlewares.Middleware19.compress=true"
- "traefik.http.routers.Router0.entrypoints=foobar, fiibar"
- "traefik.http.routers.Router0.middlewares=foobar, fiibar"
- "traefik.http.routers.Router0.priority=42"
- "traefik.http.routers.Router0.rule=foobar"
- "traefik.http.routers.Router0.service=foobar"
- "traefik.http.routers.Router0.tls=true"
- "traefik.http.routers.Router0.tls.options=foo"
- "traefik.http.routers.Router1.entrypoints=foobar, fiibar"
- "traefik.http.routers.Router1.middlewares=foobar, fiibar"
- "traefik.http.routers.Router1.priority=42"
- "traefik.http.routers.Router1.rule=foobar"
- "traefik.http.routers.Router1.service=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.headers.name0=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.headers.name1=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.hostname=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.interval=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.path=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.port=42"
- "traefik.http.services.Service0.loadbalancer.healthcheck.scheme=foobar"
- "traefik.http.services.Service0.loadbalancer.healthcheck.timeout=foobar"
- "traefik.http.services.Service0.loadbalancer.passhostheader=true"
- "traefik.http.services.Service0.loadbalancer.responseforwarding.flushinterval=foobar"
- "traefik.http.services.Service0.loadbalancer.server.port=8080"
- "traefik.http.services.Service0.loadbalancer.server.scheme=foobar"
- "traefik.http.services.Service0.loadbalancer.stickiness.cookiename=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.headers.name0=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.headers.name1=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.hostname=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.interval=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.path=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.port=42"
- "traefik.http.services.Service1.loadbalancer.healthcheck.scheme=foobar"
- "traefik.http.services.Service1.loadbalancer.healthcheck.timeout=foobar"
- "traefik.http.services.Service1.loadbalancer.passhostheader=true"
- "traefik.http.services.Service1.loadbalancer.responseforwarding.flushinterval=foobar"
- "traefik.http.services.Service1.loadbalancer.server.port=8080"
- "traefik.http.services.Service1.loadbalancer.server.scheme=foobar"
- "traefik.tcp.routers.Router0.rule=foobar"
- "traefik.tcp.routers.Router0.entrypoints=foobar, fiibar"
- "traefik.tcp.routers.Router0.service=foobar"
- "traefik.tcp.routers.Router0.tls.passthrough=false"
- "traefik.tcp.routers.Router0.tls.options=bar"
- "traefik.tcp.routers.Router1.rule=foobar"
- "traefik.tcp.routers.Router1.entrypoints=foobar, fiibar"
- "traefik.tcp.routers.Router1.service=foobar"
- "traefik.tcp.routers.Router1.tls.passthrough=false"
- "traefik.tcp.routers.Router1.tls.options=foobar"
- "traefik.tcp.services.Service0.loadbalancer.server.port=42"
- "traefik.tcp.services.Service1.loadbalancer.server.port=42"
--- a/docs/content/reference/dynamic-configuration/marathon-labels.json
+++ b/docs/content/reference/dynamic-configuration/marathon-labels.json
@@ -0,0 +1,187 @@
+"traefik.http.middlewares.middleware00.addprefix.prefix": "foobar",
+"traefik.http.middlewares.middleware01.basicauth.headerfield": "foobar",
+"traefik.http.middlewares.middleware01.basicauth.realm": "foobar",
+"traefik.http.middlewares.middleware01.basicauth.removeheader": "true",
+"traefik.http.middlewares.middleware01.basicauth.users": "foobar, foobar",
+"traefik.http.middlewares.middleware01.basicauth.usersfile": "foobar",
+"traefik.http.middlewares.middleware02.buffering.maxrequestbodybytes": "42",
+"traefik.http.middlewares.middleware02.buffering.maxresponsebodybytes": "42",
+"traefik.http.middlewares.middleware02.buffering.memrequestbodybytes": "42",
+"traefik.http.middlewares.middleware02.buffering.memresponsebodybytes": "42",
+"traefik.http.middlewares.middleware02.buffering.retryexpression": "foobar",
+"traefik.http.middlewares.middleware03.chain.middlewares": "foobar, foobar",
+"traefik.http.middlewares.middleware04.circuitbreaker.expression": "foobar",
+"traefik.http.middlewares.middleware05.compress": "true",
+"traefik.http.middlewares.middleware06.digestauth.headerfield": "foobar",
+"traefik.http.middlewares.middleware06.digestauth.realm": "foobar",
+"traefik.http.middlewares.middleware06.digestauth.removeheader": "true",
+"traefik.http.middlewares.middleware06.digestauth.users": "foobar, foobar",
+"traefik.http.middlewares.middleware06.digestauth.usersfile": "foobar",
+"traefik.http.middlewares.middleware07.errors.query": "foobar",
+"traefik.http.middlewares.middleware07.errors.service": "foobar",
+"traefik.http.middlewares.middleware07.errors.status": "foobar, foobar",
+"traefik.http.middlewares.middleware08.forwardauth.address": "foobar",
+"traefik.http.middlewares.middleware08.forwardauth.authresponseheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware08.forwardauth.tls.ca": "foobar",
+"traefik.http.middlewares.middleware08.forwardauth.tls.caoptional": "true",
+"traefik.http.middlewares.middleware08.forwardauth.tls.cert": "foobar",
+"traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify": "true",
+"traefik.http.middlewares.middleware08.forwardauth.tls.key": "foobar",
+"traefik.http.middlewares.middleware08.forwardauth.trustforwardheader": "true",
+"traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials": "true",
+"traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods": "foobar, foobar",
+"traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin": "foobar",
+"traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware09.headers.accesscontrolmaxage": "42",
+"traefik.http.middlewares.middleware09.headers.addvaryheader": "true",
+"traefik.http.middlewares.middleware09.headers.allowedhosts": "foobar, foobar",
+"traefik.http.middlewares.middleware09.headers.browserxssfilter": "true",
+"traefik.http.middlewares.middleware09.headers.contentsecuritypolicy": "foobar",
+"traefik.http.middlewares.middleware09.headers.contenttypenosniff": "true",
+"traefik.http.middlewares.middleware09.headers.custombrowserxssvalue": "foobar",
+"traefik.http.middlewares.middleware09.headers.customframeoptionsvalue": "foobar",
+"traefik.http.middlewares.middleware09.headers.customrequestheaders.name0": "foobar",
+"traefik.http.middlewares.middleware09.headers.customrequestheaders.name1": "foobar",
+"traefik.http.middlewares.middleware09.headers.customresponseheaders.name0": "foobar",
+"traefik.http.middlewares.middleware09.headers.customresponseheaders.name1": "foobar",
+"traefik.http.middlewares.middleware09.headers.featurepolicy": "foobar",
+"traefik.http.middlewares.middleware09.headers.forcestsheader": "true",
+"traefik.http.middlewares.middleware09.headers.framedeny": "true",
+"traefik.http.middlewares.middleware09.headers.hostsproxyheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware09.headers.isdevelopment": "true",
+"traefik.http.middlewares.middleware09.headers.publickey": "foobar",
+"traefik.http.middlewares.middleware09.headers.referrerpolicy": "foobar",
+"traefik.http.middlewares.middleware09.headers.sslforcehost": "true",
+"traefik.http.middlewares.middleware09.headers.sslhost": "foobar",
+"traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0": "foobar",
+"traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1": "foobar",
+"traefik.http.middlewares.middleware09.headers.sslredirect": "true",
+"traefik.http.middlewares.middleware09.headers.ssltemporaryredirect": "true",
+"traefik.http.middlewares.middleware09.headers.stsincludesubdomains": "true",
+"traefik.http.middlewares.middleware09.headers.stspreload": "true",
+"traefik.http.middlewares.middleware09.headers.stsseconds": "42",
+"traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware10.ipwhitelist.sourcerange": "foobar, foobar",
+"traefik.http.middlewares.middleware11.inflightreq.amount": "42",
+"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requestheadername": "foobar",
+"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requesthost": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.sans": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber": "true",
+"traefik.http.middlewares.middleware12.passtlsclientcert.pem": "true",
+"traefik.http.middlewares.middleware13.ratelimit.average": "42",
+"traefik.http.middlewares.middleware13.ratelimit.burst": "42",
+"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requestheadername": "foobar",
+"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requesthost": "true",
+"traefik.http.middlewares.middleware14.redirectregex.permanent": "true",
+"traefik.http.middlewares.middleware14.redirectregex.regex": "foobar",
+"traefik.http.middlewares.middleware14.redirectregex.replacement": "foobar",
+"traefik.http.middlewares.middleware15.redirectscheme.permanent": "true",
+"traefik.http.middlewares.middleware15.redirectscheme.port": "foobar",
+"traefik.http.middlewares.middleware15.redirectscheme.scheme": "foobar",
+"traefik.http.middlewares.middleware16.replacepath.path": "foobar",
+"traefik.http.middlewares.middleware17.replacepathregex.regex": "foobar",
+"traefik.http.middlewares.middleware17.replacepathregex.replacement": "foobar",
+"traefik.http.middlewares.middleware18.retry.attempts": "42",
+"traefik.http.middlewares.middleware19.stripprefix.prefixes": "foobar, foobar",
+"traefik.http.middlewares.middleware20.stripprefixregex.regex": "foobar, foobar",
+"traefik.http.routers.router0.entrypoints": "foobar, foobar",
+"traefik.http.routers.router0.middlewares": "foobar, foobar",
+"traefik.http.routers.router0.priority": "42",
+"traefik.http.routers.router0.rule": "foobar",
+"traefik.http.routers.router0.service": "foobar",
+"traefik.http.routers.router0.tls": "true",
+"traefik.http.routers.router0.tls.certresolver": "foobar",
+"traefik.http.routers.router0.tls.domains[0].main": "foobar",
+"traefik.http.routers.router0.tls.domains[0].sans": "foobar, foobar",
+"traefik.http.routers.router0.tls.domains[1].main": "foobar",
+"traefik.http.routers.router0.tls.domains[1].sans": "foobar, foobar",
+"traefik.http.routers.router0.tls.options": "foobar",
+"traefik.http.routers.router1.entrypoints": "foobar, foobar",
+"traefik.http.routers.router1.middlewares": "foobar, foobar",
+"traefik.http.routers.router1.priority": "42",
+"traefik.http.routers.router1.rule": "foobar",
+"traefik.http.routers.router1.service": "foobar",
+"traefik.http.routers.router1.tls": "true",
+"traefik.http.routers.router1.tls.certresolver": "foobar",
+"traefik.http.routers.router1.tls.domains[0].main": "foobar",
+"traefik.http.routers.router1.tls.domains[0].sans": "foobar, foobar",
+"traefik.http.routers.router1.tls.domains[1].main": "foobar",
+"traefik.http.routers.router1.tls.domains[1].sans": "foobar, foobar",
+"traefik.http.routers.router1.tls.options": "foobar",
+"traefik.http.services.service0.loadbalancer.healthcheck.headers.name0": "foobar",
+"traefik.http.services.service0.loadbalancer.healthcheck.headers.name1": "foobar",
+"traefik.http.services.service0.loadbalancer.healthcheck.hostname": "foobar",
+"traefik.http.services.service0.loadbalancer.healthcheck.interval": "foobar",
+"traefik.http.services.service0.loadbalancer.healthcheck.path": "foobar",
+"traefik.http.services.service0.loadbalancer.healthcheck.port": "42",
+"traefik.http.services.service0.loadbalancer.healthcheck.scheme": "foobar",
+"traefik.http.services.service0.loadbalancer.healthcheck.timeout": "foobar",
+"traefik.http.services.service0.loadbalancer.passhostheader": "true",
+"traefik.http.services.service0.loadbalancer.responseforwarding.flushinterval": "foobar",
+"traefik.http.services.service0.loadbalancer.sticky": "true",
+"traefik.http.services.service0.loadbalancer.sticky.cookie.httponly": "true",
+"traefik.http.services.service0.loadbalancer.sticky.cookie.name": "foobar",
+"traefik.http.services.service0.loadbalancer.sticky.cookie.secure": "true",
+"traefik.http.services.service0.loadbalancer.server.port": "foobar",
+"traefik.http.services.service0.loadbalancer.server.scheme": "foobar",
+"traefik.http.services.service1.loadbalancer.healthcheck.headers.name0": "foobar",
+"traefik.http.services.service1.loadbalancer.healthcheck.headers.name1": "foobar",
+"traefik.http.services.service1.loadbalancer.healthcheck.hostname": "foobar",
+"traefik.http.services.service1.loadbalancer.healthcheck.interval": "foobar",
+"traefik.http.services.service1.loadbalancer.healthcheck.path": "foobar",
+"traefik.http.services.service1.loadbalancer.healthcheck.port": "42",
+"traefik.http.services.service1.loadbalancer.healthcheck.scheme": "foobar",
+"traefik.http.services.service1.loadbalancer.healthcheck.timeout": "foobar",
+"traefik.http.services.service1.loadbalancer.passhostheader": "true",
+"traefik.http.services.service1.loadbalancer.responseforwarding.flushinterval": "foobar",
+"traefik.http.services.service1.loadbalancer.sticky": "true",
+"traefik.http.services.service1.loadbalancer.sticky.cookie.httponly": "true",
+"traefik.http.services.service1.loadbalancer.sticky.cookie.name": "foobar",
+"traefik.http.services.service1.loadbalancer.sticky.cookie.secure": "true",
+"traefik.http.services.service1.loadbalancer.server.port": "foobar",
+"traefik.http.services.service1.loadbalancer.server.scheme": "foobar",
+"traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
+"traefik.tcp.routers.tcprouter0.rule": "foobar",
+"traefik.tcp.routers.tcprouter0.service": "foobar",
+"traefik.tcp.routers.tcprouter0.tls": "true",
+"traefik.tcp.routers.tcprouter0.tls.certresolver": "foobar",
+"traefik.tcp.routers.tcprouter0.tls.domains[0].main": "foobar",
+"traefik.tcp.routers.tcprouter0.tls.domains[0].sans": "foobar, foobar",
+"traefik.tcp.routers.tcprouter0.tls.domains[1].main": "foobar",
+"traefik.tcp.routers.tcprouter0.tls.domains[1].sans": "foobar, foobar",
+"traefik.tcp.routers.tcprouter0.tls.options": "foobar",
+"traefik.tcp.routers.tcprouter0.tls.passthrough": "true",
+"traefik.tcp.routers.tcprouter1.entrypoints": "foobar, foobar",
+"traefik.tcp.routers.tcprouter1.rule": "foobar",
+"traefik.tcp.routers.tcprouter1.service": "foobar",
+"traefik.tcp.routers.tcprouter1.tls": "true",
+"traefik.tcp.routers.tcprouter1.tls.certresolver": "foobar",
+"traefik.tcp.routers.tcprouter1.tls.domains[0].main": "foobar",
+"traefik.tcp.routers.tcprouter1.tls.domains[0].sans": "foobar, foobar",
+"traefik.tcp.routers.tcprouter1.tls.domains[1].main": "foobar",
+"traefik.tcp.routers.tcprouter1.tls.domains[1].sans": "foobar, foobar",
+"traefik.tcp.routers.tcprouter1.tls.options": "foobar",
+"traefik.tcp.routers.tcprouter1.tls.passthrough": "true",
+"traefik.tcp.services.tcpservice0.loadbalancer.server.port": "foobar",
+"traefik.tcp.services.tcpservice1.loadbalancer.server.port": "foobar"
--- a/docs/content/reference/dynamic-configuration/marathon.json
+++ b/docs/content/reference/dynamic-configuration/marathon.json
@@ -0,0 +1,2 @@
+"traefik.enable": "true",
+"traefik.marathon.ipaddressidx": "42",
--- a/docs/content/reference/dynamic-configuration/marathon.md
+++ b/docs/content/reference/dynamic-configuration/marathon.md
@@ -3,6 +3,9 @@
 Dynamic configuration with Marathon Labels
 {: .subtitle }

-```yaml
--8<-- "content/reference/dynamic-configuration/labels.yml"
+```json
+"labels": {
+  --8<-- "content/reference/dynamic-configuration/marathon.json"
+  --8<-- "content/reference/dynamic-configuration/marathon-labels.json"
+}
 ```
--- a/docs/content/reference/dynamic-configuration/rancher.md
+++ b/docs/content/reference/dynamic-configuration/rancher.md
@@ -0,0 +1,12 @@
+# Rancher Configuration Reference
+
+Dynamic configuration with Rancher Labels
+{: .subtitle }
+
+The labels are case insensitive.
+
+```yaml
+labels:
+  --8<-- "content/reference/dynamic-configuration/rancher.yml"
+  --8<-- "content/reference/dynamic-configuration/docker-labels.yml"
+```
--- a/docs/content/reference/dynamic-configuration/rancher.yml
+++ b/docs/content/reference/dynamic-configuration/rancher.yml
@@ -0,0 +1 @@
+- "traefik.enable=true"
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -0,0 +1,592 @@
+<!--
+CODE GENERATED AUTOMATICALLY
+THIS FILE MUST NOT BE EDITED BY HAND
+-->
+
+`--accesslog`:  
+Access log settings. (Default: ```false```)
+
+`--accesslog.bufferingsize`:  
+Number of access log lines to process in a buffered way. (Default: ```0```)
+
+`--accesslog.fields.defaultmode`:  
+Default mode for fields: keep | drop (Default: ```keep```)
+
+`--accesslog.fields.headers.defaultmode`:  
+Default mode for fields: keep | drop | redact (Default: ```drop```)
+
+`--accesslog.fields.headers.names.<name>`:  
+Override mode for headers
+
+`--accesslog.fields.names.<name>`:  
+Override mode for fields
+
+`--accesslog.filepath`:  
+Access log file path. Stdout is used when omitted or empty.
+
+`--accesslog.filters.minduration`:  
+Keep access logs when request took longer than the specified duration. (Default: ```0```)
+
+`--accesslog.filters.retryattempts`:  
+Keep access logs when at least one retry happened. (Default: ```false```)
+
+`--accesslog.filters.statuscodes`:  
+Keep access logs with status codes in the specified range.
+
+`--accesslog.format`:  
+Access log format: json | common (Default: ```common```)
+
+`--api`:  
+Enable api/dashboard. (Default: ```false```)
+
+`--api.dashboard`:  
+Activate dashboard. (Default: ```true```)
+
+`--api.debug`:  
+Enable additional endpoints for debugging and profiling. (Default: ```false```)
+
+`--api.insecure`:  
+Activate API directly on the entryPoint named traefik. (Default: ```false```)
+
+`--certificatesresolvers.<name>`:  
+Certificates resolvers configuration. (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.caserver`:  
+CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge`:  
+Activate DNS-01 Challenge. (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck`:  
+Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck`:  
+Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.provider`:  
+Use a DNS-01 based challenge provider rather than HTTPS.
+
+`--certificatesresolvers.<name>.acme.dnschallenge.resolvers`:  
+Use following DNS servers to resolve the FQDN authority.
+
+`--certificatesresolvers.<name>.acme.email`:  
+Email address used for registration.
+
+`--certificatesresolvers.<name>.acme.httpchallenge`:  
+Activate HTTP-01 Challenge. (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.httpchallenge.entrypoint`:  
+HTTP challenge EntryPoint
+
+`--certificatesresolvers.<name>.acme.keytype`:  
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
+
+`--certificatesresolvers.<name>.acme.storage`:  
+Storage to use. (Default: ```acme.json```)
+
+`--certificatesresolvers.<name>.acme.tlschallenge`:  
+Activate TLS-ALPN-01 Challenge. (Default: ```true```)
+
+`--entrypoints.<name>`:  
+Entry points definition. (Default: ```false```)
+
+`--entrypoints.<name>.address`:  
+Entry point address.
+
+`--entrypoints.<name>.forwardedheaders.insecure`:  
+Trust all forwarded headers. (Default: ```false```)
+
+`--entrypoints.<name>.forwardedheaders.trustedips`:  
+Trust only forwarded headers from selected IPs.
+
+`--entrypoints.<name>.proxyprotocol`:  
+Proxy-Protocol configuration. (Default: ```false```)
+
+`--entrypoints.<name>.proxyprotocol.insecure`:  
+Trust all. (Default: ```false```)
+
+`--entrypoints.<name>.proxyprotocol.trustedips`:  
+Trust only selected IPs.
+
+`--entrypoints.<name>.transport.lifecycle.gracetimeout`:  
+Duration to give active requests a chance to finish before Traefik stops. (Default: ```10```)
+
+`--entrypoints.<name>.transport.lifecycle.requestacceptgracetimeout`:  
+Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: ```0```)
+
+`--entrypoints.<name>.transport.respondingtimeouts.idletimeout`:  
+IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
+
+`--entrypoints.<name>.transport.respondingtimeouts.readtimeout`:  
+ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```0```)
+
+`--entrypoints.<name>.transport.respondingtimeouts.writetimeout`:  
+WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
+
+`--global.checknewversion`:  
+Periodically check if a new version has been released. (Default: ```false```)
+
+`--global.sendanonymoususage`:  
+Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)
+
+`--hostresolver`:  
+Enable CNAME Flattening. (Default: ```false```)
+
+`--hostresolver.cnameflattening`:  
+A flag to enable/disable CNAME flattening (Default: ```false```)
+
+`--hostresolver.resolvconfig`:  
+resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
+
+`--hostresolver.resolvdepth`:  
+The maximal depth of DNS recursive resolving (Default: ```5```)
+
+`--log`:  
+Traefik log settings. (Default: ```false```)
+
+`--log.filepath`:  
+Traefik log file path. Stdout is used when omitted or empty.
+
+`--log.format`:  
+Traefik log format: json | common (Default: ```common```)
+
+`--log.level`:  
+Log level set to traefik logs. (Default: ```ERROR```)
+
+`--metrics.datadog`:  
+Datadog metrics exporter type. (Default: ```false```)
+
+`--metrics.datadog.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.datadog.address`:  
+Datadog's address. (Default: ```localhost:8125```)
+
+`--metrics.datadog.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.datadog.pushinterval`:  
+Datadog push interval. (Default: ```10```)
+
+`--metrics.influxdb`:  
+InfluxDB metrics exporter type. (Default: ```false```)
+
+`--metrics.influxdb.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.influxdb.address`:  
+InfluxDB address. (Default: ```localhost:8089```)
+
+`--metrics.influxdb.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.influxdb.database`:  
+InfluxDB database used when protocol is http.
+
+`--metrics.influxdb.password`:  
+InfluxDB password (only with http).
+
+`--metrics.influxdb.protocol`:  
+InfluxDB address protocol (udp or http). (Default: ```udp```)
+
+`--metrics.influxdb.pushinterval`:  
+InfluxDB push interval. (Default: ```10```)
+
+`--metrics.influxdb.retentionpolicy`:  
+InfluxDB retention policy used when protocol is http.
+
+`--metrics.influxdb.username`:  
+InfluxDB username (only with http).
+
+`--metrics.prometheus`:  
+Prometheus metrics exporter type. (Default: ```false```)
+
+`--metrics.prometheus.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.prometheus.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.prometheus.buckets`:  
+Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
+
+`--metrics.prometheus.entrypoint`:  
+EntryPoint (Default: ```traefik```)
+
+`--metrics.statsd`:  
+StatsD metrics exporter type. (Default: ```false```)
+
+`--metrics.statsd.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.statsd.address`:  
+StatsD address. (Default: ```localhost:8125```)
+
+`--metrics.statsd.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.statsd.pushinterval`:  
+StatsD push interval. (Default: ```10```)
+
+`--ping`:  
+Enable ping. (Default: ```false```)
+
+`--ping.entrypoint`:  
+EntryPoint (Default: ```traefik```)
+
+`--providers.docker`:  
+Enable Docker backend with default settings. (Default: ```false```)
+
+`--providers.docker.constraints`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`--providers.docker.defaultrule`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`--providers.docker.endpoint`:  
+Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
+
+`--providers.docker.exposedbydefault`:  
+Expose containers by default. (Default: ```true```)
+
+`--providers.docker.network`:  
+Default Docker network used.
+
+`--providers.docker.swarmmode`:  
+Use Docker on Swarm Mode. (Default: ```false```)
+
+`--providers.docker.swarmmoderefreshseconds`:  
+Polling interval for swarm mode. (Default: ```15```)
+
+`--providers.docker.tls.ca`:  
+TLS CA
+
+`--providers.docker.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.docker.tls.cert`:  
+TLS cert
+
+`--providers.docker.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.docker.tls.key`:  
+TLS key
+
+`--providers.docker.usebindportip`:  
+Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
+
+`--providers.docker.watch`:  
+Watch provider. (Default: ```true```)
+
+`--providers.file.debugloggeneratedtemplate`:  
+Enable debug logging of generated configuration template. (Default: ```false```)
+
+`--providers.file.directory`:  
+Load configuration from one or more .toml files in a directory.
+
+`--providers.file.filename`:  
+Override default configuration template. For advanced users :)
+
+`--providers.file.watch`:  
+Watch provider. (Default: ```true```)
+
+`--providers.kubernetescrd`:  
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`--providers.kubernetescrd.certauthfilepath`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`--providers.kubernetescrd.disablepasshostheaders`:  
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`--providers.kubernetescrd.endpoint`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`--providers.kubernetescrd.ingressclass`:  
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`--providers.kubernetescrd.labelselector`:  
+Kubernetes label selector to use.
+
+`--providers.kubernetescrd.namespaces`:  
+Kubernetes namespaces.
+
+`--providers.kubernetescrd.throttleduration`:  
+Ingress refresh throttle duration (Default: ```0```)
+
+`--providers.kubernetescrd.token`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
+`--providers.kubernetesingress`:  
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`--providers.kubernetesingress.certauthfilepath`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`--providers.kubernetesingress.disablepasshostheaders`:  
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`--providers.kubernetesingress.endpoint`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`--providers.kubernetesingress.ingressclass`:  
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`--providers.kubernetesingress.ingressendpoint.hostname`:  
+Hostname used for Kubernetes Ingress endpoints.
+
+`--providers.kubernetesingress.ingressendpoint.ip`:  
+IP used for Kubernetes Ingress endpoints.
+
+`--providers.kubernetesingress.ingressendpoint.publishedservice`:  
+Published Kubernetes Service to copy status from.
+
+`--providers.kubernetesingress.labelselector`:  
+Kubernetes Ingress label selector to use.
+
+`--providers.kubernetesingress.namespaces`:  
+Kubernetes namespaces.
+
+`--providers.kubernetesingress.throttleduration`:  
+Ingress refresh throttle duration (Default: ```0```)
+
+`--providers.kubernetesingress.token`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
+`--providers.marathon`:  
+Enable Marathon backend with default settings. (Default: ```false```)
+
+`--providers.marathon.basic.httpbasicauthuser`:  
+Basic authentication User.
+
+`--providers.marathon.basic.httpbasicpassword`:  
+Basic authentication Password.
+
+`--providers.marathon.constraints`:  
+Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
+
+`--providers.marathon.dcostoken`:  
+DCOSToken for DCOS environment, This will override the Authorization header.
+
+`--providers.marathon.defaultrule`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`--providers.marathon.dialertimeout`:  
+Set a dialer timeout for Marathon. (Default: ```5```)
+
+`--providers.marathon.endpoint`:  
+Marathon server endpoint. You can also specify multiple endpoint for Marathon. (Default: ```http://127.0.0.1:8080```)
+
+`--providers.marathon.exposedbydefault`:  
+Expose Marathon apps by default. (Default: ```true```)
+
+`--providers.marathon.forcetaskhostname`:  
+Force to use the task's hostname. (Default: ```false```)
+
+`--providers.marathon.keepalive`:  
+Set a TCP Keep Alive time. (Default: ```10```)
+
+`--providers.marathon.respectreadinesschecks`:  
+Filter out tasks with non-successful readiness checks during deployments. (Default: ```false```)
+
+`--providers.marathon.responseheadertimeout`:  
+Set a response header timeout for Marathon. (Default: ```60```)
+
+`--providers.marathon.tls.ca`:  
+TLS CA
+
+`--providers.marathon.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.marathon.tls.cert`:  
+TLS cert
+
+`--providers.marathon.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.marathon.tls.key`:  
+TLS key
+
+`--providers.marathon.tlshandshaketimeout`:  
+Set a TLS handshake timeout for Marathon. (Default: ```5```)
+
+`--providers.marathon.trace`:  
+Display additional provider logs. (Default: ```false```)
+
+`--providers.marathon.watch`:  
+Watch provider. (Default: ```true```)
+
+`--providers.providersthrottleduration`:  
+Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. (Default: ```0```)
+
+`--providers.rancher`:  
+Enable Rancher backend with default settings. (Default: ```false```)
+
+`--providers.rancher.constraints`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`--providers.rancher.defaultrule`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`--providers.rancher.enableservicehealthfilter`:  
+Filter services with unhealthy states and inactive states. (Default: ```true```)
+
+`--providers.rancher.exposedbydefault`:  
+Expose containers by default. (Default: ```true```)
+
+`--providers.rancher.intervalpoll`:  
+Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate). (Default: ```false```)
+
+`--providers.rancher.prefix`:  
+Prefix used for accessing the Rancher metadata service. (Default: ```latest```)
+
+`--providers.rancher.refreshseconds`:  
+Defines the polling interval in seconds. (Default: ```15```)
+
+`--providers.rancher.watch`:  
+Watch provider. (Default: ```true```)
+
+`--providers.rest`:  
+Enable Rest backend with default settings. (Default: ```false```)
+
+`--providers.rest.insecure`:  
+Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)
+
+`--serverstransport.forwardingtimeouts.dialtimeout`:  
+The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
+
+`--serverstransport.forwardingtimeouts.idleconntimeout`:  
+The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself (Default: ```90```)
+
+`--serverstransport.forwardingtimeouts.responseheadertimeout`:  
+The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
+
+`--serverstransport.insecureskipverify`:  
+Disable SSL certificate verification. (Default: ```false```)
+
+`--serverstransport.maxidleconnsperhost`:  
+If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: ```0```)
+
+`--serverstransport.rootcas`:  
+Add cert file for self-signed certificate.
+
+`--tracing`:  
+OpenTracing configuration. (Default: ```false```)
+
+`--tracing.datadog`:  
+Settings for Datadog. (Default: ```false```)
+
+`--tracing.datadog.bagageprefixheadername`:  
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`--tracing.datadog.debug`:  
+Enable Datadog debug. (Default: ```false```)
+
+`--tracing.datadog.globaltag`:  
+Key:Value tag to be set on all the spans.
+
+`--tracing.datadog.localagenthostport`:  
+Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
+
+`--tracing.datadog.parentidheadername`:  
+Specifies the header name that will be used to store the parent ID.
+
+`--tracing.datadog.prioritysampling`:  
+Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
+
+`--tracing.datadog.samplingpriorityheadername`:  
+Specifies the header name that will be used to store the sampling priority.
+
+`--tracing.datadog.traceidheadername`:  
+Specifies the header name that will be used to store the trace ID.
+
+`--tracing.haystack`:  
+Settings for Haystack. (Default: ```false```)
+
+`--tracing.haystack.baggageprefixheadername`:  
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`--tracing.haystack.globaltag`:  
+Key:Value tag to be set on all the spans.
+
+`--tracing.haystack.localagenthost`:  
+Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+
+`--tracing.haystack.localagentport`:  
+Set haystack-agent's port that the reporter will used. (Default: ```35000```)
+
+`--tracing.haystack.parentidheadername`:  
+Specifies the header name that will be used to store the parent ID.
+
+`--tracing.haystack.spanidheadername`:  
+Specifies the header name that will be used to store the span ID.
+
+`--tracing.haystack.traceidheadername`:  
+Specifies the header name that will be used to store the trace ID.
+
+`--tracing.instana`:  
+Settings for Instana. (Default: ```false```)
+
+`--tracing.instana.localagenthost`:  
+Set instana-agent's host that the reporter will used. (Default: ```localhost```)
+
+`--tracing.instana.localagentport`:  
+Set instana-agent's port that the reporter will used. (Default: ```42699```)
+
+`--tracing.instana.loglevel`:  
+Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
+
+`--tracing.jaeger`:  
+Settings for Jaeger. (Default: ```false```)
+
+`--tracing.jaeger.collector.endpoint`:  
+Instructs reporter to send spans to jaeger-collector at this URL.
+
+`--tracing.jaeger.collector.password`:  
+Password for basic http authentication when sending spans to jaeger-collector.
+
+`--tracing.jaeger.collector.user`:  
+User for basic http authentication when sending spans to jaeger-collector.
+
+`--tracing.jaeger.gen128bit`:  
+Generate 128 bit span IDs. (Default: ```false```)
+
+`--tracing.jaeger.localagenthostport`:  
+Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
+
+`--tracing.jaeger.propagation`:  
+Which propagation format to use (jaeger/b3). (Default: ```jaeger```)
+
+`--tracing.jaeger.samplingparam`:  
+Set the sampling parameter. (Default: ```1.000000```)
+
+`--tracing.jaeger.samplingserverurl`:  
+Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
+
+`--tracing.jaeger.samplingtype`:  
+Set the sampling type. (Default: ```const```)
+
+`--tracing.jaeger.tracecontextheadername`:  
+Set the header to use for the trace-id. (Default: ```uber-trace-id```)
+
+`--tracing.servicename`:  
+Set the name for this service. (Default: ```traefik```)
+
+`--tracing.spannamelimit`:  
+Set the maximum character limit for Span names (default 0 = no limit). (Default: ```0```)
+
+`--tracing.zipkin`:  
+Settings for Zipkin. (Default: ```false```)
+
+`--tracing.zipkin.httpendpoint`:  
+HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v2/spans```)
+
+`--tracing.zipkin.id128bit`:  
+Use Zipkin 128 bit root span IDs. (Default: ```true```)
+
+`--tracing.zipkin.samespan`:  
+Use Zipkin SameSpan RPC style traces. (Default: ```false```)
+
+`--tracing.zipkin.samplerate`:  
+The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
--- a/docs/content/reference/static-configuration/cli.md
+++ b/docs/content/reference/static-configuration/cli.md
@@ -1,5 +1,4 @@
 # Static Configuration: CLI

-```txt
--8<-- "content/reference/static-configuration/cli.txt"
-```
+--8<-- "content/reference/static-configuration/cli-ref.md"
+
--- a/docs/content/reference/static-configuration/cli.txt
+++ b/docs/content/reference/static-configuration/cli.txt
@@ -1,609 +0,0 @@
--accesslog  (Default: "false")
-    Access log settings.
-
--accesslog.bufferingsize  (Default: "0")
-    Number of access log lines to process in a buffered way.
-
--accesslog.fields.defaultmode  (Default: "keep")
-    Default mode for fields: keep | drop
-
--accesslog.fields.headers.defaultmode  (Default: "keep")
-    Default mode for fields: keep | drop | redact
-
--accesslog.fields.headers.names.<name>  (Default: "")
-    Override mode for headers
-
--accesslog.fields.names.<name>  (Default: "")
-    Override mode for fields
-
--accesslog.filepath  (Default: "")
-    Access log file path. Stdout is used when omitted or empty.
-
--accesslog.filters.minduration  (Default: "0")
-    Keep access logs when request took longer than the specified duration.
-
--accesslog.filters.retryattempts  (Default: "false")
-    Keep access logs when at least one retry happened.
-
--accesslog.filters.statuscodes  (Default: "")
-    Keep access logs with status codes in the specified range.
-
--accesslog.format  (Default: "common")
-    Access log format: json | common
-
--acme.acmelogging  (Default: "false")
-    Enable debug logging of ACME actions.
-
--acme.caserver  (Default: "https://acme-v02.api.letsencrypt.org/directory")
-    CA server to use.
-
--acme.dnschallenge  (Default: "false")
-    Activate DNS-01 Challenge.
-
--acme.dnschallenge.delaybeforecheck  (Default: "0")
-    Assume DNS propagates after a delay in seconds rather than finding and querying
-    nameservers.
-
--acme.dnschallenge.disablepropagationcheck  (Default: "false")
-    Disable the DNS propagation checks before notifying ACME that the DNS challenge
-    is ready. [not recommended]
-
--acme.dnschallenge.provider  (Default: "")
-    Use a DNS-01 based challenge provider rather than HTTPS.
-
--acme.dnschallenge.resolvers  (Default: "")
-    Use following DNS servers to resolve the FQDN authority.
-
--acme.domains  (Default: "")
-    The list of domains for which certificates are generated on startup. Wildcard
-    domains only accepted with DNSChallenge.
-
--acme.domains[n].main  (Default: "")
-    Default subject name.
-
--acme.domains[n].sans  (Default: "")
-    Subject alternative names.
-
--acme.email  (Default: "")
-    Email address used for registration.
-
--acme.entrypoint  (Default: "")
-    EntryPoint to use.
-
--acme.httpchallenge  (Default: "false")
-    Activate HTTP-01 Challenge.
-
--acme.httpchallenge.entrypoint  (Default: "")
-    HTTP challenge EntryPoint
-
--acme.keytype  (Default: "RSA4096")
-    KeyType used for generating certificate private key. Allow value 'EC256',
-    'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
-
--acme.onhostrule  (Default: "false")
-    Enable certificate generation on router Host rules.
-
--acme.storage  (Default: "acme.json")
-    Storage to use.
-
--acme.tlschallenge  (Default: "true")
-    Activate TLS-ALPN-01 Challenge.
-
--api  (Default: "false")
-    Enable api/dashboard.
-
--api.dashboard  (Default: "true")
-    Activate dashboard.
-
--api.debug  (Default: "false")
-    Enable additional endpoints for debugging and profiling.
-
--api.entrypoint  (Default: "traefik")
-    The entry point that the API handler will be bound to.
-
--api.middlewares  (Default: "")
-    Middleware list.
-
--api.statistics  (Default: "false")
-    Enable more detailed statistics.
-
--api.statistics.recenterrors  (Default: "10")
-    Number of recent errors logged.
-
--configfile  (Default: "")
-    Configuration file to use. If specified all other flags are ignored.
-
--entrypoints.<name>  (Default: "false")
-    Entry points definition.
-
--entrypoints.<name>.address  (Default: "")
-    Entry point address.
-
--entrypoints.<name>.forwardedheaders.insecure  (Default: "false")
-    Trust all forwarded headers.
-
--entrypoints.<name>.forwardedheaders.trustedips  (Default: "")
-    Trust only forwarded headers from selected IPs.
-
--entrypoints.<name>.proxyprotocol  (Default: "false")
-    Proxy-Protocol configuration.
-
--entrypoints.<name>.proxyprotocol.insecure  (Default: "false")
-    Trust all.
-
--entrypoints.<name>.proxyprotocol.trustedips  (Default: "")
-    Trust only selected IPs.
-
--entrypoints.<name>.transport.lifecycle.gracetimeout  (Default: "10")
-    Duration to give active requests a chance to finish before Traefik stops.
-
--entrypoints.<name>.transport.lifecycle.requestacceptgracetimeout  (Default: "0")
-    Duration to keep accepting requests before Traefik initiates the graceful
-    shutdown procedure.
-
--entrypoints.<name>.transport.respondingtimeouts.idletimeout  (Default: "180")
-    IdleTimeout is the maximum amount duration an idle (keep-alive) connection will
-    remain idle before closing itself. If zero, no timeout is set.
-
--entrypoints.<name>.transport.respondingtimeouts.readtimeout  (Default: "0")
-    ReadTimeout is the maximum duration for reading the entire request, including
-    the body. If zero, no timeout is set.
-
--entrypoints.<name>.transport.respondingtimeouts.writetimeout  (Default: "0")
-    WriteTimeout is the maximum duration before timing out writes of the response.
-    If zero, no timeout is set.
-
--global.checknewversion  (Default: "true")
-    Periodically check if a new version has been released.
-
--global.sendanonymoususage
-    Periodically send anonymous usage statistics. If the option is not specified, it
-    will be enabled by default.
-
--hostresolver  (Default: "false")
-    Enable CNAME Flattening.
-
--hostresolver.cnameflattening  (Default: "false")
-    A flag to enable/disable CNAME flattening
-
--hostresolver.resolvconfig  (Default: "/etc/resolv.conf")
-    resolv.conf used for DNS resolving
-
--hostresolver.resolvdepth  (Default: "5")
-    The maximal depth of DNS recursive resolving
-
--log  (Default: "false")
-    Traefik log settings.
-
--log.filepath  (Default: "")
-    Traefik log file path. Stdout is used when omitted or empty.
-
--log.format  (Default: "common")
-    Traefik log format: json | common
-
--log.level  (Default: "ERROR")
-    Log level set to traefik logs.
-
--metrics.datadog  (Default: "false")
-    DataDog metrics exporter type.
-
--metrics.datadog.address  (Default: "localhost:8125")
-    DataDog's address.
-
--metrics.datadog.pushinterval  (Default: "10")
-    DataDog push interval.
-
--metrics.influxdb  (Default: "false")
-    InfluxDB metrics exporter type.
-
--metrics.influxdb.address  (Default: "localhost:8089")
-    InfluxDB address.
-
--metrics.influxdb.database  (Default: "")
-    InfluxDB database used when protocol is http.
-
--metrics.influxdb.password  (Default: "")
-    InfluxDB password (only with http).
-
--metrics.influxdb.protocol  (Default: "udp")
-    InfluxDB address protocol (udp or http).
-
--metrics.influxdb.pushinterval  (Default: "10")
-    InfluxDB push interval.
-
--metrics.influxdb.retentionpolicy  (Default: "")
-    InfluxDB retention policy used when protocol is http.
-
--metrics.influxdb.username  (Default: "")
-    InfluxDB username (only with http).
-
--metrics.prometheus  (Default: "false")
-    Prometheus metrics exporter type.
-
--metrics.prometheus.buckets  (Default: "0.100000, 0.300000, 1.200000, 5.000000")
-    Buckets for latency metrics.
-
--metrics.prometheus.entrypoint  (Default: "traefik")
-    EntryPoint.
-
--metrics.prometheus.middlewares  (Default: "")
-    Middlewares.
-
--metrics.statsd  (Default: "false")
-    StatsD metrics exporter type.
-
--metrics.statsd.address  (Default: "localhost:8125")
-    StatsD address.
-
--metrics.statsd.pushinterval  (Default: "10")
-    StatsD push interval.
-
--ping  (Default: "false")
-    Enable ping.
-
--ping.entrypoint  (Default: "traefik")
-    Ping entryPoint.
-
--ping.middlewares  (Default: "")
-    Middleware list.
-
--providers.docker  (Default: "false")
-    Enable Docker backend with default settings.
-
--providers.docker.constraints  (Default: "")
-    Constraints is an expression that Traefik matches against the container's labels
-    to determine whether to create any route for that container.
-
--providers.docker.defaultrule  (Default: "Host(`{{ normalize .Name }}`)")
-    Default rule.
-
--providers.docker.endpoint  (Default: "unix:///var/run/docker.sock")
-    Docker server endpoint. Can be a tcp or a unix socket endpoint.
-
--providers.docker.exposedbydefault  (Default: "true")
-    Expose containers by default.
-
--providers.docker.network  (Default: "")
-    Default Docker network used.
-
--providers.docker.swarmmode  (Default: "false")
-    Use Docker on Swarm Mode.
-
--providers.docker.swarmmoderefreshseconds  (Default: "15")
-    Polling interval for swarm mode.
-
--providers.docker.tls.ca  (Default: "")
-    TLS CA
-
--providers.docker.tls.caoptional  (Default: "false")
-    TLS CA.Optional
-
--providers.docker.tls.cert  (Default: "")
-    TLS cert
-
--providers.docker.tls.insecureskipverify  (Default: "false")
-    TLS insecure skip verify
-
--providers.docker.tls.key  (Default: "")
-    TLS key
-
--providers.docker.usebindportip  (Default: "false")
-    Use the ip address from the bound port, rather than from the inner network.
-
--providers.docker.watch  (Default: "true")
-    Watch provider.
-
--providers.file  (Default: "false")
-    Enable File backend with default settings.
-
--providers.file.debugloggeneratedtemplate  (Default: "false")
-    Enable debug logging of generated configuration template.
-
--providers.file.directory  (Default: "")
-    Load configuration from one or more .toml files in a directory.
-
--providers.file.filename  (Default: "")
-    Override default configuration template. For advanced users :)
-
--providers.file.watch  (Default: "true")
-    Watch provider.
-
--providers.kubernetes  (Default: "false")
-    Enable Kubernetes backend with default settings.
-
--providers.kubernetes.certauthfilepath  (Default: "")
-    Kubernetes certificate authority file path (not needed for in-cluster client).
-
--providers.kubernetes.disablepasshostheaders  (Default: "false")
-    Kubernetes disable PassHost Headers.
-
--providers.kubernetes.endpoint  (Default: "")
-    Kubernetes server endpoint (required for external cluster client).
-
--providers.kubernetes.ingressclass  (Default: "")
-    Value of kubernetes.io/ingress.class annotation to watch for.
-
--providers.kubernetes.ingressendpoint.hostname  (Default: "")
-    Hostname used for Kubernetes Ingress endpoints.
-
--providers.kubernetes.ingressendpoint.ip  (Default: "")
-    IP used for Kubernetes Ingress endpoints.
-
--providers.kubernetes.ingressendpoint.publishedservice  (Default: "")
-    Published Kubernetes Service to copy status from.
-
--providers.kubernetes.labelselector  (Default: "")
-    Kubernetes Ingress label selector to use.
-
--providers.kubernetes.namespaces  (Default: "")
-    Kubernetes namespaces.
-
--providers.kubernetes.token  (Default: "")
-    Kubernetes bearer token (not needed for in-cluster client).
-
--providers.kubernetescrd  (Default: "false")
-    Enable Kubernetes backend with default settings.
-
--providers.kubernetescrd.certauthfilepath  (Default: "")
-    Kubernetes certificate authority file path (not needed for in-cluster client).
-
--providers.kubernetescrd.disablepasshostheaders  (Default: "false")
-    Kubernetes disable PassHost Headers.
-
--providers.kubernetescrd.endpoint  (Default: "")
-    Kubernetes server endpoint (required for external cluster client).
-
--providers.kubernetescrd.ingressclass  (Default: "")
-    Value of kubernetes.io/ingress.class annotation to watch for.
-
--providers.kubernetescrd.labelselector  (Default: "")
-    Kubernetes label selector to use.
-
--providers.kubernetescrd.namespaces  (Default: "")
-    Kubernetes namespaces.
-
--providers.kubernetescrd.token  (Default: "")
-    Kubernetes bearer token (not needed for in-cluster client).
-
--providers.marathon  (Default: "false")
-    Enable Marathon backend with default settings.
-
--providers.marathon.basic.httpbasicauthuser  (Default: "")
-    Basic authentication User.
-
--providers.marathon.basic.httpbasicpassword  (Default: "")
-    Basic authentication Password.
-
--providers.marathon.constraints  (Default: "")
-    Constraints is an expression that Traefik matches against the application's
-    labels to determine whether to create any route for that application.
-
--providers.marathon.dcostoken  (Default: "")
-    DCOSToken for DCOS environment, This will override the Authorization header.
-
--providers.marathon.defaultrule  (Default: "Host(`{{ normalize .Name }}`)")
-    Default rule.
-
--providers.marathon.dialertimeout  (Default: "5")
-    Set a dialer timeout for Marathon.
-
--providers.marathon.endpoint  (Default: "http://127.0.0.1:8080")
-    Marathon server endpoint. You can also specify multiple endpoint for Marathon.
-
--providers.marathon.exposedbydefault  (Default: "true")
-    Expose Marathon apps by default.
-
--providers.marathon.forcetaskhostname  (Default: "false")
-    Force to use the task's hostname.
-
--providers.marathon.keepalive  (Default: "10")
-    Set a TCP Keep Alive time.
-
--providers.marathon.respectreadinesschecks  (Default: "false")
-    Filter out tasks with non-successful readiness checks during deployments.
-
--providers.marathon.responseheadertimeout  (Default: "60")
-    Set a response header timeout for Marathon.
-
--providers.marathon.tls.ca  (Default: "")
-    TLS CA
-
--providers.marathon.tls.caoptional  (Default: "false")
-    TLS CA.Optional
-
--providers.marathon.tls.cert  (Default: "")
-    TLS cert
-
--providers.marathon.tls.insecureskipverify  (Default: "false")
-    TLS insecure skip verify
-
--providers.marathon.tls.key  (Default: "")
-    TLS key
-
--providers.marathon.tlshandshaketimeout  (Default: "5")
-    Set a TLS handshake timeout for Marathon.
-
--providers.marathon.trace  (Default: "false")
-    Display additional provider logs.
-
--providers.marathon.watch  (Default: "true")
-    Watch provider.
-
--providers.providersthrottleduration  (Default: "2")
-    Backends throttle duration: minimum duration between 2 events from providers
-    before applying a new configuration. It avoids unnecessary reloads if multiples
-    events are sent in a short amount of time.
-
--providers.rancher  (Default: "false")
-    Enable Rancher backend with default settings.
-
--providers.rancher.constraints  (Default: "")
-    Constraints is an expression that Traefik matches against the container's labels
-    to determine whether to create any route for that container.
-
--providers.rancher.defaultrule  (Default: "Host(`{{ normalize .Name }}`)")
-    Default rule.
-
--providers.rancher.enableservicehealthfilter  (Default: "true")
-    Filter services with unhealthy states and inactive states.
-
--providers.rancher.exposedbydefault  (Default: "true")
-    Expose containers by default.
-
--providers.rancher.intervalpoll  (Default: "false")
-    Poll the Rancher metadata service every 'rancher.refreshseconds' (less
-    accurate).
-
--providers.rancher.prefix  (Default: "latest")
-    Prefix used for accessing the Rancher metadata service.
-
--providers.rancher.refreshseconds  (Default: "15")
-    Defines the polling interval in seconds.
-
--providers.rancher.watch  (Default: "true")
-    Watch provider.
-
--providers.rest  (Default: "false")
-    Enable Rest backend with default settings.
-
--providers.rest.entrypoint  (Default: "traefik")
-    EntryPoint.
-
--serverstransport.forwardingtimeouts.dialtimeout  (Default: "30")
-    The amount of time to wait until a connection to a backend server can be
-    established. If zero, no timeout exists.
-
--serverstransport.forwardingtimeouts.responseheadertimeout  (Default: "0")
-    The amount of time to wait for a server's response headers after fully writing
-    the request (including its body, if any). If zero, no timeout exists.
-
--serverstransport.forwardingtimeouts.idleconntimeout  (Default: "90s")
-	The maximum period for which an idle HTTP keep-alive connection to a backend
-	server will remain open before closing itself.
-
--serverstransport.insecureskipverify  (Default: "false")
-    Disable SSL certificate verification.
-
--serverstransport.maxidleconnsperhost  (Default: "200")
-    If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero,
-    DefaultMaxIdleConnsPerHost is used
-
--serverstransport.rootcas  (Default: "")
-    Add cert file for self-signed certificate.
-
--tracing  (Default: "false")
-    OpenTracing configuration.
-
--tracing.datadog  (Default: "false")
-    Settings for DataDog.
-
--tracing.datadog.bagageprefixheadername  (Default: "")
-    Specifies the header name prefix that will be used to store baggage items in a
-    map.
-
--tracing.datadog.debug  (Default: "false")
-    Enable DataDog debug.
-
--tracing.datadog.globaltag  (Default: "")
-    Key:Value tag to be set on all the spans.
-
--tracing.datadog.localagenthostport  (Default: "localhost:8126")
-    Set datadog-agent's host:port that the reporter will used.
-
--tracing.datadog.parentidheadername  (Default: "")
-    Specifies the header name that will be used to store the parent ID.
-
--tracing.datadog.prioritysampling  (Default: "false")
-    Enable priority sampling. When using distributed tracing, this option must be
-    enabled in order to get all the parts of a distributed trace sampled.
-
--tracing.datadog.samplingpriorityheadername  (Default: "")
-    Specifies the header name that will be used to store the sampling priority.
-
--tracing.datadog.traceidheadername  (Default: "")
-    Specifies the header name that will be used to store the trace ID.
-
--tracing.haystack  (Default: "false")
-    Settings for Haystack.
-
--tracing.haystack.baggageprefixheadername  (Default: "")
-    Specifies the header name prefix that will be used to store baggage items in a
-    map.
-
--tracing.haystack.globaltag  (Default: "")
-    Key:Value tag to be set on all the spans.
-
--tracing.haystack.localagenthost  (Default: "LocalAgentHost")
-    Set haystack-agent's host that the reporter will used.
-
--tracing.haystack.localagentport  (Default: "35000")
-    Set haystack-agent's port that the reporter will used.
-
--tracing.haystack.parentidheadername  (Default: "")
-    Specifies the header name that will be used to store the parent ID.
-
--tracing.haystack.spanidheadername  (Default: "")
-    Specifies the header name that will be used to store the span ID.
-
--tracing.haystack.traceidheadername  (Default: "")
-    Specifies the header name that will be used to store the trace ID.
-
--tracing.instana  (Default: "false")
-    Settings for Instana.
-
--tracing.instana.localagenthost  (Default: "localhost")
-    Set instana-agent's host that the reporter will used.
-
--tracing.instana.localagentport  (Default: "42699")
-    Set instana-agent's port that the reporter will used.
-
--tracing.instana.loglevel  (Default: "info")
-    Set instana-agent's log level. ('error','warn','info','debug')
-
--tracing.jaeger  (Default: "false")
-    Settings for jaeger.
-
--tracing.jaeger.gen128bit  (Default: "false")
-    Generate 128 bit span IDs.
-
--tracing.jaeger.localagenthostport  (Default: "127.0.0.1:6831")
-    Set jaeger-agent's host:port that the reporter will used.
-
--tracing.jaeger.propagation  (Default: "jaeger")
-    Which propgation format to use (jaeger/b3).
-
--tracing.jaeger.samplingparam  (Default: "1.000000")
-    Set the sampling parameter.
-
--tracing.jaeger.samplingserverurl  (Default: "http://localhost:5778/sampling")
-    Set the sampling server url.
-
--tracing.jaeger.samplingtype  (Default: "const")
-    Set the sampling type.
-
--tracing.jaeger.tracecontextheadername  (Default: "uber-trace-id")
-    Set the header to use for the trace-id.
-
--tracing.servicename  (Default: "traefik")
-    Set the name for this service.
-
--tracing.spannamelimit  (Default: "0")
-    Set the maximum character limit for Span names (default 0 = no limit).
-
--tracing.zipkin  (Default: "false")
-    Settings for zipkin.
-
--tracing.zipkin.debug  (Default: "false")
-    Enable Zipkin debug.
-
--tracing.zipkin.httpendpoint  (Default: "http://localhost:9411/api/v1/spans")
-    HTTP Endpoint to report traces to.
-
--tracing.zipkin.id128bit  (Default: "true")
-    Use Zipkin 128 bit root span IDs.
-
--tracing.zipkin.samespan  (Default: "false")
-    Use Zipkin SameSpan RPC style traces.
-
--tracing.zipkin.samplerate  (Default: "1.000000")
-    The rate between 0.0 and 1.0 of requests to trace.
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -0,0 +1,592 @@
+<!--
+CODE GENERATED AUTOMATICALLY
+THIS FILE MUST NOT BE EDITED BY HAND
+-->
+
+`TRAEFIK_ACCESSLOG`:  
+Access log settings. (Default: ```false```)
+
+`TRAEFIK_ACCESSLOG_BUFFERINGSIZE`:  
+Number of access log lines to process in a buffered way. (Default: ```0```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_DEFAULTMODE`:  
+Default mode for fields: keep | drop (Default: ```keep```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_DEFAULTMODE`:  
+Default mode for fields: keep | drop | redact (Default: ```drop```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_<NAME>`:  
+Override mode for headers
+
+`TRAEFIK_ACCESSLOG_FIELDS_NAMES_<NAME>`:  
+Override mode for fields
+
+`TRAEFIK_ACCESSLOG_FILEPATH`:  
+Access log file path. Stdout is used when omitted or empty.
+
+`TRAEFIK_ACCESSLOG_FILTERS_MINDURATION`:  
+Keep access logs when request took longer than the specified duration. (Default: ```0```)
+
+`TRAEFIK_ACCESSLOG_FILTERS_RETRYATTEMPTS`:  
+Keep access logs when at least one retry happened. (Default: ```false```)
+
+`TRAEFIK_ACCESSLOG_FILTERS_STATUSCODES`:  
+Keep access logs with status codes in the specified range.
+
+`TRAEFIK_ACCESSLOG_FORMAT`:  
+Access log format: json | common (Default: ```common```)
+
+`TRAEFIK_API`:  
+Enable api/dashboard. (Default: ```false```)
+
+`TRAEFIK_API_DASHBOARD`:  
+Activate dashboard. (Default: ```true```)
+
+`TRAEFIK_API_DEBUG`:  
+Enable additional endpoints for debugging and profiling. (Default: ```false```)
+
+`TRAEFIK_API_INSECURE`:  
+Activate API directly on the entryPoint named traefik. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>`:  
+Certificates resolvers configuration. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CASERVER`:  
+CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:  
+Activate DNS-01 Challenge. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:  
+Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:  
+Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROVIDER`:  
+Use a DNS-01 based challenge provider rather than HTTPS.
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_RESOLVERS`:  
+Use following DNS servers to resolve the FQDN authority.
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EMAIL`:  
+Email address used for registration.
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE`:  
+Activate HTTP-01 Challenge. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_ENTRYPOINT`:  
+HTTP challenge EntryPoint
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_KEYTYPE`:  
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_STORAGE`:  
+Storage to use. (Default: ```acme.json```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`:  
+Activate TLS-ALPN-01 Challenge. (Default: ```true```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>`:  
+Entry points definition. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:  
+Entry point address.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
+Trust all forwarded headers. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_TRUSTEDIPS`:  
+Trust only forwarded headers from selected IPs.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL`:  
+Proxy-Protocol configuration. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_INSECURE`:  
+Trust all. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_TRUSTEDIPS`:  
+Trust only selected IPs.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_LIFECYCLE_GRACETIMEOUT`:  
+Duration to give active requests a chance to finish before Traefik stops. (Default: ```10```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_LIFECYCLE_REQUESTACCEPTGRACETIMEOUT`:  
+Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: ```0```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_IDLETIMEOUT`:  
+IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT`:  
+ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```0```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_WRITETIMEOUT`:  
+WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
+
+`TRAEFIK_GLOBAL_CHECKNEWVERSION`:  
+Periodically check if a new version has been released. (Default: ```false```)
+
+`TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:  
+Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)
+
+`TRAEFIK_HOSTRESOLVER`:  
+Enable CNAME Flattening. (Default: ```false```)
+
+`TRAEFIK_HOSTRESOLVER_CNAMEFLATTENING`:  
+A flag to enable/disable CNAME flattening (Default: ```false```)
+
+`TRAEFIK_HOSTRESOLVER_RESOLVCONFIG`:  
+resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
+
+`TRAEFIK_HOSTRESOLVER_RESOLVDEPTH`:  
+The maximal depth of DNS recursive resolving (Default: ```5```)
+
+`TRAEFIK_LOG`:  
+Traefik log settings. (Default: ```false```)
+
+`TRAEFIK_LOG_FILEPATH`:  
+Traefik log file path. Stdout is used when omitted or empty.
+
+`TRAEFIK_LOG_FORMAT`:  
+Traefik log format: json | common (Default: ```common```)
+
+`TRAEFIK_LOG_LEVEL`:  
+Log level set to traefik logs. (Default: ```ERROR```)
+
+`TRAEFIK_METRICS_DATADOG`:  
+Datadog metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_DATADOG_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_DATADOG_ADDRESS`:  
+Datadog's address. (Default: ```localhost:8125```)
+
+`TRAEFIK_METRICS_DATADOG_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_DATADOG_PUSHINTERVAL`:  
+Datadog push interval. (Default: ```10```)
+
+`TRAEFIK_METRICS_INFLUXDB`:  
+InfluxDB metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_INFLUXDB_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_INFLUXDB_ADDRESS`:  
+InfluxDB address. (Default: ```localhost:8089```)
+
+`TRAEFIK_METRICS_INFLUXDB_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_INFLUXDB_DATABASE`:  
+InfluxDB database used when protocol is http.
+
+`TRAEFIK_METRICS_INFLUXDB_PASSWORD`:  
+InfluxDB password (only with http).
+
+`TRAEFIK_METRICS_INFLUXDB_PROTOCOL`:  
+InfluxDB address protocol (udp or http). (Default: ```udp```)
+
+`TRAEFIK_METRICS_INFLUXDB_PUSHINTERVAL`:  
+InfluxDB push interval. (Default: ```10```)
+
+`TRAEFIK_METRICS_INFLUXDB_RETENTIONPOLICY`:  
+InfluxDB retention policy used when protocol is http.
+
+`TRAEFIK_METRICS_INFLUXDB_USERNAME`:  
+InfluxDB username (only with http).
+
+`TRAEFIK_METRICS_PROMETHEUS`:  
+Prometheus metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_PROMETHEUS_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_PROMETHEUS_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_PROMETHEUS_BUCKETS`:  
+Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
+
+`TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:  
+EntryPoint (Default: ```traefik```)
+
+`TRAEFIK_METRICS_STATSD`:  
+StatsD metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_STATSD_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_STATSD_ADDRESS`:  
+StatsD address. (Default: ```localhost:8125```)
+
+`TRAEFIK_METRICS_STATSD_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
+StatsD push interval. (Default: ```10```)
+
+`TRAEFIK_PING`:  
+Enable ping. (Default: ```false```)
+
+`TRAEFIK_PING_ENTRYPOINT`:  
+EntryPoint (Default: ```traefik```)
+
+`TRAEFIK_PROVIDERS_DOCKER`:  
+Enable Docker backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`TRAEFIK_PROVIDERS_DOCKER_DEFAULTRULE`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_DOCKER_ENDPOINT`:  
+Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
+
+`TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT`:  
+Expose containers by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_DOCKER_NETWORK`:  
+Default Docker network used.
+
+`TRAEFIK_PROVIDERS_DOCKER_SWARMMODE`:  
+Use Docker on Swarm Mode. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_SWARMMODEREFRESHSECONDS`:  
+Polling interval for swarm mode. (Default: ```15```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_DOCKER_USEBINDPORTIP`:  
+Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_WATCH`:  
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_FILE_DEBUGLOGGENERATEDTEMPLATE`:  
+Enable debug logging of generated configuration template. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_FILE_DIRECTORY`:  
+Load configuration from one or more .toml files in a directory.
+
+`TRAEFIK_PROVIDERS_FILE_FILENAME`:  
+Override default configuration template. For advanced users :)
+
+`TRAEFIK_PROVIDERS_FILE_WATCH`:  
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD`:  
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_DISABLEPASSHOSTHEADERS`:  
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_ENDPOINT`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_INGRESSCLASS`:  
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_LABELSELECTOR`:  
+Kubernetes label selector to use.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_NAMESPACES`:  
+Kubernetes namespaces.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_THROTTLEDURATION`:  
+Ingress refresh throttle duration (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_TOKEN`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS`:  
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_CERTAUTHFILEPATH`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_DISABLEPASSHOSTHEADERS`:  
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_ENDPOINT`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_INGRESSCLASS`:  
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_INGRESSENDPOINT_HOSTNAME`:  
+Hostname used for Kubernetes Ingress endpoints.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_INGRESSENDPOINT_IP`:  
+IP used for Kubernetes Ingress endpoints.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_INGRESSENDPOINT_PUBLISHEDSERVICE`:  
+Published Kubernetes Service to copy status from.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_LABELSELECTOR`:  
+Kubernetes Ingress label selector to use.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_NAMESPACES`:  
+Kubernetes namespaces.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_THROTTLEDURATION`:  
+Ingress refresh throttle duration (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_TOKEN`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_MARATHON`:  
+Enable Marathon backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICAUTHUSER`:  
+Basic authentication User.
+
+`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICPASSWORD`:  
+Basic authentication Password.
+
+`TRAEFIK_PROVIDERS_MARATHON_CONSTRAINTS`:  
+Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
+
+`TRAEFIK_PROVIDERS_MARATHON_DCOSTOKEN`:  
+DCOSToken for DCOS environment, This will override the Authorization header.
+
+`TRAEFIK_PROVIDERS_MARATHON_DEFAULTRULE`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_MARATHON_DIALERTIMEOUT`:  
+Set a dialer timeout for Marathon. (Default: ```5```)
+
+`TRAEFIK_PROVIDERS_MARATHON_ENDPOINT`:  
+Marathon server endpoint. You can also specify multiple endpoint for Marathon. (Default: ```http://127.0.0.1:8080```)
+
+`TRAEFIK_PROVIDERS_MARATHON_EXPOSEDBYDEFAULT`:  
+Expose Marathon apps by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_MARATHON_FORCETASKHOSTNAME`:  
+Force to use the task's hostname. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_KEEPALIVE`:  
+Set a TCP Keep Alive time. (Default: ```10```)
+
+`TRAEFIK_PROVIDERS_MARATHON_RESPECTREADINESSCHECKS`:  
+Filter out tasks with non-successful readiness checks during deployments. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_RESPONSEHEADERTIMEOUT`:  
+Set a response header timeout for Marathon. (Default: ```60```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLSHANDSHAKETIMEOUT`:  
+Set a TLS handshake timeout for Marathon. (Default: ```5```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_MARATHON_TRACE`:  
+Display additional provider logs. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_WATCH`:  
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_PROVIDERSTHROTTLEDURATION`:  
+Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_RANCHER`:  
+Enable Rancher backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_RANCHER_CONSTRAINTS`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`TRAEFIK_PROVIDERS_RANCHER_DEFAULTRULE`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_RANCHER_ENABLESERVICEHEALTHFILTER`:  
+Filter services with unhealthy states and inactive states. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_RANCHER_EXPOSEDBYDEFAULT`:  
+Expose containers by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_RANCHER_INTERVALPOLL`:  
+Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate). (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_RANCHER_PREFIX`:  
+Prefix used for accessing the Rancher metadata service. (Default: ```latest```)
+
+`TRAEFIK_PROVIDERS_RANCHER_REFRESHSECONDS`:  
+Defines the polling interval in seconds. (Default: ```15```)
+
+`TRAEFIK_PROVIDERS_RANCHER_WATCH`:  
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_REST`:  
+Enable Rest backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_REST_INSECURE`:  
+Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)
+
+`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
+The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
+
+`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_IDLECONNTIMEOUT`:  
+The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself (Default: ```90```)
+
+`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_RESPONSEHEADERTIMEOUT`:  
+The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
+
+`TRAEFIK_SERVERSTRANSPORT_INSECURESKIPVERIFY`:  
+Disable SSL certificate verification. (Default: ```false```)
+
+`TRAEFIK_SERVERSTRANSPORT_MAXIDLECONNSPERHOST`:  
+If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: ```0```)
+
+`TRAEFIK_SERVERSTRANSPORT_ROOTCAS`:  
+Add cert file for self-signed certificate.
+
+`TRAEFIK_TRACING`:  
+OpenTracing configuration. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG`:  
+Settings for Datadog. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_BAGAGEPREFIXHEADERNAME`:  
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`TRAEFIK_TRACING_DATADOG_DEBUG`:  
+Enable Datadog debug. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
+Key:Value tag to be set on all the spans.
+
+`TRAEFIK_TRACING_DATADOG_LOCALAGENTHOSTPORT`:  
+Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
+
+`TRAEFIK_TRACING_DATADOG_PARENTIDHEADERNAME`:  
+Specifies the header name that will be used to store the parent ID.
+
+`TRAEFIK_TRACING_DATADOG_PRIORITYSAMPLING`:  
+Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_SAMPLINGPRIORITYHEADERNAME`:  
+Specifies the header name that will be used to store the sampling priority.
+
+`TRAEFIK_TRACING_DATADOG_TRACEIDHEADERNAME`:  
+Specifies the header name that will be used to store the trace ID.
+
+`TRAEFIK_TRACING_HAYSTACK`:  
+Settings for Haystack. (Default: ```false```)
+
+`TRAEFIK_TRACING_HAYSTACK_BAGGAGEPREFIXHEADERNAME`:  
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`TRAEFIK_TRACING_HAYSTACK_GLOBALTAG`:  
+Key:Value tag to be set on all the spans.
+
+`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTHOST`:  
+Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+
+`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTPORT`:  
+Set haystack-agent's port that the reporter will used. (Default: ```35000```)
+
+`TRAEFIK_TRACING_HAYSTACK_PARENTIDHEADERNAME`:  
+Specifies the header name that will be used to store the parent ID.
+
+`TRAEFIK_TRACING_HAYSTACK_SPANIDHEADERNAME`:  
+Specifies the header name that will be used to store the span ID.
+
+`TRAEFIK_TRACING_HAYSTACK_TRACEIDHEADERNAME`:  
+Specifies the header name that will be used to store the trace ID.
+
+`TRAEFIK_TRACING_INSTANA`:  
+Settings for Instana. (Default: ```false```)
+
+`TRAEFIK_TRACING_INSTANA_LOCALAGENTHOST`:  
+Set instana-agent's host that the reporter will used. (Default: ```localhost```)
+
+`TRAEFIK_TRACING_INSTANA_LOCALAGENTPORT`:  
+Set instana-agent's port that the reporter will used. (Default: ```42699```)
+
+`TRAEFIK_TRACING_INSTANA_LOGLEVEL`:  
+Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
+
+`TRAEFIK_TRACING_JAEGER`:  
+Settings for Jaeger. (Default: ```false```)
+
+`TRAEFIK_TRACING_JAEGER_COLLECTOR_ENDPOINT`:  
+Instructs reporter to send spans to jaeger-collector at this URL.
+
+`TRAEFIK_TRACING_JAEGER_COLLECTOR_PASSWORD`:  
+Password for basic http authentication when sending spans to jaeger-collector.
+
+`TRAEFIK_TRACING_JAEGER_COLLECTOR_USER`:  
+User for basic http authentication when sending spans to jaeger-collector.
+
+`TRAEFIK_TRACING_JAEGER_GEN128BIT`:  
+Generate 128 bit span IDs. (Default: ```false```)
+
+`TRAEFIK_TRACING_JAEGER_LOCALAGENTHOSTPORT`:  
+Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
+
+`TRAEFIK_TRACING_JAEGER_PROPAGATION`:  
+Which propagation format to use (jaeger/b3). (Default: ```jaeger```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGPARAM`:  
+Set the sampling parameter. (Default: ```1.000000```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGSERVERURL`:  
+Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGTYPE`:  
+Set the sampling type. (Default: ```const```)
+
+`TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME`:  
+Set the header to use for the trace-id. (Default: ```uber-trace-id```)
+
+`TRAEFIK_TRACING_SERVICENAME`:  
+Set the name for this service. (Default: ```traefik```)
+
+`TRAEFIK_TRACING_SPANNAMELIMIT`:  
+Set the maximum character limit for Span names (default 0 = no limit). (Default: ```0```)
+
+`TRAEFIK_TRACING_ZIPKIN`:  
+Settings for Zipkin. (Default: ```false```)
+
+`TRAEFIK_TRACING_ZIPKIN_HTTPENDPOINT`:  
+HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v2/spans```)
+
+`TRAEFIK_TRACING_ZIPKIN_ID128BIT`:  
+Use Zipkin 128 bit root span IDs. (Default: ```true```)
+
+`TRAEFIK_TRACING_ZIPKIN_SAMESPAN`:  
+Use Zipkin SameSpan RPC style traces. (Default: ```false```)
+
+`TRAEFIK_TRACING_ZIPKIN_SAMPLERATE`:  
+The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
--- a/docs/content/reference/static-configuration/env.md
+++ b/docs/content/reference/static-configuration/env.md
@@ -1,590 +1,3 @@
 # Static Configuration: Environment variables

-`TRAEFIK_ACCESSLOG`:  
-Access log settings. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_BUFFERINGSIZE`:  
-Number of access log lines to process in a buffered way. (Default: ```0```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_DEFAULTMODE`:  
-Default mode for fields: keep | drop (Default: ```keep```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_DEFAULTMODE`:  
-Default mode for fields: keep | drop | redact (Default: ```keep```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_<NAME>`:  
-Override mode for headers
-
-`TRAEFIK_ACCESSLOG_FIELDS_NAMES_<NAME>`:  
-Override mode for fields
-
-`TRAEFIK_ACCESSLOG_FILEPATH`:  
-Access log file path. Stdout is used when omitted or empty.
-
-`TRAEFIK_ACCESSLOG_FILTERS_MINDURATION`:  
-Keep access logs when request took longer than the specified duration. (Default: ```0```)
-
-`TRAEFIK_ACCESSLOG_FILTERS_RETRYATTEMPTS`:  
-Keep access logs when at least one retry happened. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_FILTERS_STATUSCODES`:  
-Keep access logs with status codes in the specified range.
-
-`TRAEFIK_ACCESSLOG_FORMAT`:  
-Access log format: json | common (Default: ```common```)
-
-`TRAEFIK_ACME_ACMELOGGING`:  
-Enable debug logging of ACME actions. (Default: ```false```)
-
-`TRAEFIK_ACME_CASERVER`:  
-CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
-
-`TRAEFIK_ACME_DNSCHALLENGE`:  
-Activate DNS-01 Challenge. (Default: ```false```)
-
-`TRAEFIK_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:  
-Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
-
-`TRAEFIK_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:  
-Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
-
-`TRAEFIK_ACME_DNSCHALLENGE_PROVIDER`:  
-Use a DNS-01 based challenge provider rather than HTTPS.
-
-`TRAEFIK_ACME_DNSCHALLENGE_RESOLVERS`:  
-Use following DNS servers to resolve the FQDN authority.
-
-`TRAEFIK_ACME_DOMAINS`:  
-The list of domains for which certificates are generated on startup. Wildcard domains only accepted with DNSChallenge.
-
-`TRAEFIK_ACME_DOMAINS[n]_MAIN`:  
-Default subject name.
-
-`TRAEFIK_ACME_DOMAINS[n]_SANS`:  
-Subject alternative names.
-
-`TRAEFIK_ACME_EMAIL`:  
-Email address used for registration.
-
-`TRAEFIK_ACME_ENTRYPOINT`:  
-EntryPoint to use.
-
-`TRAEFIK_ACME_HTTPCHALLENGE`:  
-Activate HTTP-01 Challenge. (Default: ```false```)
-
-`TRAEFIK_ACME_HTTPCHALLENGE_ENTRYPOINT`:  
-HTTP challenge EntryPoint
-
-`TRAEFIK_ACME_KEYTYPE`:  
-KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
-
-`TRAEFIK_ACME_ONHOSTRULE`:  
-Enable certificate generation on router Host rules. (Default: ```false```)
-
-`TRAEFIK_ACME_STORAGE`:  
-Storage to use. (Default: ```acme.json```)
-
-`TRAEFIK_ACME_TLSCHALLENGE`:  
-Activate TLS-ALPN-01 Challenge. (Default: ```true```)
-
-`TRAEFIK_API`:  
-Enable api/dashboard. (Default: ```false```)
-
-`TRAEFIK_API_DASHBOARD`:  
-Activate dashboard. (Default: ```true```)
-
-`TRAEFIK_API_DEBUG`:  
-Enable additional endpoints for debugging and profiling. (Default: ```false```)
-
-`TRAEFIK_API_ENTRYPOINT`:  
-The entry point that the API handler will be bound to. (Default: ```traefik```)
-
-`TRAEFIK_API_MIDDLEWARES`:  
-Middleware list.
-
-`TRAEFIK_API_STATISTICS`:  
-Enable more detailed statistics. (Default: ```false```)
-
-`TRAEFIK_API_STATISTICS_RECENTERRORS`:  
-Number of recent errors logged. (Default: ```10```)
-
-`TRAEFIK_CONFIGFILE`:  
-Configuration file to use. If specified all other flags are ignored. (Default: "")
-
-`TRAEFIK_ENTRYPOINTS_<NAME>`:  
-Entry points definition. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:  
-Entry point address.
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
-Trust all forwarded headers. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_TRUSTEDIPS`:  
-Trust only forwarded headers from selected IPs.
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL`:  
-Proxy-Protocol configuration. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_INSECURE`:  
-Trust all. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_TRUSTEDIPS`:  
-Trust only selected IPs.
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_LIFECYCLE_GRACETIMEOUT`:  
-Duration to give active requests a chance to finish before Traefik stops. (Default: ```10```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_LIFECYCLE_REQUESTACCEPTGRACETIMEOUT`:  
-Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: ```0```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_IDLETIMEOUT`:  
-IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT`:  
-ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```0```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_WRITETIMEOUT`:  
-WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
-
-`TRAEFIK_GLOBAL_CHECKNEWVERSION`:  
-Periodically check if a new version has been released. (Default: ```false```)
-
-`TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:  
-Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default.
-
-`TRAEFIK_HOSTRESOLVER`:  
-Enable CNAME Flattening. (Default: ```false```)
-
-`TRAEFIK_HOSTRESOLVER_CNAMEFLATTENING`:  
-A flag to enable/disable CNAME flattening (Default: ```false```)
-
-`TRAEFIK_HOSTRESOLVER_RESOLVCONFIG`:  
-resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
-
-`TRAEFIK_HOSTRESOLVER_RESOLVDEPTH`:  
-The maximal depth of DNS recursive resolving (Default: ```5```)
-
-`TRAEFIK_LOG`:  
-Traefik log settings. (Default: "false")
-
-`TRAEFIK_LOG_FILEPATH`:  
-Traefik log file path. Stdout is used when omitted or empty.
-
-`TRAEFIK_LOG_FORMAT`:  
-Traefik log format: json | common (Default: ```common```)
-
-`TRAEFIK_LOG_LEVEL`:  
-Log level set to traefik logs. (Default: ```ERROR```)
-
-`TRAEFIK_METRICS_DATADOG`:  
-DataDog metrics exporter type. (Default: ```false```)
-
-`TRAEFIK_METRICS_DATADOG_ADDRESS`:  
-DataDog's address. (Default: ```localhost:8125```)
-
-`TRAEFIK_METRICS_DATADOG_PUSHINTERVAL`:  
-DataDog push interval. (Default: ```10```)
-
-`TRAEFIK_METRICS_INFLUXDB`:  
-InfluxDB metrics exporter type. (Default: ```false```)
-
-`TRAEFIK_METRICS_INFLUXDB_ADDRESS`:  
-InfluxDB address. (Default: ```localhost:8089```)
-
-`TRAEFIK_METRICS_INFLUXDB_DATABASE`:  
-InfluxDB database used when protocol is http.
-
-`TRAEFIK_METRICS_INFLUXDB_PASSWORD`:  
-InfluxDB password (only with http).
-
-`TRAEFIK_METRICS_INFLUXDB_PROTOCOL`:  
-InfluxDB address protocol (udp or http). (Default: ```udp```)
-
-`TRAEFIK_METRICS_INFLUXDB_PUSHINTERVAL`:  
-InfluxDB push interval. (Default: ```10```)
-
-`TRAEFIK_METRICS_INFLUXDB_RETENTIONPOLICY`:  
-InfluxDB retention policy used when protocol is http.
-
-`TRAEFIK_METRICS_INFLUXDB_USERNAME`:  
-InfluxDB username (only with http).
-
-`TRAEFIK_METRICS_PROMETHEUS`:  
-Prometheus metrics exporter type. (Default: ```false```)
-
-`TRAEFIK_METRICS_PROMETHEUS_BUCKETS`:  
-Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
-
-`TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:  
-EntryPoint. (Default: ```traefik```)
-
-`TRAEFIK_METRICS_PROMETHEUS_MIDDLEWARES`:  
-Middlewares.
-
-`TRAEFIK_METRICS_STATSD`:  
-StatsD metrics exporter type. (Default: ```false```)
-
-`TRAEFIK_METRICS_STATSD_ADDRESS`:  
-StatsD address. (Default: ```localhost:8125```)
-
-`TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
-StatsD push interval. (Default: ```10```)
-
-`TRAEFIK_PING`:  
-Enable ping. (Default: ```false```)
-
-`TRAEFIK_PING_ENTRYPOINT`:  
-Ping entryPoint. (Default: ```traefik```)
-
-`TRAEFIK_PING_MIDDLEWARES`:  
-Middleware list.
-
-`TRAEFIK_PROVIDERS_DOCKER`:  
-Enable Docker backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS`:  
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-
-`TRAEFIK_PROVIDERS_DOCKER_DEFAULTRULE`:  
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`TRAEFIK_PROVIDERS_DOCKER_ENDPOINT`:  
-Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
-
-`TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT`:  
-Expose containers by default. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_DOCKER_NETWORK`:  
-Default Docker network used.
-
-`TRAEFIK_PROVIDERS_DOCKER_SWARMMODE`:  
-Use Docker on Swarm Mode. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_SWARMMODEREFRESHSECONDS`:  
-Polling interval for swarm mode. (Default: ```15```)
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:  
-TLS CA
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:  
-TLS cert
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_INSECURESKIPVERIFY`:  
-TLS insecure skip verify (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_KEY`:  
-TLS key
-
-`TRAEFIK_PROVIDERS_DOCKER_USEBINDPORTIP`:  
-Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_WATCH`:  
-Watch provider. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_FILE`:  
-Enable File backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_FILE_DEBUGLOGGENERATEDTEMPLATE`:  
-Enable debug logging of generated configuration template. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_FILE_DIRECTORY`:  
-Load configuration from one or more .toml files in a directory.
-
-`TRAEFIK_PROVIDERS_FILE_FILENAME`:  
-Override default configuration template. For advanced users :)
-
-`TRAEFIK_PROVIDERS_FILE_WATCH`:  
-Watch provider. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_KUBERNETES`:  
-Enable Kubernetes backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD`:  
-Enable Kubernetes backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:  
-Kubernetes certificate authority file path (not needed for in-cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_DISABLEPASSHOSTHEADERS`:  
-Kubernetes disable PassHost Headers. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_ENDPOINT`:  
-Kubernetes server endpoint (required for external cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_INGRESSCLASS`:  
-Value of kubernetes.io/ingress.class annotation to watch for.
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_LABELSELECTOR`:  
-Kubernetes label selector to use.
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_NAMESPACES`:  
-Kubernetes namespaces.
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_TOKEN`:  
-Kubernetes bearer token (not needed for in-cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETES_CERTAUTHFILEPATH`:  
-Kubernetes certificate authority file path (not needed for in-cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETES_DISABLEPASSHOSTHEADERS`:  
-Kubernetes disable PassHost Headers. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_KUBERNETES_ENDPOINT`:  
-Kubernetes server endpoint (required for external cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSCLASS`:  
-Value of kubernetes.io/ingress.class annotation to watch for.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_HOSTNAME`:  
-Hostname used for Kubernetes Ingress endpoints.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_IP`:  
-IP used for Kubernetes Ingress endpoints.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_PUBLISHEDSERVICE`:  
-Published Kubernetes Service to copy status from.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_LABELSELECTOR`:  
-Kubernetes Ingress label selector to use.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_NAMESPACES`:  
-Kubernetes namespaces.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_TOKEN`:  
-Kubernetes bearer token (not needed for in-cluster client).
-
-`TRAEFIK_PROVIDERS_MARATHON`:  
-Enable Marathon backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICAUTHUSER`:  
-Basic authentication User.
-
-`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICPASSWORD`:  
-Basic authentication Password.
-
-`TRAEFIK_PROVIDERS_MARATHON_CONSTRAINTS`:  
-Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
-
-`TRAEFIK_PROVIDERS_MARATHON_DCOSTOKEN`:  
-DCOSToken for DCOS environment, This will override the Authorization header.
-
-`TRAEFIK_PROVIDERS_MARATHON_DEFAULTRULE`:  
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`TRAEFIK_PROVIDERS_MARATHON_DIALERTIMEOUT`:  
-Set a dialer timeout for Marathon. (Default: ```5```)
-
-`TRAEFIK_PROVIDERS_MARATHON_ENDPOINT`:  
-Marathon server endpoint. You can also specify multiple endpoint for Marathon. (Default: ```http://127.0.0.1:8080```)
-
-`TRAEFIK_PROVIDERS_MARATHON_EXPOSEDBYDEFAULT`:  
-Expose Marathon apps by default. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_MARATHON_FORCETASKHOSTNAME`:  
-Force to use the task's hostname. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_KEEPALIVE`:  
-Set a TCP Keep Alive time. (Default: ```10```)
-
-`TRAEFIK_PROVIDERS_MARATHON_RESPECTREADINESSCHECKS`:  
-Filter out tasks with non-successful readiness checks during deployments. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_RESPONSEHEADERTIMEOUT`:  
-Set a response header timeout for Marathon. (Default: ```60```)
-
-`TRAEFIK_PROVIDERS_MARATHON_TLSHANDSHAKETIMEOUT`:  
-Set a TLS handshake timeout for Marathon. (Default: ```5```)
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:  
-TLS CA
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:  
-TLS cert
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_INSECURESKIPVERIFY`:  
-TLS insecure skip verify (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_KEY`:  
-TLS key
-
-`TRAEFIK_PROVIDERS_MARATHON_TRACE`:  
-Display additional provider logs. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_WATCH`:  
-Watch provider. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_PROVIDERSTHROTTLEDURATION`:  
-Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. (Default: ```0```)
-
-`TRAEFIK_PROVIDERS_RANCHER`:  
-Enable Rancher backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_RANCHER_CONSTRAINTS`:  
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-
-`TRAEFIK_PROVIDERS_RANCHER_DEFAULTRULE`:  
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`TRAEFIK_PROVIDERS_RANCHER_ENABLESERVICEHEALTHFILTER`:  
-Filter services with unhealthy states and inactive states. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_RANCHER_EXPOSEDBYDEFAULT`:  
-Expose containers by default. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_RANCHER_INTERVALPOLL`:  
-Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate). (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_RANCHER_PREFIX`:  
-Prefix used for accessing the Rancher metadata service. (Default: ```latest```)
-
-`TRAEFIK_PROVIDERS_RANCHER_REFRESHSECONDS`:  
-Defines the polling interval in seconds. (Default: ```15```)
-
-`TRAEFIK_PROVIDERS_RANCHER_WATCH`:  
-Watch provider. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_REST`:  
-Enable Rest backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_REST_ENTRYPOINT`:  
-EntryPoint. (Default: ```traefik```)
-
-`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
-The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
-
-`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_RESPONSEHEADERTIMEOUT`:  
-The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
-
-`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_IDLECONNTIMEOUT`:  
-The maximum period for which an idle HTTP keep-alive connection to a backend
-server will remain open before closing itself. (Default: ```90s```)
-
-`TRAEFIK_SERVERSTRANSPORT_INSECURESKIPVERIFY`:  
-Disable SSL certificate verification. (Default: ```false```)
-
-`TRAEFIK_SERVERSTRANSPORT_MAXIDLECONNSPERHOST`:  
-If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: ```0```)
-
-`TRAEFIK_SERVERSTRANSPORT_ROOTCAS`:  
-Add cert file for self-signed certificate.
-
-`TRAEFIK_TRACING`:  
-OpenTracing configuration. (Default: ```false```)
-
-`TRAEFIK_TRACING_DATADOG`:  
-Settings for DataDog. (Default: ```false```)
-
-`TRAEFIK_TRACING_DATADOG_BAGAGEPREFIXHEADERNAME`:  
-Specifies the header name prefix that will be used to store baggage items in a map.
-
-`TRAEFIK_TRACING_DATADOG_DEBUG`:  
-Enable DataDog debug. (Default: ```false```)
-
-`TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
-Key:Value tag to be set on all the spans.
-
-`TRAEFIK_TRACING_DATADOG_LOCALAGENTHOSTPORT`:  
-Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
-
-`TRAEFIK_TRACING_DATADOG_PARENTIDHEADERNAME`:  
-Specifies the header name that will be used to store the parent ID.
-
-`TRAEFIK_TRACING_DATADOG_PRIORITYSAMPLING`:  
-Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
-
-`TRAEFIK_TRACING_DATADOG_SAMPLINGPRIORITYHEADERNAME`:  
-Specifies the header name that will be used to store the sampling priority.
-
-`TRAEFIK_TRACING_DATADOG_TRACEIDHEADERNAME`:  
-Specifies the header name that will be used to store the trace ID.
-
-`TRAEFIK_TRACING_HAYSTACK`:  
-Settings for Haystack. (Default: ```false```)
-
-`TRAEFIK_TRACING_HAYSTACK_BAGGAGEPREFIXHEADERNAME`:  
-specifies the header name prefix that will be used to store baggage items in a map.
-
-`TRAEFIK_TRACING_HAYSTACK_GLOBALTAG`:  
-Key:Value tag to be set on all the spans.
-
-`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTHOST`:  
-Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
-
-`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTPORT`:  
-Set haystack-agent's port that the reporter will used. (Default: ```35000```)
-
-`TRAEFIK_TRACING_HAYSTACK_PARENTIDHEADERNAME`:  
-Specifies the header name that will be used to store the parent ID.
-
-`TRAEFIK_TRACING_HAYSTACK_SPANIDHEADERNAME`:  
-Specifies the header name that will be used to store the span ID.
-
-`TRAEFIK_TRACING_HAYSTACK_TRACEIDHEADERNAME`:  
-Specifies the header name that will be used to store the trace ID.
-
-`TRAEFIK_TRACING_INSTANA`:  
-Settings for Instana. (Default: ```false```)
-
-`TRAEFIK_TRACING_INSTANA_LOCALAGENTHOST`:  
-Set instana-agent's host that the reporter will used. (Default: ```localhost```)
-
-`TRAEFIK_TRACING_INSTANA_LOCALAGENTPORT`:  
-Set instana-agent's port that the reporter will used. (Default: ```42699```)
-
-`TRAEFIK_TRACING_INSTANA_LOGLEVEL`:  
-Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
-
-`TRAEFIK_TRACING_JAEGER`:  
-Settings for jaeger. (Default: ```false```)
-
-`TRAEFIK_TRACING_JAEGER_GEN128BIT`:  
-Generate 128 bit span IDs. (Default: ```false```)
-
-`TRAEFIK_TRACING_JAEGER_LOCALAGENTHOSTPORT`:  
-Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
-
-`TRAEFIK_TRACING_JAEGER_PROPAGATION`:  
-Which propgation format to use (jaeger/b3). (Default: ```jaeger```)
-
-`TRAEFIK_TRACING_JAEGER_SAMPLINGPARAM`:  
-Set the sampling parameter. (Default: ```1.000000```)
-
-`TRAEFIK_TRACING_JAEGER_SAMPLINGSERVERURL`:  
-Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
-
-`TRAEFIK_TRACING_JAEGER_SAMPLINGTYPE`:  
-Set the sampling type. (Default: ```const```)
-
-`TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME`:  
-Set the header to use for the trace-id. (Default: ```uber-trace-id```)
-
-`TRAEFIK_TRACING_SERVICENAME`:  
-Set the name for this service. (Default: ```traefik```)
-
-`TRAEFIK_TRACING_SPANNAMELIMIT`:  
-Set the maximum character limit for Span names (default 0 = no limit). (Default: ```0```)
-
-`TRAEFIK_TRACING_ZIPKIN`:  
-Settings for zipkin. (Default: ```false```)
-
-`TRAEFIK_TRACING_ZIPKIN_DEBUG`:  
-Enable Zipkin debug. (Default: ```false```)
-
-`TRAEFIK_TRACING_ZIPKIN_HTTPENDPOINT`:  
-HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v1/spans```)
-
-`TRAEFIK_TRACING_ZIPKIN_ID128BIT`:  
-Use Zipkin 128 bit root span IDs. (Default: ```true```)
-
-`TRAEFIK_TRACING_ZIPKIN_SAMESPAN`:  
-Use Zipkin SameSpan RPC style traces. (Default: ```false```)
-
-`TRAEFIK_TRACING_ZIPKIN_SAMPLERATE`:  
-The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
+--8<-- "content/reference/static-configuration/env-ref.md"
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -52,7 +52,6 @@
    watch = true
    filename = "foobar"
    debugLogGeneratedTemplate = true
-    traefikFile = "foobar"
  [providers.marathon]
    constraints = "foobar"
    trace = true
@@ -76,7 +75,7 @@
    [providers.marathon.basic]
      httpBasicAuthUser = "foobar"
      httpBasicPassword = "foobar"
-  [providers.kubernetes]
+  [providers.kubernetesIngress]
    endpoint = "foobar"
    token = "foobar"
    certAuthFilePath = "foobar"
@@ -84,7 +83,8 @@
    namespaces = ["foobar", "foobar"]
    labelSelector = "foobar"
    ingressClass = "foobar"
-    [providers.kubernetes.ingressEndpoint]
+    throttleDuration = "10s"
+    [providers.kubernetesIngress.ingressEndpoint]
      ip = "foobar"
      hostname = "foobar"
      publishedService = "foobar"
@@ -96,8 +96,9 @@
    namespaces = ["foobar", "foobar"]
    labelSelector = "foobar"
    ingressClass = "foobar"
+    throttleDuration = "10s"
  [providers.rest]
-    entryPoint = "foobar"
+    insecure = true
  [providers.rancher]
    constraints = "foobar"
    watch = true
@@ -109,23 +110,26 @@
    prefix = "foobar"

 [api]
-  entryPoint = "foobar"
+  insecure = true
  dashboard = true
-  middlewares = ["foobar", "foobar"]
-  [api.statistics]
-    recentErrors = 42
+  debug = true

 [metrics]
  [metrics.prometheus]
    buckets = [42.0, 42.0]
+    addEntryPointsLabels = true
+    addServicesLabels = true
    entryPoint = "foobar"
-    middlewares = ["foobar", "foobar"]
-  [metrics.dataDog]
+  [metrics.datadog]
    address = "foobar"
    pushInterval = "10s"
+    addEntryPointsLabels = true
+    addServicesLabels = true
  [metrics.statsD]
    address = "foobar"
    pushInterval = "10s"
+    addEntryPointsLabels = true
+    addServicesLabels = true
  [metrics.influxDB]
    address = "foobar"
    protocol = "foobar"
@@ -134,10 +138,11 @@
    retentionPolicy = "foobar"
    username = "foobar"
    password = "foobar"
+    addEntryPointsLabels = true
+    addServicesLabels = true

 [ping]
  entryPoint = "foobar"
-  middlewares = ["foobar", "foobar"]

 [log]
  level = "foobar"
@@ -174,13 +179,16 @@
    gen128Bit = true
    propagation = "foobar"
    traceContextHeaderName = "foobar"
+    [tracing.jaeger.collector]
+      endpoint = "foobar"
+      user = "foobar"
+      password = "foobar"
  [tracing.zipkin]
    httpEndpoint = "foobar"
    sameSpan = true
    id128Bit = true
-    debug = true
    sampleRate = 42.0
-  [tracing.dataDog]
+  [tracing.datadog]
    localAgentHostPort = "foobar"
    globalTag = "foobar"
    debug = true
@@ -200,33 +208,39 @@
    traceIDHeaderName = "foobar"
    parentIDHeaderName = "foobar"
    spanIDHeaderName = "foobar"
+    baggagePrefixHeaderName = "foobar"

 [hostResolver]
  cnameFlattening = true
  resolvConfig = "foobar"
  resolvDepth = 42

-[acme]
-  email = "foobar"
-  acmeLogging = true
-  caServer = "foobar"
-  storage = "foobar"
-  entryPoint = "foobar"
-  keyType = "foobar"
-  onHostRule = true
-  [acme.dnsChallenge]
-    provider = "foobar"
-    delayBeforeCheck = 42
-    resolvers = ["foobar", "foobar"]
-    disablePropagationCheck = true
-  [acme.httpChallenge]
-    entryPoint = "foobar"
-  [acme.tlsChallenge]
-
-  [[acme.domains]]
-    main = "foobar"
-    sans = ["foobar", "foobar"]
-
-  [[acme.domains]]
-    main = "foobar"
-    sans = ["foobar", "foobar"]
+[certificatesResolvers]
+  [certificatesResolvers.CertificateResolver0]
+    [certificatesResolvers.CertificateResolver0.acme]
+      email = "foobar"
+      caServer = "foobar"
+      storage = "foobar"
+      keyType = "foobar"
+      [certificatesResolvers.CertificateResolver0.acme.dnsChallenge]
+        provider = "foobar"
+        delayBeforeCheck = 42
+        resolvers = ["foobar", "foobar"]
+        disablePropagationCheck = true
+      [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
+        entryPoint = "foobar"
+      [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
+  [certificatesResolvers.CertificateResolver1]
+    [certificatesResolvers.CertificateResolver1.acme]
+      email = "foobar"
+      caServer = "foobar"
+      storage = "foobar"
+      keyType = "foobar"
+      [certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
+        provider = "foobar"
+        delayBeforeCheck = 42
+        resolvers = ["foobar", "foobar"]
+        disablePropagationCheck = true
+      [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
+        entryPoint = "foobar"
+      [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -4,36 +4,36 @@ global:
 serversTransport:
  insecureSkipVerify: true
  rootCAs:
-    - foobar
-    - foobar
+  - foobar
+  - foobar
  maxIdleConnsPerHost: 42
  forwardingTimeouts:
-    dialTimeout: 42000000000
-    responseHeaderTimeout: 42000000000
-    idleConnTimeout: 42000000000
+    dialTimeout: 42
+    responseHeaderTimeout: 42
+    idleConnTimeout: 42
 entryPoints:
  EntryPoint0:
    address: foobar
    transport:
      lifeCycle:
-        requestAcceptGraceTimeout: 42000000000
-        graceTimeOut: 42000000000
+        requestAcceptGraceTimeout: 42
+        graceTimeOut: 42
      respondingTimeouts:
-        readTimeout: 42000000000
-        writeTimeout: 42000000000
-        idleTimeout: 42000000000
+        readTimeout: 42
+        writeTimeout: 42
+        idleTimeout: 42
    proxyProtocol:
      insecure: true
      trustedIPs:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
    forwardedHeaders:
      insecure: true
      trustedIPs:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
 providers:
-  providersThrottleDuration: 42000000000
+  providersThrottleDuration: 42
  docker:
    constraints: foobar
    watch: true
@@ -49,13 +49,12 @@ providers:
    useBindPortIP: true
    swarmMode: true
    network: foobar
-    swarmModeRefreshSeconds: 42000000000
+    swarmModeRefreshSeconds: 42
  file:
    directory: foobar
    watch: true
    filename: foobar
    debugLogGeneratedTemplate: true
-    traefikFile: foobar
  marathon:
    constraints: foobar
    trace: true
@@ -70,25 +69,26 @@ providers:
      cert: foobar
      key: foobar
      insecureSkipVerify: true
-    dialerTimeout: 42000000000
-    responseHeaderTimeout: 42000000000
-    tlsHandshakeTimeout: 42000000000
-    keepAlive: 42000000000
+    dialerTimeout: 42
+    responseHeaderTimeout: 42
+    tlsHandshakeTimeout: 42
+    keepAlive: 42
    forceTaskHostname: true
    basic:
      httpBasicAuthUser: foobar
      httpBasicPassword: foobar
    respectReadinessChecks: true
-  kubernetes:
+  kubernetesIngress:
    endpoint: foobar
    token: foobar
    certAuthFilePath: foobar
    disablePassHostHeaders: true
    namespaces:
-      - foobar
-      - foobar
+    - foobar
+    - foobar
    labelSelector: foobar
    ingressClass: foobar
+    throttleDuration: 10s
    ingressEndpoint:
      ip: foobar
      hostname: foobar
@@ -99,12 +99,13 @@ providers:
    certAuthFilePath: foobar
    disablePassHostHeaders: true
    namespaces:
-      - foobar
-      - foobar
+    - foobar
+    - foobar
    labelSelector: foobar
    ingressClass: foobar
+    throttleDuration: 10s
  rest:
-    entryPoint: foobar
+    insecure: true
  rancher:
    constraints: foobar
    watch: true
@@ -115,41 +116,39 @@ providers:
    intervalPoll: true
    prefix: foobar
 api:
-  entryPoint: foobar
+  insecure: true
  dashboard: true
-  statistics:
-    recentErrors: 42
-  middlewares:
-    - foobar
-    - foobar
+  debug: true
 metrics:
  prometheus:
    buckets:
-      - 42
-      - 42
+    - 42
+    - 42
+    addEntryPointsLabels: true
+    addServicesLabels: true
    entryPoint: foobar
-    middlewares:
-      - foobar
-      - foobar
-  dataDog:
+  datadog:
    address: foobar
-    pushInterval: 10000000000
+    pushInterval: 42
+    addEntryPointsLabels: true
+    addServicesLabels: true
  statsD:
    address: foobar
-    pushInterval: 10000000000
+    pushInterval: 42
+    addEntryPointsLabels: true
+    addServicesLabels: true
  influxDB:
    address: foobar
    protocol: foobar
-    pushInterval: 10000000000
+    pushInterval: 42
    database: foobar
    retentionPolicy: foobar
    username: foobar
    password: foobar
+    addEntryPointsLabels: true
+    addServicesLabels: true
 ping:
  entryPoint: foobar
-  middlewares:
-    - foobar
-    - foobar
 log:
  level: foobar
  filePath: foobar
@@ -159,10 +158,10 @@ accessLog:
  format: foobar
  filters:
    statusCodes:
-      - foobar
-      - foobar
+    - foobar
+    - foobar
    retryAttempts: true
-    minDuration: 42000000000
+    minDuration: 42
  fields:
    defaultMode: foobar
    names:
@@ -185,13 +184,16 @@ tracing:
    gen128Bit: true
    propagation: foobar
    traceContextHeaderName: foobar
+    collector:
+      endpoint: foobar
+      user: foobar
+      password: foobar
  zipkin:
    httpEndpoint: foobar
    sameSpan: true
    id128Bit: true
-    debug: true
    sampleRate: 42
-  dataDog:
+  datadog:
    localAgentHostPort: foobar
    globalTag: foobar
    debug: true
@@ -211,34 +213,41 @@ tracing:
    traceIDHeaderName: foobar
    parentIDHeaderName: foobar
    spanIDHeaderName: foobar
+    baggagePrefixHeaderName: foobar
 hostResolver:
  cnameFlattening: true
  resolvConfig: foobar
  resolvDepth: 42
-acme:
-  email: foobar
-  acmeLogging: true
-  caServer: foobar
-  storage: foobar
-  entryPoint: foobar
-  keyType: foobar
-  onHostRule: true
-  dnsChallenge:
-    provider: foobar
-    delayBeforeCheck: 42000000000
-    resolvers:
-      - foobar
-      - foobar
-    disablePropagationCheck: true
-  httpChallenge:
-    entryPoint: foobar
-  tlsChallenge: {}
-  domains:
-    - main: foobar
-      sans:
+certificatesResolvers:
+  CertificateResolver0:
+    acme:
+      email: foobar
+      caServer: foobar
+      storage: foobar
+      keyType: foobar
+      dnsChallenge:
+        provider: foobar
+        delayBeforeCheck: 42
+        resolvers:
        - foobar
        - foobar
-    - main: foobar
-      sans:
+        disablePropagationCheck: true
+      httpChallenge:
+        entryPoint: foobar
+      tlsChallenge: {}
+  CertificateResolver1:
+    acme:
+      email: foobar
+      caServer: foobar
+      storage: foobar
+      keyType: foobar
+      dnsChallenge:
+        provider: foobar
+        delayBeforeCheck: 42
+        resolvers:
        - foobar
        - foobar
+        disablePropagationCheck: true
+      httpChallenge:
+        entryPoint: foobar
+      tlsChallenge: {}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ludovic Fernandez	e40e3af760	Prepare release v2.0.0-rc3	2019-09-10 18:58:03 +02:00
Ludovic Fernandez	24a2788081	Prepare release v1.7.14	2019-09-10 18:30:05 +02:00
mpl	1388266102	Finish kubernetes throttling refactoring	2019-09-10 18:30:05 +02:00
Ben Weissmann	43af0b051f	Throttle Kubernetes config refresh	2019-09-10 18:30:05 +02:00
Ludovic Fernandez	6e8138e19b	Update golangci-lint	2019-09-10 17:52:04 +02:00
Julien Salleyron	fb8edd86d5	k8s ErrorPage middleware now uses k8s service	2019-09-10 17:24:03 +02:00
Julien Salleyron	34be181706	Add provider in middleware chain	2019-09-10 16:12:05 +02:00
Jorge Gonzalez	fcc1109e76	Add more pages in the WebUI	2019-09-10 14:40:05 +02:00
mpl	2b828765e3	Improve rate limiter tests Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-09-09 20:02:04 +02:00
Ludovic Fernandez	25f4c23ab2	Write HTTP server logs into the global logger.	2019-09-09 14:52:04 +02:00
Ludovic Fernandez	be90b20a5d	fix: TLS domains with IngressRoute.	2019-09-09 13:52:04 +02:00
Ludovic Fernandez	232c113dae	Misc documentation fixes	2019-09-09 10:36:08 +02:00
mpl	605a9b2817	Default to CLF when accesslog format is unsupported	2019-09-09 09:24:03 +02:00
Julien Salleyron	d044c0f4cc	New API security	2019-09-06 15:08:04 +02:00
Julien Salleyron	1959e1fd44	Auth middlewares in kubernetes CRD uses secrets	2019-09-05 13:42:04 +02:00
mpl	6712423dd1	misc documentation fixes	2019-09-05 10:48:04 +02:00
Jean-Baptiste Doumenjou	3689990bd5	Enhance the Retry Middleware Documentation Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2019-09-04 17:28:03 +02:00
Michael	81a1f618f9	Update to go 1.13	2019-09-04 11:16:03 +02:00
Ludovic Fernandez	b77bb690de	Prepare release v2.0.0-rc2	2019-09-03 21:18:03 +02:00
Ludovic Fernandez	f843f260ee	fix: stripPrefix and stripPrefixRegex.	2019-09-03 20:32:03 +02:00
Julien Salleyron	770b3739e0	The chain middleware in k8s use middlewareRef	2019-09-03 19:20:04 +02:00
Jean-Baptiste Doumenjou	261e7c1744	Fix some documentation issues	2019-09-03 18:02:05 +02:00
Ludovic Fernandez	10acbb8d92	Don't panic with undefined middleware	2019-09-03 15:22:05 +02:00
Ludovic Fernandez	a917115a85	fix buffering middleware	2019-09-03 15:02:05 +02:00
Michael	b8ed6f1588	Re enable ratelimit integration tests	2019-09-03 14:34:04 +02:00
Michael	3ed57e01a6	Update go version to go 1.13rc2	2019-09-03 12:18:03 +02:00
Bas van Beek	cb7c5a8ca1	Update Zipkin OpenTracing driver to latest 0.4.3 release	2019-09-03 11:52:04 +02:00
Ludovic Fernandez	07eb9c5970	Update restrictions in the documentation.	2019-09-02 03:26:04 -07:00
Ludovic Fernandez	306e5081d9	fix: Datadog case.	2019-09-02 03:18:04 -07:00
Ludovic Fernandez	259c7adc81	deep-copy for MirrorService	2019-09-02 02:54:04 -07:00
Ludovic Fernandez	af9762cf32	Improve API for the web UI	2019-09-02 02:38:04 -07:00
Ludovic Fernandez	17554202f6	fix: stripPrefixRegex documentation.	2019-09-02 01:52:04 -07:00
Jean-Baptiste Doumenjou	0d9cf697fa	Base of the migration guide Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2019-08-31 00:28:04 -07:00
Julien Salleyron	df0dd2f5e6	Add errors about unknown entryPoint in runtime api	2019-08-29 03:38:04 -07:00
Julien Salleyron	38508f9a9c	Fix recovered panic when websocket is mirrored	2019-08-29 01:28:05 -07:00
Michael	b113972bcf	Fix trailing slash with check new version	2019-08-29 00:56:04 -07:00
Michael	72e67bf4e9	Rest provider icon in the webui	2019-08-28 05:52:05 -07:00
Ludovic Fernandez	da8aa2d8e4	Prepare release v2.0.0-rc1	2019-08-26 10:36:03 -07:00
Julien Salleyron	602a2ea541	Adds mirroring service	2019-08-26 10:00:04 -07:00
Jorge Gonzalez	fd24b1898e	Add a new dashboard page.	2019-08-26 18:15:41 +02:00
Ludovic Fernandez	89150e1164	Update to go1.13rc1	2019-08-26 06:06:05 -07:00
Fedorenko Dmitrij	e1831c4c60	Add support proxyprotocol v2	2019-08-26 05:40:04 -07:00
mpl	4ec90c5c0d	Add rate limiter, rename maxConn into inFlightReq Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>	2019-08-26 03:20:06 -07:00
bsdelf	a8c73f7baf	Ensure WaitGroup.Done() is always called	2019-08-26 01:54:05 -07:00
Julien Salleyron	6fed76a687	WeightedRoundRobin load balancer Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>	2019-08-26 01:30:05 -07:00
Carlos Eduardo	84de444325	Bump x/sys to support Risc-V architecture	2019-08-23 07:36:04 -07:00
Ludovic Fernandez	0fbd87ca87	Fix: CRD user guide	2019-08-23 07:20:05 -07:00
Connor Bell	99797502eb	docker-compose labels require $'s to be escaped	2019-08-20 08:08:05 -07:00
fairwood136	16bd0b9ca8	Removed extra colon before the 8080 docker port	2019-08-15 07:44:04 -07:00
Ludovic Fernandez	5fdfa963f4	fix: lego version.	2019-08-15 06:52:03 -07:00
Ludovic Fernandez	1d86e71331	fix: invalid pseudo version.	2019-08-14 14:54:03 -07:00
Daniel Tomcej	9e3f549341	Add TLS-enabled Router	2019-08-14 10:16:06 -07:00
Steven E. Harris	2895ad21f3	Correct Kubernetes Ingress and IngressRoute port heuristic for choosing HTTPS	2019-08-14 09:58:04 -07:00
Ludovic Fernandez	5731ae7f47	Fix `url.Parse` due to go1.12.8 changes.	2019-08-14 09:16:04 -07:00
Ludovic Fernandez	51f7d9a07f	Split runtime.go	2019-08-14 08:28:04 -07:00
Antoine Caron	6be390c795	feat(webui): add doc and version in navbar	2019-08-12 08:48:04 -07:00
Fernandez Ludovic	0f32de4aa2	tests: improve timeout. - upgrade k3s to v0.8.0	2019-08-12 05:06:04 -07:00
Fernandez Ludovic	5d01452648	doc: contributing guide.	2019-08-12 05:06:04 -07:00
Fernandez Ludovic	51b0508512	scripts: makefile, dockerfile, travis, ...	2019-08-12 05:06:04 -07:00
Fernandez Ludovic	4c5e7a238d	chore: go module	2019-08-12 05:06:04 -07:00
Fernandez Ludovic	f327b7b499	chore: ignore vendor.	2019-08-12 05:06:04 -07:00
Fernandez Ludovic	306e86c9c6	kill: the vendor.	2019-08-12 05:06:04 -07:00
Fernandez Ludovic	9024f1b444	doc: update lego.	2019-08-12 00:36:04 -07:00
Ludovic Fernandez	fc26e8c194	Prepare release v1.7.13	2019-08-12 00:36:04 -07:00
Douglas Wagner	ffd8e5667c	Wrr loadbalancer honors old weight on recovered servers	2019-08-12 00:36:04 -07:00
Daniel Tomcej	9299c3abc7	Add missing KeyUsages for default generated certificate	2019-08-12 00:36:04 -07:00
BENEFICE Pierre	63a07fe6cf	Add a docker-compose & let's encrypt user-guide	2019-08-06 08:46:04 -07:00
Ludovic Fernandez	c2d440a914	chore: update docker and k8s	2019-08-05 09:24:03 -07:00
Edouard Vincent	2b5c7f9e91	[Docs] YAML indent for domains under TLS section	2019-08-05 08:22:04 -07:00
Jean-Baptiste Doumenjou	91e63dea47	Apply the case of the CLI flags for the configuration	2019-08-05 06:22:03 -07:00
Daniel Tomcej	cd164de776	Add Feature-Policy header support	2019-07-29 07:12:05 -07:00
Michael	c0ef5ce512	Fix prometheus metrics	2019-07-24 12:38:03 +02:00
Antoine Caron	7c852fbf33	refactor(webui): use components to split Home concerns	2019-07-22 11:06:04 +02:00
Ludovic Fernandez	28500989bc	Improve acme logs.	2019-07-22 10:16:04 +02:00
Ludovic Fernandez	75c99a0491	doc: improve examples.	2019-07-22 09:58:04 +02:00
Daniel Tomcej	8b4ba3cb67	Fix malformed rule	2019-07-22 09:24:04 +02:00
Jan	3ef2971c3f	Fix acme example	2019-07-19 18:06:03 +02:00
Ludovic Fernandez	a5aa8c6006	Prepare release v2.0.0-beta1	2019-07-19 17:18:03 +02:00
Jan	022d14abe1	Fixed a typo in label.	2019-07-19 17:00:05 +02:00
Ludovic Fernandez	1800b0b69c	Improve error on router without service. Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2019-07-19 16:42:04 +02:00
Julien Salleyron	c39a550b00	Lets encrypt documentation typo	2019-07-19 15:52:03 +02:00
mpl	092aa8fa6d	API: remove configuration of Entrypoint and Middlewares Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-07-19 12:28:07 +02:00
Ludovic Fernandez	f75f73f3d2	Certificate resolvers. Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>	2019-07-19 11:52:04 +02:00
Julien Salleyron	e3627e9cba	Disable RateLimit temporarily	2019-07-19 10:50:05 +02:00
mpl	d5f4934acf	Add documentation about Kubernetes Ingress provider	2019-07-19 09:50:04 +02:00
Jean-Baptiste Doumenjou	693bd7e110	Add a basic Traefik install guide	2019-07-19 09:24:04 +02:00
Antoine Caron	4d8dcdc623	feat(webui/dashboard): init new dashboard	2019-07-18 22:36:04 +02:00
Michael	8e97af8dc3	Add Metrics	2019-07-18 21:36:05 +02:00
Ludovic Fernandez	4dc448056c	fix: TLS configuration from directory.	2019-07-18 16:26:05 +02:00
Ludovic Fernandez	68c349bbfa	Manage status for TCP element in the endpoint overview.	2019-07-18 15:56:04 +02:00
David Dymko	75aedc8e94	Fixed doc link for AlibabaCloud	2019-07-17 20:12:04 +02:00
Damien Duportal	8b08f89d2c	Allows logs to use local time zone instead of UTC Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>	2019-07-17 20:12:04 +02:00
Michael	889b38f75a	Improve tracing documentation	2019-07-16 09:54:04 +02:00
Jean-Baptiste Doumenjou	a17ac23457	Update Dynamic Configuration Reference for both Docker and Marathon	2019-07-16 06:48:03 +02:00
mpl	6fdd48509e	config: deal with multiple errors and their criticality Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-07-15 17:04:04 +02:00
Ryan Fitzpatrick	62800116d3	Add Jaeger collector endpoint	2019-07-15 14:52:04 +02:00
Antoine Caron	1bccbf061b	refactor(webui): use @vue/cli to bootstrap new ui	2019-07-15 10:58:03 +02:00
Ludovic Fernandez	093658836e	Restrict traefik.toml to static configuration.	2019-07-15 10:22:03 +02:00
Ludovic Fernandez	f49800e56a	user guide: fix a mistake in the deployment definition	2019-07-15 10:00:06 +02:00
Ludovic Fernandez	e478dbeb85	Docker URL	2019-07-15 07:06:03 +02:00
Daniel Tomcej	51486b18fa	Enhance REST provider	2019-07-13 01:24:03 +02:00
Michael	48d98dcf45	Update docker version for build	2019-07-12 21:14:03 +02:00
Jean-Baptiste Doumenjou	2c7cfd1c68	Expand Client Auth Type configuration	2019-07-12 17:50:04 +02:00
Michael	7a4b4c941c	Update dep version	2019-07-12 15:36:04 +02:00
Michael	608ccb0ca1	Update golangci-lint	2019-07-12 15:04:03 +02:00
Daniel Tomcej	3f6ea04048	Properly add response headers for CORS	2019-07-12 11:46:04 +02:00
Ludovic Fernandez	74c5ec70a9	Improve API endpoints	2019-07-12 11:10:03 +02:00
Ludovic Fernandez	c8bf8e896a	Move dynamic config into a dedicated package.	2019-07-10 09:26:04 +02:00
Michael	09cc1161c9	Generate deepcopy for configuration struct	2019-07-09 15:18:04 +02:00
Jean-Baptiste Doumenjou	8ab33db51a	Renamed `kubernetes` provider in `kubernetesIngress` provider	2019-07-08 21:36:03 +02:00
stffabi	cc4258bf9d	Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP	2019-07-08 17:56:04 +02:00
Ludovic Fernandez	0ee5d3d83f	Automatic generation of the doc for the CLI flags and env vars.	2019-07-08 11:00:04 +02:00
Ludovic Fernandez	c39aa5e857	Add scheme to IngressRoute.	2019-07-05 17:24:04 +02:00
mpl	39aae4167e	TLSOptions: handle conflict: same host name, different TLS options Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-07-03 19:22:05 +02:00
Ludovic Fernandez	9db9143366	Improve providers documentation.	2019-07-02 17:36:04 +02:00