Prepare release v2.0.1

Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>

.golangci.toml

@@ -23,6 +23,10 @@
   [linters-settings.misspell]
     locale = "US"
 
+  [linters-settings.funlen]
+    lines = 230 # default 60
+    statements = 120 # default 40
+
 [linters]
   enable-all = true
   disable = [
@@ -36,8 +40,9 @@
     "scopelint",
     "gochecknoinits",
     "gochecknoglobals",
+#    "godox", # manage TODO FIXME ## wait for https://github.com/golangci/golangci-lint/issues/337
     "bodyclose", # Too many false-positive and panics.
-    "typecheck", # v1.17.1 and Go1.13 => bug
+#    "stylecheck", # skip because report issues related to some generated files. ## wait for https://github.com/golangci/golangci-lint/issues/337
   ]
 
 [issues]
@@ -50,8 +55,8 @@
     "should have a package comment, unless it's in another file for this package",
   ]
  [[issues.exclude-rules]]
-    path = ".+_test.go"
-    linters = ["goconst"]
+    path = "(.+)_test.go"
+    linters = ["goconst", "funlen"]
  [[issues.exclude-rules]]
     path = "integration/.+_test.go"
     text = "Error return value of `cmd\\.Process\\.Kill` is not checked"

.semaphoreci/setup.sh

@@ -18,10 +18,9 @@ echo ${SHOULD_TEST}
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
 if [ -n "$SHOULD_TEST" ]; then docker version; fi
-
 export GO_VERSION=1.12
 if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
+#if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
 echo "Selected Go version: ${GO_VERSION}"
 
 if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
@@ -34,5 +33,3 @@ if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
 if [ -f "./go.mod" ]; then go mod download; fi
 
 df
-
-

CHANGELOG.md

@@ -1,4 +1,403 @@
-# Change Log
+## [v2.0.1](https://github.com/containous/traefik/tree/v2.0.1) (2019-09-26)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0...v2.0.1)
+
+**Bug fixes:**
+- **[go,security]** This version is compiled with [Go 1.13.1](https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ), which fixes a vulnerability in previous versions. See the [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276) about it for more details.
+- **[api,healthcheck]** Return an actual server status updater ([#5407](https://github.com/containous/traefik/pull/5407) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[cli]** Flag names don't need a consistent case. ([#5438](https://github.com/containous/traefik/pull/5438) by [ldez](https://github.com/ldez))
+- **[docker]** fix: docker service name. ([#5491](https://github.com/containous/traefik/pull/5491) by [ldez](https://github.com/ldez))
+- **[logs,middleware]** fix: improve log for invalid middleware. ([#5486](https://github.com/containous/traefik/pull/5486) by [ldez](https://github.com/ldez))
+- **[middleware]** Update Casing on STS Header Directive ([#5492](https://github.com/containous/traefik/pull/5492) by [dtomcej](https://github.com/dtomcej))
+- **[server]** Do not initialize list of middlewares if not needed ([#5485](https://github.com/containous/traefik/pull/5485) by [mpl](https://github.com/mpl))
+- **[websocket]** Fix case-sensitive header in websocket ([#5397](https://github.com/containous/traefik/pull/5397) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[acme,tls]** Improve TLS documentation. ([#5448](https://github.com/containous/traefik/pull/5448) by [ldez](https://github.com/ldez))
+- **[acme]** fix typo for kubectl version ([#5409](https://github.com/containous/traefik/pull/5409) by [mpl](https://github.com/mpl))
+- **[acme]** Wrong acme example. ([#5439](https://github.com/containous/traefik/pull/5439) by [ldez](https://github.com/ldez))
+- **[cli,docker]** doc: Flags and labels are case insensitive. ([#5428](https://github.com/containous/traefik/pull/5428) by [ldez](https://github.com/ldez))
+- **[docker,marathon,rancher]** clarify automatic service creation/assignment with labels ([#5493](https://github.com/containous/traefik/pull/5493) by [mpl](https://github.com/mpl))
+- **[file]** fix doc about file.filename ([#5494](https://github.com/containous/traefik/pull/5494) by [ldez](https://github.com/ldez))
+- **[k8s]** add indent to fix notes ([#5467](https://github.com/containous/traefik/pull/5467) by [mpl](https://github.com/mpl))
+- **[middleware,docker,marathon,tls]** Improve documentation for the TLS  section of the provider connection. ([#5437](https://github.com/containous/traefik/pull/5437) by [ldez](https://github.com/ldez))
+- **[yaml]** YAML I love you ([#5461](https://github.com/containous/traefik/pull/5461) by [mmatur](https://github.com/mmatur))
+- Improve routing documentation ([#5450](https://github.com/containous/traefik/pull/5450) by [ldez](https://github.com/ldez))
+- fix: typo in TOML for HTTP to HTTPS redirection ([#5452](https://github.com/containous/traefik/pull/5452) by [krerkkiat](https://github.com/krerkkiat))
+- document that /dashboard should be preferred over / ([#5431](https://github.com/containous/traefik/pull/5431) by [mpl](https://github.com/mpl))
+- Improve the migration guide ([#5430](https://github.com/containous/traefik/pull/5430) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- fixed doc typoes ([#5425](https://github.com/containous/traefik/pull/5425) by [mpl](https://github.com/mpl))
+- fix indentation for tab on migration guide ([#5423](https://github.com/containous/traefik/pull/5423) by [ViceIce](https://github.com/ViceIce))
+- Update links in readme. ([#5411](https://github.com/containous/traefik/pull/5411) by [ldez](https://github.com/ldez))
+- Add the router priority documentation ([#5481](https://github.com/containous/traefik/pull/5481) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Improve the Migration Guide ([#5391](https://github.com/containous/traefik/pull/5391) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+## [v2.0.0](https://github.com/containous/traefik/tree/v2.0.0) (2019-09-16)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha1...v2.0.0)
+
+**Enhancements:**
+- **[acme,api,tracing]** New API security ([#5311](https://github.com/containous/traefik/pull/5311) by [juliens](https://github.com/juliens))
+- **[acme,k8s,k8s/crd]** Document the TLS with ACME case ([#4654](https://github.com/containous/traefik/pull/4654) by [mpl](https://github.com/mpl))
+- **[acme,kv]** Remove Deprecated StorageFile ([#4252](https://github.com/containous/traefik/pull/4252) by [juliens](https://github.com/juliens))
+- **[acme]** Remove timeout/interval from the ACME Provider ([#4842](https://github.com/containous/traefik/pull/4842) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[acme]** Certificate resolvers. ([#5116](https://github.com/containous/traefik/pull/5116) by [ldez](https://github.com/ldez))
+- **[acme]** Improve acme logs. ([#5139](https://github.com/containous/traefik/pull/5139) by [ldez](https://github.com/ldez))
+- **[acme]** Migrate to go-acme/lego. ([#4589](https://github.com/containous/traefik/pull/4589) by [ldez](https://github.com/ldez))
+- **[api,provider]** Enhance REST provider ([#5072](https://github.com/containous/traefik/pull/5072) by [dtomcej](https://github.com/dtomcej))
+- **[api]** Adding content-header to api endpoints ([#5019](https://github.com/containous/traefik/pull/5019) by [dalanmiller](https://github.com/dalanmiller))
+- **[api]** Deal with multiple errors and their criticality ([#5070](https://github.com/containous/traefik/pull/5070) by [mpl](https://github.com/mpl))
+- **[api]** API: remove configuration of Entrypoint and Middlewares ([#5119](https://github.com/containous/traefik/pull/5119) by [mpl](https://github.com/mpl))
+- **[api]** Improve API endpoints ([#5080](https://github.com/containous/traefik/pull/5080) by [ldez](https://github.com/ldez))
+- **[api]** API: new contract ([#4964](https://github.com/containous/traefik/pull/4964) by [mpl](https://github.com/mpl))
+- **[api]** Improve API for the web UI ([#5267](https://github.com/containous/traefik/pull/5267) by [ldez](https://github.com/ldez))
+- **[api]** Manage status for TCP element in the endpoint overview. ([#5108](https://github.com/containous/traefik/pull/5108) by [ldez](https://github.com/ldez))
+- **[api]** API: expose runtime representation ([#4841](https://github.com/containous/traefik/pull/4841) by [mpl](https://github.com/mpl))
+- **[authentication,middleware,k8s,k8s/crd]** Auth middlewares in kubernetes CRD use secrets ([#5299](https://github.com/containous/traefik/pull/5299) by [juliens](https://github.com/juliens))
+- **[authentication,logs,etcd]** Remove deprecated elements ([#3715](https://github.com/containous/traefik/pull/3715) by [geraldcroes](https://github.com/geraldcroes))
+- **[authentication,middleware]** Basic Auth custom realm ([#3917](https://github.com/containous/traefik/pull/3917) by [tcoupin](https://github.com/tcoupin))
+- **[cli]** New static configuration loading system. ([#4935](https://github.com/containous/traefik/pull/4935) by [ldez](https://github.com/ldez))
+- **[docker,k8s,k8s/crd,k8s/ingress]** chore: update docker and k8s ([#5174](https://github.com/containous/traefik/pull/5174) by [ldez](https://github.com/ldez))
+- **[docker,k8s,k8s/crd,marathon,rancher,tcp]** Add weighted round robin load balancer on TCP ([#5380](https://github.com/containous/traefik/pull/5380) by [juliens](https://github.com/juliens))
+- **[docker,tcp]** Add support for TCP labels in Docker provider ([#4621](https://github.com/containous/traefik/pull/4621) by [juliens](https://github.com/juliens))
+- **[docker]** Adds default rule system on Docker provider. ([#4413](https://github.com/containous/traefik/pull/4413) by [ldez](https://github.com/ldez))
+- **[docker]** Adds Docker provider support ([#4399](https://github.com/containous/traefik/pull/4399) by [ldez](https://github.com/ldez))
+- **[docker]** Update to Go1.12. Support of TLS1.3 ([#4540](https://github.com/containous/traefik/pull/4540) by [ldez](https://github.com/ldez))
+- **[etcd]** Remove etcd v2 ([#3739](https://github.com/containous/traefik/pull/3739) by [geraldcroes](https://github.com/geraldcroes))
+- **[file]** Restrict traefik.toml to static configuration. ([#5090](https://github.com/containous/traefik/pull/5090) by [ldez](https://github.com/ldez))
+- **[file]** Support YAML for the dynamic configuration. ([#5024](https://github.com/containous/traefik/pull/5024) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd,k8s/ingress]** Correct Kubernetes Ingress and IngressRoute port heuristic for choosing HTTPS ([#5167](https://github.com/containous/traefik/pull/5167) by [seh](https://github.com/seh))
+- **[k8s,k8s/crd,k8s/ingress]** Fix kubernetes id name ([#5383](https://github.com/containous/traefik/pull/5383) by [mmatur](https://github.com/mmatur))
+- **[k8s,k8s/crd,tcp]** Add support for TCP (in kubernetes CRD) ([#4885](https://github.com/containous/traefik/pull/4885) by [mpl](https://github.com/mpl))
+- **[k8s,k8s/crd,tls]** Define TLS options on the Router configuration for Kubernetes ([#4973](https://github.com/containous/traefik/pull/4973) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/crd]** Add passHostHeader and responseForwarding in IngressRoute ([#5368](https://github.com/containous/traefik/pull/5368) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/crd]** Add scheme to IngressRoute. ([#5062](https://github.com/containous/traefik/pull/5062) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/ingress]** Renamed `kubernetes` provider in `kubernetesIngress` provider ([#5068](https://github.com/containous/traefik/pull/5068) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** Add TLS-enabled Router ([#5162](https://github.com/containous/traefik/pull/5162) by [dtomcej](https://github.com/dtomcej))
+- **[k8s/ingress]** Adds Kubernetes provider support ([#4476](https://github.com/containous/traefik/pull/4476) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s/ingress]** Adds update ingress status ([#4603](https://github.com/containous/traefik/pull/4603) by [juliens](https://github.com/juliens))
+- **[k8s/ingress]** k8s integration tests ([#4569](https://github.com/containous/traefik/pull/4569) by [juliens](https://github.com/juliens))
+- **[k8s/ingress]** Custom resource definition ([#4591](https://github.com/containous/traefik/pull/4591) by [ldez](https://github.com/ldez))
+- **[logs]** Improve error on router without service. ([#5126](https://github.com/containous/traefik/pull/5126) by [ldez](https://github.com/ldez))
+- **[logs]** log.loglevel becomes log.level in configuration ([#4775](https://github.com/containous/traefik/pull/4775) by [juliens](https://github.com/juliens))
+- **[logs]** Drop headers by default in access logs. ([#5034](https://github.com/containous/traefik/pull/5034) by [ldez](https://github.com/ldez))
+- **[logs]** Default to CLF when accesslog format is unsupported ([#5314](https://github.com/containous/traefik/pull/5314) by [mpl](https://github.com/mpl))
+- **[marathon,tcp]** Handle TCP in the marathon provider ([#4728](https://github.com/containous/traefik/pull/4728) by [juliens](https://github.com/juliens))
+- **[marathon]** Adds Marathon support. ([#4415](https://github.com/containous/traefik/pull/4415) by [ldez](https://github.com/ldez))
+- **[metrics]** Add Metrics ([#5111](https://github.com/containous/traefik/pull/5111) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Add HTTP authentication to influxdb metric backend ([#3600](https://github.com/containous/traefik/pull/3600) by [halfa](https://github.com/halfa))
+- **[middleware,k8s,k8s/crd]** k8s ErrorPage middleware now uses k8s service ([#5339](https://github.com/containous/traefik/pull/5339) by [juliens](https://github.com/juliens))
+- **[middleware,k8s/crd]** Handle cross-provider middleware in kubernetes CRD ([#5009](https://github.com/containous/traefik/pull/5009) by [mpl](https://github.com/mpl))
+- **[middleware,provider]** Change the provider separator from . to @ ([#4982](https://github.com/containous/traefik/pull/4982) by [ldez](https://github.com/ldez))
+- **[middleware,provider]** Add Feature-Policy header support ([#5156](https://github.com/containous/traefik/pull/5156) by [dtomcej](https://github.com/dtomcej))
+- **[middleware,tracing]** Re enable ratelimit integration tests ([#5288](https://github.com/containous/traefik/pull/5288) by [mmatur](https://github.com/mmatur))
+- **[middleware,provider]** IPStrategy for selecting IP in whitelist ([#3778](https://github.com/containous/traefik/pull/3778) by [juliens](https://github.com/juliens))
+- **[middleware,provider]** Enables the use of elements declared in other providers ([#4372](https://github.com/containous/traefik/pull/4372) by [geraldcroes](https://github.com/geraldcroes))
+- **[middleware]** Migrates the pass client tls cert middleware ([#4373](https://github.com/containous/traefik/pull/4373) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[middleware]** Migrates Compress from bool to struct ([#3714](https://github.com/containous/traefik/pull/3714) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[middleware]** Updates for jaeger tracing client. ([#3688](https://github.com/containous/traefik/pull/3688) by [tcolgate](https://github.com/tcolgate))
+- **[middleware]** Add forwarded headers on entry point configuration ([#4364](https://github.com/containous/traefik/pull/4364) by [juliens](https://github.com/juliens))
+- **[middleware]** SchemeRedirect Middleware ([#4400](https://github.com/containous/traefik/pull/4400) by [geraldcroes](https://github.com/geraldcroes))
+- **[middleware]** Add rate limiter, rename maxConn into inFlightReq ([#5246](https://github.com/containous/traefik/pull/5246) by [mpl](https://github.com/mpl))
+- **[middleware]** Disable RateLimit temporarily ([#5123](https://github.com/containous/traefik/pull/5123) by [juliens](https://github.com/juliens))
+- **[middleware]** Enable CORS configuration ([#3809](https://github.com/containous/traefik/pull/3809) by [dtomcej](https://github.com/dtomcej))
+- **[provider]** New constraints management. ([#4965](https://github.com/containous/traefik/pull/4965) by [ldez](https://github.com/ldez))
+- **[provider]** Remove BaseProvider ([#4661](https://github.com/containous/traefik/pull/4661) by [ldez](https://github.com/ldez))
+- **[provider]** Use name@provider instead of provider@name. ([#4990](https://github.com/containous/traefik/pull/4990) by [ldez](https://github.com/ldez))
+- **[provider]** Add health check timeout parameter ([#3813](https://github.com/containous/traefik/pull/3813) by [jbiel](https://github.com/jbiel))
+- **[provider]** Removes deprecated templates ([#3649](https://github.com/containous/traefik/pull/3649) by [geraldcroes](https://github.com/geraldcroes))
+- **[provider]** Remove everything templates related ([#4595](https://github.com/containous/traefik/pull/4595) by [mpl](https://github.com/mpl))
+- **[provider]** Small code enhancements on providers ([#3707](https://github.com/containous/traefik/pull/3707) by [vdemeester](https://github.com/vdemeester))
+- **[provider]** Migrate rest provider ([#4253](https://github.com/containous/traefik/pull/4253) by [juliens](https://github.com/juliens))
+- **[provider]** Labels parser. ([#4236](https://github.com/containous/traefik/pull/4236) by [ldez](https://github.com/ldez))
+- **[rancher]** Add Rancher provider ([#4647](https://github.com/containous/traefik/pull/4647) by [SantoDE](https://github.com/SantoDE))
+- **[rules]** New rule syntax ([#4437](https://github.com/containous/traefik/pull/4437) by [juliens](https://github.com/juliens))
+- **[server]** Adds mirroring service ([#5251](https://github.com/containous/traefik/pull/5251) by [juliens](https://github.com/juliens))
+- **[server]** Add support proxyprotocol v2 ([#4755](https://github.com/containous/traefik/pull/4755) by [c0va23](https://github.com/c0va23))
+- **[server]** WeightedRoundRobin load balancer ([#5237](https://github.com/containous/traefik/pull/5237) by [juliens](https://github.com/juliens))
+- **[server]** Make HTTP Keep-Alive timeout configurable for backend connections ([#4983](https://github.com/containous/traefik/pull/4983) by [mszabo-wikia](https://github.com/mszabo-wikia))
+- **[server]** Rework loadbalancer support ([#4933](https://github.com/containous/traefik/pull/4933) by [juliens](https://github.com/juliens))
+- **[server]** Use h2c from x/net to handle h2c requests ([#5045](https://github.com/containous/traefik/pull/5045) by [juliens](https://github.com/juliens))
+- **[server]** Dynamic Configuration Refactoring ([#4168](https://github.com/containous/traefik/pull/4168) by [ldez](https://github.com/ldez))
+- **[server]** Remove old global config and use new static config ([#4222](https://github.com/containous/traefik/pull/4222) by [juliens](https://github.com/juliens))
+- **[sticky-session]** HttpOnly and Secure flags on the affinity cookie ([#4947](https://github.com/containous/traefik/pull/4947) by [gheibia](https://github.com/gheibia))
+- **[tcp]** Adds TCP support ([#4587](https://github.com/containous/traefik/pull/4587) by [juliens](https://github.com/juliens))
+- **[tls]** Define a TLS section to group TLS, TLSOptions, and TLSStores. ([#5031](https://github.com/containous/traefik/pull/5031) by [ldez](https://github.com/ldez))
+- **[tls]** TLSOptions: handle conflict: same host name, different TLS options ([#5056](https://github.com/containous/traefik/pull/5056) by [mpl](https://github.com/mpl))
+- **[tls]** Define TLS options on the Router configuration ([#4931](https://github.com/containous/traefik/pull/4931) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[tls]** Expand Client Auth Type configuration ([#5078](https://github.com/containous/traefik/pull/5078) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[tracing]** Improve tracing ([#5010](https://github.com/containous/traefik/pull/5010) by [mmatur](https://github.com/mmatur))
+- **[tracing]** Add Jaeger collector endpoint ([#5082](https://github.com/containous/traefik/pull/5082) by [rmfitzpatrick](https://github.com/rmfitzpatrick))
+- **[tracing]** Update tracing dependencies ([#4721](https://github.com/containous/traefik/pull/4721) by [ldez](https://github.com/ldez))
+- **[tracing]** Added support for Haystack tracing ([#4555](https://github.com/containous/traefik/pull/4555) by [aantono](https://github.com/aantono))
+- **[tracing]** Update Zipkin OpenTracing driver to latest 0.4.3 release ([#5283](https://github.com/containous/traefik/pull/5283) by [basvanbeek](https://github.com/basvanbeek))
+- **[tracing]** Instana tracer implementation ([#4453](https://github.com/containous/traefik/pull/4453) by [notsureifkevin](https://github.com/notsureifkevin))
+- **[tracing]** Make Zipkin trace rate configurable ([#3968](https://github.com/containous/traefik/pull/3968) by [negz](https://github.com/negz))
+- **[webui]** refactor(webui): use @vue/cli to bootstrap new ui ([#5091](https://github.com/containous/traefik/pull/5091) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Add a new dashboard page ([#5249](https://github.com/containous/traefik/pull/5249) by [Basgrani](https://github.com/Basgrani))
+- **[webui]** Add doc and version in navbar ([#5137](https://github.com/containous/traefik/pull/5137) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Use components to split Home concerns ([#5136](https://github.com/containous/traefik/pull/5136) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Add more pages in the WebUI ([#5278](https://github.com/containous/traefik/pull/5278) by [Basgrani](https://github.com/Basgrani))
+- **[webui]** feat(webui/dashboard): init new dashboard ([#5105](https://github.com/containous/traefik/pull/5105) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Upgrade angular cli version ([#4450](https://github.com/containous/traefik/pull/4450) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Update docker node version ([#4448](https://github.com/containous/traefik/pull/4448) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Ignore target/dependencies in docker copy ([#4449](https://github.com/containous/traefik/pull/4449) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Format code with prettier ([#4463](https://github.com/containous/traefik/pull/4463) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** No need for npm progress=false ([#3702](https://github.com/containous/traefik/pull/3702) by [vdemeester](https://github.com/vdemeester))
+- **[webui]** Migrate to a work in progress webui ([#4568](https://github.com/containous/traefik/pull/4568) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Include lint in build process ([#4462](https://github.com/containous/traefik/pull/4462) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** Dropping rxjs-compat in favor of pipe ([#4520](https://github.com/containous/traefik/pull/4520) by [imcotton](https://github.com/imcotton))
+- Move dynamic config into a dedicated package. ([#5075](https://github.com/containous/traefik/pull/5075) by [ldez](https://github.com/ldez))
+- Disable collect data by default. ([#5393](https://github.com/containous/traefik/pull/5393) by [ldez](https://github.com/ldez))
+- Bump x/sys to support Risc-V architecture ([#5245](https://github.com/containous/traefik/pull/5245) by [carlosedp](https://github.com/carlosedp))
+- New packaging system. ([#4593](https://github.com/containous/traefik/pull/4593) by [ldez](https://github.com/ldez))
+- Updates Backoff ([#4457](https://github.com/containous/traefik/pull/4457) by [ldez](https://github.com/ldez))
+- Remove the bug command ([#4556](https://github.com/containous/traefik/pull/4556) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Small code enhancements ([#3712](https://github.com/containous/traefik/pull/3712) by [mmatur](https://github.com/mmatur))
+- Remove deprecated elements ([#3666](https://github.com/containous/traefik/pull/3666) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Clean old ([#4612](https://github.com/containous/traefik/pull/4612) by [ldez](https://github.com/ldez))
+- Update anonymize/collect ([#4590](https://github.com/containous/traefik/pull/4590) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Bug fixes:**
+- **[api,webui]** Improve documentation about API and Dashboard. ([#5364](https://github.com/containous/traefik/pull/5364) by [ldez](https://github.com/ldez))
+- **[api]** Add errors about unknown entryPoint in runtime api ([#5265](https://github.com/containous/traefik/pull/5265) by [juliens](https://github.com/juliens))
+- **[api]** Add provider in middleware chain ([#5334](https://github.com/containous/traefik/pull/5334) by [juliens](https://github.com/juliens))
+- **[cli]** fix: boolean flag parsing with map. ([#5372](https://github.com/containous/traefik/pull/5372) by [ldez](https://github.com/ldez))
+- **[cli]** Return an error when help is called on a non existing command. ([#4977](https://github.com/containous/traefik/pull/4977) by [ldez](https://github.com/ldez))
+- **[cli]** Filter env vars configuration ([#4985](https://github.com/containous/traefik/pull/4985) by [ldez](https://github.com/ldez))
+- **[cli]** Fix some CLI bugs ([#4989](https://github.com/containous/traefik/pull/4989) by [ldez](https://github.com/ldez))
+- **[cli]** Change the loading resource order ([#5007](https://github.com/containous/traefik/pull/5007) by [ldez](https://github.com/ldez))
+- **[cli]** Apply the case of the CLI flags for the configuration ([#5153](https://github.com/containous/traefik/pull/5153) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[cli]** Don't allow non flag arguments by default. ([#4970](https://github.com/containous/traefik/pull/4970) by [ldez](https://github.com/ldez))
+- **[docker]** Insensitive case for allow-empty value. ([#4745](https://github.com/containous/traefik/pull/4745) by [ldez](https://github.com/ldez))
+- **[file]** fix: TLS configuration from directory. ([#5118](https://github.com/containous/traefik/pull/5118) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd]** Fix log messages about label selector ([#4629](https://github.com/containous/traefik/pull/4629) by [mpl](https://github.com/mpl))
+- **[k8s,k8s/crd]** fix: TLS domains with IngressRoute. ([#5327](https://github.com/containous/traefik/pull/5327) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd]** Remove IngressEndpoint in CRD provider ([#4616](https://github.com/containous/traefik/pull/4616) by [juliens](https://github.com/juliens))
+- **[logs]** fix: logger and context. ([#5370](https://github.com/containous/traefik/pull/5370) by [ldez](https://github.com/ldez))
+- **[logs]** fix: error log message. ([#5020](https://github.com/containous/traefik/pull/5020) by [ldez](https://github.com/ldez))
+- **[logs]** Fix typos in data collection message ([#4891](https://github.com/containous/traefik/pull/4891) by [mpl](https://github.com/mpl))
+- **[logs]** Allow user to configure traefik log ([#4604](https://github.com/containous/traefik/pull/4604) by [mmatur](https://github.com/mmatur))
+- **[metrics,tracing]** fix: Datadog case. ([#5272](https://github.com/containous/traefik/pull/5272) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix prometheus metrics ([#5152](https://github.com/containous/traefik/pull/5152) by [mmatur](https://github.com/mmatur))
+- **[middleware,k8s,k8s/crd]** The chain middleware in k8s use middlewareRef ([#5290](https://github.com/containous/traefik/pull/5290) by [juliens](https://github.com/juliens))
+- **[middleware]** Set X-Forwarded-* headers ([#4707](https://github.com/containous/traefik/pull/4707) by [mpl](https://github.com/mpl))
+- **[middleware]** Fix `url.Parse` due to go1.12.8 changes. ([#5207](https://github.com/containous/traefik/pull/5207) by [ldez](https://github.com/ldez))
+- **[middleware]** fix: stripPrefix and stripPrefixRegex. ([#5291](https://github.com/containous/traefik/pull/5291) by [ldez](https://github.com/ldez))
+- **[middleware]** Improve rate limiter tests ([#5310](https://github.com/containous/traefik/pull/5310) by [mpl](https://github.com/mpl))
+- **[middleware]** Fix response modifier initial building ([#4719](https://github.com/containous/traefik/pull/4719) by [mpl](https://github.com/mpl))
+- **[middleware]** Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP ([#5012](https://github.com/containous/traefik/pull/5012) by [stffabi](https://github.com/stffabi))
+- **[middleware]** fix buffering middleware ([#5281](https://github.com/containous/traefik/pull/5281) by [ldez](https://github.com/ldez))
+- **[middleware]** Don't panic with undefined middleware ([#5289](https://github.com/containous/traefik/pull/5289) by [ldez](https://github.com/ldez))
+- **[middleware]** Properly add response headers for CORS ([#4857](https://github.com/containous/traefik/pull/4857) by [dtomcej](https://github.com/dtomcej))
+- **[rules]** Allow matching with FQDN hosts with trailing periods ([#4763](https://github.com/containous/traefik/pull/4763) by [dtomcej](https://github.com/dtomcej))
+- **[server]** Fix panic while server shutdown ([#4644](https://github.com/containous/traefik/pull/4644) by [juliens](https://github.com/juliens))
+- **[server]** Write HTTP server logs into the global logger. ([#5329](https://github.com/containous/traefik/pull/5329) by [ldez](https://github.com/ldez))
+- **[server]** Fix problem in aggregator provider ([#4625](https://github.com/containous/traefik/pull/4625) by [juliens](https://github.com/juliens))
+- **[server]** Fix lock problem in server ([#4600](https://github.com/containous/traefik/pull/4600) by [juliens](https://github.com/juliens))
+- **[service,websocket]** Fix recovered panic when websocket is mirrored ([#5255](https://github.com/containous/traefik/pull/5255) by [juliens](https://github.com/juliens))
+- **[tcp]** Fix EOF error ([#4733](https://github.com/containous/traefik/pull/4733) by [juliens](https://github.com/juliens))
+- **[tcp]** Don't add TCP proxy when error occurs during creation. ([#4858](https://github.com/containous/traefik/pull/4858) by [ldez](https://github.com/ldez))
+- **[tcp]** Remove first byte wait when tcp catches all ([#4938](https://github.com/containous/traefik/pull/4938) by [juliens](https://github.com/juliens))
+- **[tcp]** On client CloseWrite, do CloseWrite instead of Close for backend ([#5366](https://github.com/containous/traefik/pull/5366) by [juliens](https://github.com/juliens))
+- **[tls]** Fix panic in TLS stores handling ([#4997](https://github.com/containous/traefik/pull/4997) by [juliens](https://github.com/juliens))
+- **[webui]** Rest provider icon in the webui ([#5261](https://github.com/containous/traefik/pull/5261) by [mmatur](https://github.com/mmatur))
+- **[webui]** Web UI graph names. ([#5389](https://github.com/containous/traefik/pull/5389) by [ldez](https://github.com/ldez))
+- **[webui]** fix: passHostHeader in the webUI. ([#5369](https://github.com/containous/traefik/pull/5369) by [ldez](https://github.com/ldez))
+- Fix trailing slash with check new version ([#5266](https://github.com/containous/traefik/pull/5266) by [mmatur](https://github.com/mmatur))
+- Ensure WaitGroup.Done() is always called ([#5026](https://github.com/containous/traefik/pull/5026) by [bsdelf](https://github.com/bsdelf))
+- Clean files during tests. ([#4607](https://github.com/containous/traefik/pull/4607) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme,docker]** Removed extra colon before the 8080 docker port ([#5209](https://github.com/containous/traefik/pull/5209) by [fairwood136](https://github.com/fairwood136))
+- **[acme,docker]** Add a docker-compose & let's encrypt user-guide ([#5121](https://github.com/containous/traefik/pull/5121) by [pbenefice](https://github.com/pbenefice))
+- **[acme,docker]** Synchronize documentation ([#4571](https://github.com/containous/traefik/pull/4571) by [juliens](https://github.com/juliens))
+- **[acme,k8s,k8s/crd]** Full ACME+CRD example ([#4652](https://github.com/containous/traefik/pull/4652) by [mpl](https://github.com/mpl))
+- **[acme,k8s/crd]** Fix: CRD user guide ([#5244](https://github.com/containous/traefik/pull/5244) by [ldez](https://github.com/ldez))
+- **[acme,tls]** docs: rewrite of the HTTPS and TLS section ([#4980](https://github.com/containous/traefik/pull/4980) by [mpl](https://github.com/mpl))
+- **[acme]** Lets encrypt documentation typo ([#5127](https://github.com/containous/traefik/pull/5127) by [juliens](https://github.com/juliens))
+- **[acme]** Use the same case every where for entryPoints. ([#4764](https://github.com/containous/traefik/pull/4764) by [ldez](https://github.com/ldez))
+- **[acme]** doc/crd-acme: specify required kubectl version ([#5015](https://github.com/containous/traefik/pull/5015) by [mpl](https://github.com/mpl))
+- **[acme]** Enhance manual dnsChallenge documentation ([#4636](https://github.com/containous/traefik/pull/4636) by [ntaranov](https://github.com/ntaranov))
+- **[acme]** Fix error in the documentation for CLI configuration example ([#5392](https://github.com/containous/traefik/pull/5392) by [MycTl](https://github.com/MycTl))
+- **[acme]** Add note about ACME renewal ([#4860](https://github.com/containous/traefik/pull/4860) by [dtomcej](https://github.com/dtomcej))
+- **[acme]** Fix acme example ([#5130](https://github.com/containous/traefik/pull/5130) by [jamct](https://github.com/jamct))
+- **[acme]** Rename Docker_Acme.md to Readme.md ([#4025](https://github.com/containous/traefik/pull/4025) by [vineetvermait](https://github.com/vineetvermait))
+- **[acme]** Enhance acme page. ([#4611](https://github.com/containous/traefik/pull/4611) by [ldez](https://github.com/ldez))
+- **[acme]** fix: some DNS provider link. ([#3637](https://github.com/containous/traefik/pull/3637) by [ldez](https://github.com/ldez))
+- **[docker,marathon]** Update Dynamic Configuration Reference for both Docker and Marathon ([#5100](https://github.com/containous/traefik/pull/5100) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[docker]** Remove traefik.port from documentation ([#4886](https://github.com/containous/traefik/pull/4886) by [ldez](https://github.com/ldez))
+- **[docker]** Fix two minor nits in Traefik 2.0 docs ([#4692](https://github.com/containous/traefik/pull/4692) by [cfra](https://github.com/cfra))
+- **[docker]** Fix Getting started ([#4646](https://github.com/containous/traefik/pull/4646) by [mmatur](https://github.com/mmatur))
+- **[docker]** docker-compose examples ([#4642](https://github.com/containous/traefik/pull/4642) by [karnthis](https://github.com/karnthis))
+- **[docker]** Clarify docs with labels in Swarm Mode ([#4847](https://github.com/containous/traefik/pull/4847) by [mikesir87](https://github.com/mikesir87))
+- **[file]** Update the file provider documentation ([#4588](https://github.com/containous/traefik/pull/4588) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/crd]** k8s static configuration explanation ([#4767](https://github.com/containous/traefik/pull/4767) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd]** doc: kubernetes CRD provider ([#4620](https://github.com/containous/traefik/pull/4620) by [mpl](https://github.com/mpl))
+- **[k8s,k8s/ingress]** Add documentation about Kubernetes Ingress provider ([#5112](https://github.com/containous/traefik/pull/5112) by [mpl](https://github.com/mpl))
+- **[k8s/crd]** user guide: fix a mistake in the deployment definition ([#5096](https://github.com/containous/traefik/pull/5096) by [ldez](https://github.com/ldez))
+- **[k8s]** Fix typo in the CRD documentation ([#4902](https://github.com/containous/traefik/pull/4902) by [llussy](https://github.com/llussy))
+- **[marathon]** Enhance Marathon documentation ([#4776](https://github.com/containous/traefik/pull/4776) by [ldez](https://github.com/ldez))
+- **[middleware,k8s,k8s/crd]** Fix typo: middleware -> middlewares. ([#4781](https://github.com/containous/traefik/pull/4781) by [ldez](https://github.com/ldez))
+- **[middleware,k8s/crd]** doc: fix middleware names for CRD. ([#4966](https://github.com/containous/traefik/pull/4966) by [ldez](https://github.com/ldez))
+- **[middleware,provider]** fix the documentation about middleware labels. ([#4888](https://github.com/containous/traefik/pull/4888) by [ldez](https://github.com/ldez))
+- **[middleware]** Fix Kubernetes Docs for Middlewares ([#4943](https://github.com/containous/traefik/pull/4943) by [HurricanKai](https://github.com/HurricanKai))
+- **[middleware]** Adds a reference to the middleware overview. ([#4824](https://github.com/containous/traefik/pull/4824) by [ldez](https://github.com/ldez))
+- **[middleware]** docker-compose labels require $'s to be escaped ([#5225](https://github.com/containous/traefik/pull/5225) by [Makeshift](https://github.com/Makeshift))
+- **[middleware]** Fix doc about removing headers ([#4708](https://github.com/containous/traefik/pull/4708) by [mpl](https://github.com/mpl))
+- **[middleware]** Remove invalid commas. ([#4706](https://github.com/containous/traefik/pull/4706) by [ldez](https://github.com/ldez))
+- **[middleware]** Adds middlewares examples for k8s. ([#4713](https://github.com/containous/traefik/pull/4713) by [ldez](https://github.com/ldez))
+- **[middleware]** Update the middleware documentation ([#4729](https://github.com/containous/traefik/pull/4729) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[middleware]** fix: stripPrefixRegex documentation. ([#5273](https://github.com/containous/traefik/pull/5273) by [ldez](https://github.com/ldez))
+- **[middleware]** Correct typo in documentation on rate limiting ([#4939](https://github.com/containous/traefik/pull/4939) by [ableuler](https://github.com/ableuler))
+- **[middleware]** Improve middleware documentation. ([#5003](https://github.com/containous/traefik/pull/5003) by [ldez](https://github.com/ldez))
+- **[middleware]** Enhance middleware examples. ([#4680](https://github.com/containous/traefik/pull/4680) by [ldez](https://github.com/ldez))
+- **[middleware]** docker-compose basic auth needs double dollar signs ([#4831](https://github.com/containous/traefik/pull/4831) by [muhlemmer](https://github.com/muhlemmer))
+- **[middleware]** Fixed a typo in label. ([#5128](https://github.com/containous/traefik/pull/5128) by [jamct](https://github.com/jamct))
+- **[middleware]** Review documentation ([#4798](https://github.com/containous/traefik/pull/4798) by [ldez](https://github.com/ldez))
+- **[middleware]** Kubernetes CRD documentation fixes ([#4971](https://github.com/containous/traefik/pull/4971) by [orhanhenrik](https://github.com/orhanhenrik))
+- **[middleware]** compress link fixed ([#4817](https://github.com/containous/traefik/pull/4817) by [gato](https://github.com/gato))
+- **[middleware]** Fix typo in forwardAuth middleware documentation ([#4638](https://github.com/containous/traefik/pull/4638) by [AkeemMcLennon](https://github.com/AkeemMcLennon))
+- **[middleware]** change doc references to scheme[Rr]edirect -> redirect[Ss]cheme ([#4959](https://github.com/containous/traefik/pull/4959) by [topiaruss](https://github.com/topiaruss))
+- **[middleware]** Update headers middleware docs for kubernetes crd ([#4955](https://github.com/containous/traefik/pull/4955) by [orhanhenrik](https://github.com/orhanhenrik))
+- **[middleware]** Fix strip prefix documentation ([#4829](https://github.com/containous/traefik/pull/4829) by [mmatur](https://github.com/mmatur))
+- **[provider]** Improve providers documentation. ([#5050](https://github.com/containous/traefik/pull/5050) by [ldez](https://github.com/ldez))
+- **[rancher]** fix: Rancher documentation. ([#4818](https://github.com/containous/traefik/pull/4818) by [ldez](https://github.com/ldez))
+- **[rancher]** Specify that Rancher provider is for 1.x only ([#4923](https://github.com/containous/traefik/pull/4923) by [bradjones1](https://github.com/bradjones1))
+- **[server]** Add gRPC user guide ([#5042](https://github.com/containous/traefik/pull/5042) by [ldez](https://github.com/ldez))
+- **[tcp]** Use rule HostSNI in documentation ([#4592](https://github.com/containous/traefik/pull/4592) by [bbinet](https://github.com/bbinet))
+- **[tls]** fix: typo in routing example. ([#4849](https://github.com/containous/traefik/pull/4849) by [ldez](https://github.com/ldez))
+- **[tracing]** Improve tracing documentation ([#5102](https://github.com/containous/traefik/pull/5102) by [mmatur](https://github.com/mmatur))
+- **[tracing]** Fix typo in tracing docs ([#4737](https://github.com/containous/traefik/pull/4737) by [timoschwarzer](https://github.com/timoschwarzer))
+- **[webui]** change docs and adjust dashboard for v2 alpha ([#4632](https://github.com/containous/traefik/pull/4632) by [SantoDE](https://github.com/SantoDE))
+- doc: improve examples. ([#5132](https://github.com/containous/traefik/pull/5132) by [ldez](https://github.com/ldez))
+- Fixed readme misspelling ([#4882](https://github.com/containous/traefik/pull/4882) by [antondalgren](https://github.com/antondalgren))
+- Prepare release v2.0.0-rc2 ([#5293](https://github.com/containous/traefik/pull/5293) by [ldez](https://github.com/ldez))
+- Fix typos in documentation ([#4884](https://github.com/containous/traefik/pull/4884) by [michael-k](https://github.com/michael-k))
+- Fixed spelling typo ([#4848](https://github.com/containous/traefik/pull/4848) by [mikesir87](https://github.com/mikesir87))
+- Enhance the Retry Middleware Documentation ([#5298](https://github.com/containous/traefik/pull/5298) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Clarification of the correct pronunciation of the word "Traefik" ([#4834](https://github.com/containous/traefik/pull/4834) by [ylamlum-g4m](https://github.com/ylamlum-g4m))
+- Improve the "reading path" for new contributors ([#4908](https://github.com/containous/traefik/pull/4908) by [dduportal](https://github.com/dduportal))
+- Fix some documentation issues ([#5286](https://github.com/containous/traefik/pull/5286) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Entry points CLI description. ([#4896](https://github.com/containous/traefik/pull/4896) by [ldez](https://github.com/ldez))
+- Add Mathieu Lonjaret to maintainers ([#4950](https://github.com/containous/traefik/pull/4950) by [emilevauge](https://github.com/emilevauge))
+- Prepare release v2.0.0-alpha5 ([#4967](https://github.com/containous/traefik/pull/4967) by [ldez](https://github.com/ldez))
+- Minor fix in documentation ([#4811](https://github.com/containous/traefik/pull/4811) by [mmatur](https://github.com/mmatur))
+- Prepare release v2.0.0-alpha6. ([#4975](https://github.com/containous/traefik/pull/4975) by [ldez](https://github.com/ldez))
+- Fix a typo in documentation ([#4794](https://github.com/containous/traefik/pull/4794) by [groovytron](https://github.com/groovytron))
+- Prepare release v2.0.0-alpha4. ([#4788](https://github.com/containous/traefik/pull/4788) by [ldez](https://github.com/ldez))
+- Remove dumpcerts.sh ([#4783](https://github.com/containous/traefik/pull/4783) by [ldez](https://github.com/ldez))
+- Base of the migration guide ([#5263](https://github.com/containous/traefik/pull/5263) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Prepare release v2.0.0-alpha7 ([#5001](https://github.com/containous/traefik/pull/5001) by [ldez](https://github.com/ldez))
+- misc documentation fixes ([#5302](https://github.com/containous/traefik/pull/5302) by [mpl](https://github.com/mpl))
+- Fix some minors errors on the documentation ([#4664](https://github.com/containous/traefik/pull/4664) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Adds a note in traefik.sample.toml ([#4757](https://github.com/containous/traefik/pull/4757) by [ldez](https://github.com/ldez))
+- Prepare release v2.0.0-rc1 ([#5252](https://github.com/containous/traefik/pull/5252) by [ldez](https://github.com/ldez))
+- Use the same case everywhere ([#5043](https://github.com/containous/traefik/pull/5043) by [ldez](https://github.com/ldez))
+- Improve the Documentation with a Reference Section ([#4714](https://github.com/containous/traefik/pull/4714) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Prepare release v2.0.0-alpha8 ([#5049](https://github.com/containous/traefik/pull/5049) by [ldez](https://github.com/ldez))
+- Add a basic Traefik install guide ([#5117](https://github.com/containous/traefik/pull/5117) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- AML indent for domains under TLS documentation section ([#5173](https://github.com/containous/traefik/pull/5173) by [edvincent](https://github.com/edvincent))
+- Update to v2.0 readme links ([#4700](https://github.com/containous/traefik/pull/4700) by [karnthis](https://github.com/karnthis))
+- Prepare release v2.0.0-alpha3. ([#4693](https://github.com/containous/traefik/pull/4693) by [ldez](https://github.com/ldez))
+- Misc documentation fixes ([#5307](https://github.com/containous/traefik/pull/5307) by [ldez](https://github.com/ldez))
+- Update restrictions in the documentation. ([#5270](https://github.com/containous/traefik/pull/5270) by [ldez](https://github.com/ldez))
+- Prepare release v2.0.0-rc3 ([#5343](https://github.com/containous/traefik/pull/5343) by [ldez](https://github.com/ldez))
+- Fix typos in docs ([#4662](https://github.com/containous/traefik/pull/4662) by [SeMeKh](https://github.com/SeMeKh))
+- Update traefik.sample.toml ([#4657](https://github.com/containous/traefik/pull/4657) by [ldez](https://github.com/ldez))
+- fix: services configuration documentation. ([#5359](https://github.com/containous/traefik/pull/5359) by [ldez](https://github.com/ldez))
+- Remove old links in readme ([#4651](https://github.com/containous/traefik/pull/4651) by [ldez](https://github.com/ldez))
+- fix a service with one server .yaml example ([#5373](https://github.com/containous/traefik/pull/5373) by [zaverden](https://github.com/zaverden))
+- Prepare release v2.0.0-rc4 ([#5384](https://github.com/containous/traefik/pull/5384) by [ldez](https://github.com/ldez))
+- Fix dead maintainers link on the README.md ([#4639](https://github.com/containous/traefik/pull/4639) by [benjaminch](https://github.com/benjaminch))
+- Prepare release v2.0.0-beta1 ([#5129](https://github.com/containous/traefik/pull/5129) by [ldez](https://github.com/ldez))
+- Fix typo in documentation ([#5386](https://github.com/containous/traefik/pull/5386) by [adrienbrignon](https://github.com/adrienbrignon))
+- Prepare release v2.0.0-alpha2 ([#4635](https://github.com/containous/traefik/pull/4635) by [ldez](https://github.com/ldez))
+- Fix malformed rule ([#5133](https://github.com/containous/traefik/pull/5133) by [dtomcej](https://github.com/dtomcej))
+- Improve various parts of the documentation. ([#4996](https://github.com/containous/traefik/pull/4996) by [ldez](https://github.com/ldez))
+- Documentation Revamp ([#4475](https://github.com/containous/traefik/pull/4475) by [geraldcroes](https://github.com/geraldcroes))
+- Adds a maintainer's page into the documentation. ([#4614](https://github.com/containous/traefik/pull/4614) by [ldez](https://github.com/ldez))
+- Add Gerald, Jean-Baptiste and Damien to maintainers ([#3982](https://github.com/containous/traefik/pull/3982) by [emilevauge](https://github.com/emilevauge))
+- fix broken links in readme.md ([#3967](https://github.com/containous/traefik/pull/3967) by [AndrewSav](https://github.com/AndrewSav))
+- Add master overhaul notice ([#3961](https://github.com/containous/traefik/pull/3961) by [emilevauge](https://github.com/emilevauge))
+- Complete maintainers processes ([#3696](https://github.com/containous/traefik/pull/3696) by [mmatur](https://github.com/mmatur))
+- Complete maintainers processes ([#3681](https://github.com/containous/traefik/pull/3681) by [emilevauge](https://github.com/emilevauge))
+- Prepare release v2.0.0-alpha1 ([#4617](https://github.com/containous/traefik/pull/4617) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- Cherry pick v1.7 into v2.0 ([#5341](https://github.com/containous/traefik/pull/5341) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Cherry pick v1.7 into v2.0 ([#5192](https://github.com/containous/traefik/pull/5192) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into v2.0 ([#5115](https://github.com/containous/traefik/pull/5115) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Cherry pick v1.7 into v2.0 ([#4948](https://github.com/containous/traefik/pull/4948) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into v2.0 ([#4823](https://github.com/containous/traefik/pull/4823) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into v2.0 ([#4787](https://github.com/containous/traefik/pull/4787) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into v2.0 ([#4695](https://github.com/containous/traefik/pull/4695) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge v2.0.0-rc1 into master  ([#5253](https://github.com/containous/traefik/pull/5253) by [ldez](https://github.com/ldez))
+- Merge branch v2.0 into master  ([#5180](https://github.com/containous/traefik/pull/5180) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-alpha8 into master ([#5055](https://github.com/containous/traefik/pull/5055) by [ldez](https://github.com/ldez))
+- Merge current v2.0.0-alpha into master  ([#5022](https://github.com/containous/traefik/pull/5022) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-alpha6 into master ([#4984](https://github.com/containous/traefik/pull/4984) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-alpha4 into master ([#4789](https://github.com/containous/traefik/pull/4789) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-alpha3 into master ([#4694](https://github.com/containous/traefik/pull/4694) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into master ([#4565](https://github.com/containous/traefik/pull/4565) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Cherry pick v1.7 into master ([#4511](https://github.com/containous/traefik/pull/4511) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into master ([#4492](https://github.com/containous/traefik/pull/4492) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into master ([#4440](https://github.com/containous/traefik/pull/4440) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into master ([#4365](https://github.com/containous/traefik/pull/4365) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into master ([#4303](https://github.com/containous/traefik/pull/4303) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into master ([#4271](https://github.com/containous/traefik/pull/4271) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into master ([#4268](https://github.com/containous/traefik/pull/4268) by [ldez](https://github.com/ldez))
+- Cherry pick v1.7 into master ([#4229](https://github.com/containous/traefik/pull/4229) by [juliens](https://github.com/juliens))
+- Cherry pick v1.7 into master ([#4206](https://github.com/containous/traefik/pull/4206) by [ldez](https://github.com/ldez))
+- Merge v1.7.4 into master ([#4137](https://github.com/containous/traefik/pull/4137) by [ldez](https://github.com/ldez))
+- Merge v1.7.3 into master ([#4046](https://github.com/containous/traefik/pull/4046) by [ldez](https://github.com/ldez))
+- Merge current v1.7 into master ([#3992](https://github.com/containous/traefik/pull/3992) by [ldez](https://github.com/ldez))
+- Merge v1.7.2 into master ([#3983](https://github.com/containous/traefik/pull/3983) by [ldez](https://github.com/ldez))
+- Merge v1.7.0 into master ([#3925](https://github.com/containous/traefik/pull/3925) by [ldez](https://github.com/ldez))
+- Merge v1.7.0-rc5 into master ([#3903](https://github.com/containous/traefik/pull/3903) by [ldez](https://github.com/ldez))
+- Merge v1.7.0-rc4 into master ([#3867](https://github.com/containous/traefik/pull/3867) by [ldez](https://github.com/ldez))
+- Merge v1.7.0-rc2 into master ([#3634](https://github.com/containous/traefik/pull/3634) by [ldez](https://github.com/ldez))
+
+## [v2.0.0-rc4](https://github.com/containous/traefik/tree/v2.0.0-rc4) (2019-09-13)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc3...v2.0.0-rc4)
+
+**Enhancements:**
+- **[docker,k8s,k8s/crd,marathon,rancher,tcp]** Add weighted round robin load balancer on TCP ([#5380](https://github.com/containous/traefik/pull/5380) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/crd,k8s/ingress]** Fix kubernetes id name ([#5383](https://github.com/containous/traefik/pull/5383) by [mmatur](https://github.com/mmatur))
+- **[k8s,k8s/crd]** Add passHostHeader and responseForwarding in IngressRoute ([#5368](https://github.com/containous/traefik/pull/5368) by [juliens](https://github.com/juliens))
+
+**Bug fixes:**
+- **[api,webui]** Improve documentation about API and Dashboard. ([#5364](https://github.com/containous/traefik/pull/5364) by [ldez](https://github.com/ldez))
+- **[cli]** fix: boolean flag parsing with map. ([#5372](https://github.com/containous/traefik/pull/5372) by [ldez](https://github.com/ldez))
+- **[logs]** fix: logger and context. ([#5370](https://github.com/containous/traefik/pull/5370) by [ldez](https://github.com/ldez))
+- **[tcp]** On client CloseWrite, do CloseWrite instead of Close for backend ([#5366](https://github.com/containous/traefik/pull/5366) by [juliens](https://github.com/juliens))
+- **[webui]** fix: passHostHeader in the webUI. ([#5369](https://github.com/containous/traefik/pull/5369) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- fix a service with one server .yaml example ([#5373](https://github.com/containous/traefik/pull/5373) by [zaverden](https://github.com/zaverden))
+- fix: services configuration documentation. ([#5359](https://github.com/containous/traefik/pull/5359) by [ldez](https://github.com/ldez))
+
+## [v2.0.0-rc3](https://github.com/containous/traefik/tree/v2.0.0-rc3) (2019-09-10)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc2...v2.0.0-rc3)
+
+**Enhancements:**
+- **[acme,api,tracing]** New API security ([#5311](https://github.com/containous/traefik/pull/5311) by [juliens](https://github.com/juliens))
+- **[authentication,middleware,k8s,k8s/crd]** Auth middlewares in kubernetes CRD use secrets ([#5299](https://github.com/containous/traefik/pull/5299) by [juliens](https://github.com/juliens))
+- **[logs]** Default to CLF when accesslog format is unsupported ([#5314](https://github.com/containous/traefik/pull/5314) by [mpl](https://github.com/mpl))
+- **[middleware,k8s,k8s/crd]** k8s ErrorPage middleware now uses k8s service ([#5339](https://github.com/containous/traefik/pull/5339) by [juliens](https://github.com/juliens))
+- **[webui]** Add more pages in the WebUI ([#5278](https://github.com/containous/traefik/pull/5278) by [Basgrani](https://github.com/Basgrani))
+
+**Bug fixes:**
+- **[api]** Add provider in middleware chain ([#5334](https://github.com/containous/traefik/pull/5334) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/crd]** fix: TLS domains with IngressRoute. ([#5327](https://github.com/containous/traefik/pull/5327) by [ldez](https://github.com/ldez))
+- **[middleware]** Improve rate limiter tests ([#5310](https://github.com/containous/traefik/pull/5310) by [mpl](https://github.com/mpl))
+- **[server]** Write HTTP server logs into the global logger. ([#5329](https://github.com/containous/traefik/pull/5329) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Misc documentation fixes ([#5307](https://github.com/containous/traefik/pull/5307) by [ldez](https://github.com/ldez))
+- misc documentation fixes ([#5302](https://github.com/containous/traefik/pull/5302) by [mpl](https://github.com/mpl))
+- Enhance the Retry Middleware Documentation ([#5298](https://github.com/containous/traefik/pull/5298) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Misc:**
+- Cherry pick v1.7 into v2.0 ([#5341](https://github.com/containous/traefik/pull/5341) by [jbdoumenjou](https://github.com/jbdoumenjou))
 
 ## [v2.0.0-rc2](https://github.com/containous/traefik/tree/v2.0.0-rc2) (2019-09-03)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.0.0-rc2)
@@ -62,6 +461,13 @@
 **Misc:**
 - Cherry pick v1.7 into v2.0 ([#5192](https://github.com/containous/traefik/pull/5192) by [ldez](https://github.com/ldez))
 
+## [v1.7.14](https://github.com/containous/traefik/tree/v1.7.14) (2019-08-14)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.13...v1.7.14)
+
+**Bug fixes:**
+- Update to go1.12.8 ([#5201](https://github.com/containous/traefik/pull/5201) by [ldez](https://github.com/ldez)). HTTP/2 Denial of Service [CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) and [CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)
+- **[server]** Make hijackConnectionTracker.Close thread safe ([#5194](https://github.com/containous/traefik/pull/5194) by [jlevesy](https://github.com/jlevesy))
+
 ## [v1.7.13](https://github.com/containous/traefik/tree/v1.7.13) (2019-08-07)
 [All Commits](https://github.com/containous/traefik/compare/v1.7.12...v1.7.13)
 

README.md

@@ -33,7 +33,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:warning: Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
+:warning: Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
 
 ## Overview
 
@@ -69,18 +69,11 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 ## Supported Backends
 
-- [Docker](https://docs.traefik.io/configuration/backends/docker) / [Swarm mode](https://docs.traefik.io/configuration/backends/docker#docker-swarm-mode)
-- [Kubernetes](https://docs.traefik.io/configuration/backends/kubernetes)
-- [Mesos](https://docs.traefik.io/configuration/backends/mesos) / [Marathon](https://docs.traefik.io/configuration/backends/marathon)
-- [Rancher](https://docs.traefik.io/configuration/backends/rancher) (API, Metadata)
-- [Azure Service Fabric](https://docs.traefik.io/configuration/backends/servicefabric)
-- [Consul Catalog](https://docs.traefik.io/configuration/backends/consulcatalog)
-- [Consul](https://docs.traefik.io/configuration/backends/consul) / [Etcd](https://docs.traefik.io/configuration/backends/etcd) / [Zookeeper](https://docs.traefik.io/configuration/backends/zookeeper) / [BoltDB](https://docs.traefik.io/configuration/backends/boltdb)
-- [Eureka](https://docs.traefik.io/configuration/backends/eureka)
-- [Amazon ECS](https://docs.traefik.io/configuration/backends/ecs)
-- [Amazon DynamoDB](https://docs.traefik.io/configuration/backends/dynamodb)
+- [Docker](https://docs.traefik.io/providers/docker/) / [Swarm mode](https://docs.traefik.io/providers/docker/)
+- [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
+- [Marathon](https://docs.traefik.io/providers/marathon/)
+- [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
 - [File](https://docs.traefik.io/configuration/backends/file)
-- [Rest](https://docs.traefik.io/configuration/backends/rest)
 
 ## Quickstart
 
@@ -90,15 +83,14 @@ To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.
 
 You can access the simple HTML frontend of Traefik.
 
-![Web UI Providers](docs/content/assets/img/dashboard-main.png)
-![Web UI Health](docs/content/assets/img/dashboard-health.png)
+![Web UI Providers](docs/content/assets/img/webui-dashboard.png)
 
 ## Documentation
 
 You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
-:warning: If you're testing out v2, please ensure you are using the [v2 documentation](https://docs.traefik.io/v2.0/).
+:warning: If you're testing out v2, please ensure you are using the [v2 documentation](https://docs.traefik.io/).
 
 ## Support
 
@@ -129,7 +121,7 @@ git clone https://github.com/containous/traefik
 
 ## Introductory Videos
 
-:warning: Please be aware that these videos are for v1.X. The old configurations for Traefik v1.X are NOT compatible with Traefik v2. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
+:warning: Please be aware that these videos are for v1.X. The old configurations for Traefik v1.X are NOT compatible with Traefik v2. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
 
 Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
 You will learn Traefik basics in less than 10 minutes.

build.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.13rc2-alpine
+FROM golang:1.13-alpine
 
 RUN apk --update upgrade \
     && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.17.1
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.18.0
 
 # Download golangci-lint and misspell binary to bin folder in $GOPATH
 RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell

cmd/traefik/traefik.go

@@ -119,7 +119,6 @@ func runCmd(staticConfiguration *static.Configuration) error {
 			return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
 		}
 		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProviders)
-
 	}
 
 	svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)
@@ -286,24 +285,16 @@ func checkNewVersion() {
 }
 
 func stats(staticConfiguration *static.Configuration) {
-	if staticConfiguration.Global.SendAnonymousUsage == nil {
-		log.WithoutContext().Error(`
-You haven't specified the sendAnonymousUsage option, it will be enabled by default.
-`)
-		sendAnonymousUsage := true
-		staticConfiguration.Global.SendAnonymousUsage = &sendAnonymousUsage
-	}
+	logger := log.WithoutContext()
 
-	if *staticConfiguration.Global.SendAnonymousUsage {
-		log.WithoutContext().Info(`
-Stats collection is enabled.
-Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
-Help us improve Traefik by leaving this feature on :)
-More details on: https://docs.traefik.io/v2.0/contributing/data-collection/
-`)
+	if staticConfiguration.Global.SendAnonymousUsage {
+		logger.Info(`Stats collection is enabled.`)
+		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Info(`More details on: https://docs.traefik.io/v2.0/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		log.WithoutContext().Info(`
+		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://docs.traefik.io/v2.0/contributing/data-collection/

docs/content/contributing/building-testing.md

@@ -28,7 +28,7 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.13rc2-alpine
+Step 1/10 : FROM golang:1.13-alpine
  ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277

docs/content/contributing/data-collection.md

@@ -8,9 +8,6 @@ Understanding How Traefik is Being Used
 Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.  
 For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.
 
-!!! warning
-    Before the GA, leaving this option unset will not prevent Traefik from running but will generate an error log indicating that it enables data collection by default.
-
 !!! example "Enabling Data Collection"
     
     ```toml tab="File (TOML)"
@@ -45,71 +42,51 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 - a hash of the configuration
 - an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
 
-!!! note
-    We do not collect the dynamic configuration information (routers & services).
-    We do not collect these data to run advertising programs.
-    We do not sell these data to third-parties.
+!!! info
+    
+    - We do not collect the dynamic configuration information (routers & services).
+    - We do not collect this data to run advertising programs.
+    - We do not sell this data to third-parties.
 
 ### Example of Collected Data
 
-??? example "Original configuration"
+```toml tab="Original configuration"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
 
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-         address = ":80"
-    
-    [api]
-    
-    [providers.docker]
-      endpoint = "tcp://10.10.10.10:2375"
-      exposedByDefault = true
-      swarmMode = true
-    
-      [providers.docker.TLS]
-        ca = "dockerCA"
-        cert = "dockerCert"
-        key = "dockerKey"
-        insecureSkipVerify = true
-    
-    [providers.ecs]
-      domain = "foo.bar"
-      exposedByDefault = true
-      clusters = ["foo-bar"]
-      region = "us-west-2"
-      accessKeyID = "AccessKeyID"
-      secretAccessKey = "SecretAccessKey"
-    ```
+[api]
 
-??? example "Resulting Obfuscated Configuration"
+[providers.docker]
+  endpoint = "tcp://10.10.10.10:2375"
+  exposedByDefault = true
+  swarmMode = true
 
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-    [api]
-    
-    [providers.docker]
-      endpoint = "xxxx"
-      domain = "xxxx"
-      exposedByDefault = true
-      swarmMode = true
-    
-      [providers.docker.TLS]
-        ca = "xxxx"
-        cert = "xxxx"
-        key = "xxxx"
-        insecureSkipVerify = false
-    
-    [providers.ecs]
-      domain = "xxxx"
-      exposedByDefault = true
-      clusters = []
-      region = "us-west-2"
-      accessKeyID = "xxxx"
-      secretAccessKey = "xxxx"
-    ```
+  [providers.docker.TLS]
+    ca = "dockerCA"
+    cert = "dockerCert"
+    key = "dockerKey"
+    insecureSkipVerify = true
+```
+
+```toml tab="Resulting Obfuscated Configuration"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+
+[api]
+
+[providers.docker]
+  endpoint = "xxxx"
+  exposedByDefault = true
+  swarmMode = true
+
+  [providers.docker.TLS]
+    ca = "xxxx"
+    cert = "xxxx"
+    key = "xxxx"
+    insecureSkipVerify = false
+```
 
 ## The Code for Data Collection
 

docs/content/getting-started/concepts.md

@@ -23,11 +23,11 @@ The opposite is true: when you remove a service from your infrastructure, the ro
 
 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
 
-!!! note "Many different rules"
+!!! info "Many different rules"
 
     In the example above, we used the request [path](../routing/routers/index.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers/index.md#rule).
 
-!!! note "Updating the requests"
+!!! info "Updating the requests"
 
     In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
 

docs/content/getting-started/configuration-overview.md

@@ -21,23 +21,25 @@ This configuration can change and is seamlessly hot-reloaded, without any reques
 
 ## The Dynamic Configuration 
 
-Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
+Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.
 
-!!! Note 
+Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../routing/overview.md).
+
+!!! info ""
 
     In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
     
-!!! Note
+!!! info "HTTPS Certificates also belong to the dynamic configuration."
     
-    HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance. 
+    You can add / update / remove them without restarting your Traefik instance. 
  
 ## The Static Configuration
 
-There are three different, mutually exclusive, ways to define static configuration options in Traefik:
+There are three different, **mutually exclusive** (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:
 
-- In a configuration file
-- In the command-line arguments
-- As environment variables
+1. In a configuration file
+1. In the command-line arguments
+1. As environment variables
 
 These ways are evaluated in the order listed above.
 

docs/content/getting-started/install-traefik.md

@@ -10,7 +10,7 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml):
 
-```shell
+```bash
 docker run -d -p 8080:8080 -p 80:80 \
     -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0
 ```
@@ -21,14 +21,14 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 
     * Prefer a fixed version than the latest that could be an unexpected version.
     ex: `traefik:v2.0.0`
-    * Docker images comes in 2 flavors: scratch based or alpine based.
+    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * All the orchestrator using docker images could fetch the official Traefik docker image.
 
 ## Use the Binary Distribution
 
 Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
 
-??? tip "Check the integrity of the downloaded file"
+??? info "Check the integrity of the downloaded file"
 
     ```bash tab="Linux"
     # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
@@ -45,7 +45,7 @@ Grab the latest binary from the [releases](https://github.com/containous/traefik
     Get-FileHash ./traefik_${traefik_version}_windows_${arch}.zip -Algorithm SHA256
     ```
 
-??? tip "Extract the downloaded archive"
+??? info "Extract the downloaded archive"
 
     ```bash tab="Linux"
     tar -zxvf traefik_${traefik_version}_linux_${arch}.tar.gz

docs/content/getting-started/quick-start.md

@@ -17,11 +17,11 @@ services:
     # The official v2.0 Traefik docker image
     image: traefik:v2.0
     # Enables the web UI and tells Traefik to listen to docker
-    command: --api --providers.docker
+    command: --api.insecure=true --providers.docker
     ports:
       # The HTTP port
       - "80:80"
-      # The Web UI (enabled by --api)
+      # The Web UI (enabled by --api.insecure=true)
       - "8080:8080"
     volumes:
       # So that Traefik can listen to the Docker events

docs/content/https/acme.md

@@ -23,7 +23,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
     [certificatesResolvers.sample.acme]
       email = "your-email@your-domain.org"
       storage = "acme.json"
-      [acme.httpChallenge]
+      [certificatesResolvers.sample.acme.httpChallenge]
         # used during the challenge
         entryPoint = "web"
     ```
@@ -50,12 +50,14 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
     --entryPoints.web.address=":80"
     --entryPoints.websecure.address=":443"
     # ...
-    --certificatesResolvers.sample.acme.email: your-email@your-domain.org
-    --certificatesResolvers.sample.acme.storage: acme.json
+    --certificatesResolvers.sample.acme.email="your-email@your-domain.org"
+    --certificatesResolvers.sample.acme.storage="acme.json"
     # used during the challenge
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint: web
+    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
     ```
 
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
 ??? note "Configuration Reference"
     
     There are many available options for ACME.
@@ -79,11 +81,13 @@ Traefik automatically tracks the expiry date of ACME certificates it generates.
 
 If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
 
-!!! note
+!!! info ""
     Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
 
 ## The Different ACME Challenges
 
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
 ### `tlsChallenge`
 
 Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
@@ -158,7 +162,7 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
     --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
     ```
 
-!!! note
+!!! info ""
     Redirection is fully compatible with the `HTTP-01` challenge.
 
 ### `dnsChallenge`
@@ -274,7 +278,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
 
-!!! note "`delayBeforeCheck`"
+!!! info "`delayBeforeCheck`"
     By default, the `provider` verifies the TXT record _before_ letting ACME verify.
     You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
     This option is useful when internal networks block external DNS queries.
@@ -299,8 +303,8 @@ certificatesResolvers:
       dnsChallenge:
         # ...
         resolvers:
-        - "1.1.1.1:53"
-        - "8.8.8.8:53"
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
 ```
 
 ```bash tab="CLI"
@@ -394,5 +398,5 @@ If Let's Encrypt is not reachable, the following certificates will apply:
   1. Expired ACME certificates
   1. Provided certificates
 
-!!! note
+!!! important
     For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

docs/content/https/tls.md

@@ -13,7 +13,9 @@ See the [Let's Encrypt](./acme.md) page.
 
 To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [[tls.certificates]]
   certFile = "/path/to/domain.cert"
   keyFile = "/path/to/domain.key"
@@ -23,30 +25,37 @@ To add / remove TLS certificates, even when Traefik is already running, their de
   keyFile = "/path/to/other-domain.key"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   certificates:
-  - certFile: /path/to/domain.cert
-    keyFile: /path/to/domain.key
-  - certFile: /path/to/other-domain.cert
-    keyFile: /path/to/other-domain.key
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
 ```
 
-!!! important "File Provider Only"
+!!! important "Restriction"
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../routing/providers/kubernetes-crd.md#tls). 
 
 ## Certificates Stores
 
 In Traefik, certificates are grouped together in certificates stores, which are defined as such:
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.stores]
   [tls.stores.default]
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   stores:
     default: {}
@@ -59,7 +68,9 @@ tls:
 
 In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [[tls.certificates]]
   certFile = "/path/to/domain.cert"
   keyFile = "/path/to/domain.key"
@@ -72,17 +83,19 @@ In the `tls.certificates` section, a list of stores can then be specified to ind
   keyFile = "/path/to/other-domain.key"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   certificates:
-  - certFile: /path/to/domain.cert
-    keyFile: /path/to/domain.key
-    stores:
-    - default
-  # Note that since no store is defined,
-  # the certificate below will be stored in the `default` store.
-  - certFile: /path/to/other-domain.cert
-    keyFile: /path/to/other-domain.key
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+      stores:
+        - default
+    # Note that since no store is defined,
+    # the certificate below will be stored in the `default` store.
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
 ```
 
 !!! important "Restriction"
@@ -94,7 +107,9 @@ tls:
 Traefik can use a default certificate for connections without a SNI, or without a matching domain.
 This default certificate should be defined in a TLS store:
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.stores]
   [tls.stores.default]
     [tls.stores.default.defaultCertificate]
@@ -102,7 +117,9 @@ This default certificate should be defined in a TLS store:
       keyFile  = "path/to/cert.key"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   stores:
     default:
@@ -119,7 +136,9 @@ The TLS options allow one to configure some parameters of the TLS connection.
 
 ### Minimum TLS Version
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.options]
 
   [tls.options.default]
@@ -129,7 +148,9 @@ The TLS options allow one to configure some parameters of the TLS connection.
     minVersion = "VersionTLS13"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   options:
     default:
@@ -139,46 +160,34 @@ tls:
       minVersion: VersionTLS13
 ```
 
-### Client Authentication (mTLS)
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
 
-Traefik supports mutual authentication, through the `ClientAuth` section.
+spec:
+  minVersion: VersionTLS12
 
-For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `ClientAuth.caFiles`.
- 
-The `ClientAuth.clientAuthType` option governs the behaviour as follows:
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: mintls13
+  namespace: default
 
-- `NoClientCert`: disregards any client certificate.
-- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
-- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `ClientAuth.caFiles`.
-- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `ClientAuth.caFiles`. Otherwise proceeds without any certificate.
-- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `ClientAuth.caFiles`. 
-
-```toml tab="TOML"
-[tls.options]
-  [tls.options.default]
-    [tls.options.default.clientAuth]
-      # in PEM format. each file can contain multiple CAs.
-      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
-      clientAuthType = "RequireAndVerifyClientCert"
-```
-
-```yaml tab="YAML"
-tls:
-  options:
-    default:
-      clientAuth:
-        # in PEM format. each file can contain multiple CAs.
-        caFiles:
-        - tests/clientca1.crt
-        - tests/clientca2.crt
-        clientAuthType: RequireAndVerifyClientCert
+spec:
+  minVersion: VersionTLS13
 ```
 
 ### Cipher Suites
 
 See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.options]
   [tls.options.default]
     cipherSuites = [
@@ -187,29 +196,118 @@ See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more informat
     ]
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   options:
     default:
       cipherSuites:
-      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-      - TLS_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_RSA_WITH_AES_256_GCM_SHA384
 ```
 
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  cipherSuites:
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    - TLS_RSA_WITH_AES_256_GCM_SHA384
+```
+
+!!! important "TLS 1.3"
+
+    Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. (<https://tools.ietf.org/html/rfc8446>)  
+    With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
+    <https://golang.org/doc/go1.12#tls_1_3>
+
 ### Strict SNI Checking
 
 With strict SNI checking, Traefik won't allow connections from clients connections
 that do not specify a server_name extension.
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.options]
   [tls.options.default]
     sniStrict = true
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   options:
     default:
       sniStrict: true
 ```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  sniStrict: true
+```
+
+### Client Authentication (mTLS)
+
+Traefik supports mutual authentication, through the `clientAuth` section.
+
+For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
+ 
+The `clientAuth.clientAuthType` option governs the behaviour as follows:
+
+- `NoClientCert`: disregards any client certificate.
+- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
+- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
+- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`. 
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    [tls.options.default.clientAuth]
+      # in PEM format. each file can contain multiple CAs.
+      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+      clientAuthType = "RequireAndVerifyClientCert"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      clientAuth:
+        # in PEM format. each file can contain multiple CAs.
+        caFiles:
+          - tests/clientca1.crt
+          - tests/clientca2.crt
+        clientAuthType: RequireAndVerifyClientCert
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  clientAuth:
+    secretNames:
+      - secretCA
+    clientAuthType: RequireAndVerifyClientCert
+```

docs/content/includes/.markdownlint.json

@@ -1,4 +0,0 @@
-{
-    "extends": "../../.markdownlint.json",
-    "MD041": false
-}

docs/content/includes/more-on-command-line.md

@@ -1 +0,0 @@
-To learn more about configuration options in the command line, refer to the [configuration overview](../getting-started/configuration-overview.md)

docs/content/includes/more-on-configuration-file.md

@@ -1 +0,0 @@
-To learn more about the configuration file, refer to [configuration overview](../getting-started/configuration-overview.md)

docs/content/includes/more-on-entrypoints.md

@@ -1,2 +0,0 @@
-!!! info "More On Entry Points"
-    Learn more about entry points and their configuration options in the dedicated section.

docs/content/includes/more-on-key-value-store.md

@@ -1 +0,0 @@
-To learn more about configuration in key-value stores, refer to the [configuration overview](../getting-started/configuration-overview.md)

docs/content/includes/more-on-routers.md

@@ -1,2 +0,0 @@
-!!! info "More On Routers"
-    Learn more about routers and their configuration options in the [dedicated section](../routing/routers/index.md).

docs/content/index.md

@@ -18,6 +18,6 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 -- The Traefik Maintainer Team 
 
-!!! Note
+!!! info
 
     If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 

docs/content/middlewares/addprefix.md

@@ -12,7 +12,7 @@ The AddPrefix middleware updates the URL Path of the request before forwarding i
 ```yaml tab="Docker"
 # Prefixing with /foo
 labels:
-- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 
 ```yaml tab="Kubernetes"
@@ -35,7 +35,7 @@ spec:
 ```yaml tab="Rancher"
 # Prefixing with /foo
 labels:
-- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 
 ```toml tab="File (TOML)"

docs/content/middlewares/basicauth.md

@@ -27,9 +27,7 @@ metadata:
   name: test-auth
 spec:
   basicAuth:
-    users:
-    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
-    - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
+    secret: secretName
 ```
 
 ```json tab="Marathon"
@@ -61,8 +59,8 @@ http:
     test-auth:
       basicAuth:
         users:
-        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
-        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
 ## Configuration Options
@@ -79,12 +77,140 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.
 
 The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
 
+!!! note ""
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+```yaml tab="Docker"
+# Declaring the user list
+#
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Kubernetes"
+# Declaring the user list
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    users = [
+      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ### `usersFile`
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
 
 The file content is a list of `name:encoded-password`.
 
+!!! note ""
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        usersFile: "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"
 
     ```txt
@@ -92,14 +218,50 @@ The file content is a list of `name:encoded-password`.
     test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
     ```
 
-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
 ### `realm`
 
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    realm: MyRealm
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    realm = "MyRealm"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        realm: "MyRealm"
+```
+
 ### `headerField`
 
 You can define a header field to store the authenticated user using the `headerField`option.
@@ -144,3 +306,43 @@ http:
 ### `removeHeader`
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    removeHeader: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    removeHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        removeHeader: true
+```

docs/content/middlewares/buffering.md

@@ -16,7 +16,7 @@ This can help services deal with large data (multipart/form-data for example), a
 ```yaml tab="Docker"
 # Sets the maximum request body to 2Mb
 labels:
-- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
 ```yaml tab="Kubernetes"
@@ -27,26 +27,26 @@ metadata:
   name: limit
 spec:
   buffering:
-    maxRequestBodyBytes: 250000
+    maxRequestBodyBytes: 2000000
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "250000"
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
 }
 ```
 
 ```yaml tab="Rancher"
 # Sets the maximum request body to 2Mb
 labels:
-- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
 ```toml tab="File (TOML)"
 # Sets the maximum request body to 2Mb
 [http.middlewares]
   [http.middlewares.limit.buffering]
-    maxRequestBodyBytes = 250000
+    maxRequestBodyBytes = 2000000
 ```
 
 ```yaml tab="File (YAML)"
@@ -55,7 +55,7 @@ http:
   middlewares:
     limit:
       buffering:
-        maxRequestBodyBytes: 250000
+        maxRequestBodyBytes: 2000000
 ```
 
 ## Configuration Options
@@ -64,11 +64,91 @@ http:
 
 With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
 
-If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
+If the request exceeds the allowed size, it is not forwarded to the service and the client gets a `413 (Request Entity Too Large)` response.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    maxRequestBodyBytes: 2000000
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxRequestBodyBytes: 2000000
+```
 
 ### `memRequestBodyBytes`
 
-You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    memRequestBodyBytes: 2000000
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memRequestBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        memRequestBodyBytes: 2000000
+```
 
 ### `maxResponseBodyBytes`
 
@@ -76,21 +156,137 @@ With the `maxReesponseBodyBytes` option, you can configure the maximum allowed r
 
 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    maxResponseBodyBytes: 2000000
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxResponseBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxResponseBodyBytes: 2000000
+```
+
 ### `memResponseBodyBytes`
 
-You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    memResponseBodyBytes: 2000000
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memResponseBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        memResponseBodyBytes: 2000000
+```
 
 ### `retryExpression`
 
 You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
 
-!!! example "Retries once in case of a network error"
+??? example "Retries once in case of a network error"
     
-    ```toml
-    retryExpression = "IsNetworkError() && Attempts() < 2"
+    ```yaml tab="Docker"
+    labels:
+      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
     
-Available functions for the retry expression are:
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: limit
+    spec:
+      buffering:
+        retryExpression: "IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
+    }
+    ```
+    
+    ```yaml tab="Rancher"
+    labels:
+      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```toml tab="File (TOML)"
+    [http.middlewares]
+      [http.middlewares.limit.buffering]
+        retryExpression = "IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    http:
+      middlewares:
+        limit:
+          buffering:
+            retryExpression: "IsNetworkError() && Attempts() < 2"
+    ```
+
+The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`). At least one function is required:
 
 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service

docs/content/middlewares/chain.md

@@ -14,14 +14,14 @@ Example "A Chain for WhiteList, BasicAuth, and HTTPS"
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.routers.router1.service=service1"
-- "traefik.http.routers.router1.middlewares=secured"
-- "traefik.http.routers.router1.rule=Host(`mydomain`)"
-- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
-- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-- "http.services.service1.loadbalancer.server.port=80"
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "http.services.service1.loadbalancer.server.port=80"
 ```
 
 ```yaml tab="Kubernetes"
@@ -98,14 +98,14 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.routers.router1.service=service1"
-- "traefik.http.routers.router1.middlewares=secured"
-- "traefik.http.routers.router1.rule=Host(`mydomain`)"
-- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
-- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-- "http.services.service1.loadbalancer.server.port=80"
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "http.services.service1.loadbalancer.server.port=80"
 ```
 
 ```toml tab="File (TOML)"
@@ -143,21 +143,21 @@ http:
     router1:
       service: service1
       middlewares:
-      - secured
+        - secured
       rule: "Host(`mydomain`)"
 
   middlewares:
     secured:
       chain:
         middlewares:
-        - https-only
-        - known-ips
-        - auth-users
+          - https-only
+          - known-ips
+          - auth-users
 
     auth-users:
       basicAuth:
         users:
-        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 
     https-only:
       redirectScheme:
@@ -166,12 +166,12 @@ http:
     known-ips:
       ipWhiteList:
         sourceRange:
-        - "192.168.1.7"
-        - "127.0.0.1/32"
+          - "192.168.1.7"
+          - "127.0.0.1/32"
 
   services:
     service1:
       loadBalancer:
         servers:
-        - url: "http://127.0.0.1:80"
+          - url: "http://127.0.0.1:80"
 ```

docs/content/middlewares/circuitbreaker.md

@@ -12,21 +12,26 @@ When your system becomes unhealthy, the circuit becomes open and the requests ar
 
 To assess if your system is healthy, the circuit breaker constantly monitors the services. 
 
-!!! Note
+!!! note ""
 
     - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
     - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
 
 !!! important
 
-    Each router will eventually gets its own instance of a given circuit breaker. If two different routers refer to the same circuit breaker definition, they will get one instance each. It means that one circuit breaker can be open while the other stays close: their state is not shared. This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
+    Each router will eventually gets its own instance of a given circuit breaker.
+    
+    If two different routers refer to the same circuit breaker definition, they will get one instance each.
+    It means that one circuit breaker can be open while the other stays closed: their state is not shared.
+    
+    This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
 # Latency Check
 labels:
-- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 
 ```yaml tab="Kubernetes"
@@ -49,7 +54,7 @@ spec:
 ```yaml tab="Rancher"
 # Latency Check
 labels:
-- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 
 ```toml tab="File (TOML)"
@@ -117,7 +122,7 @@ The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`,
 
 The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
 
-!!! Note
+!!! note ""
     If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
     
     `from`is inclusive, `to` is exclusive. 
@@ -130,7 +135,7 @@ You can trigger the circuit breaker when a given proportion of your requests bec
 
 For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
 
-!!! Note
+!!! note ""
 
     You must provide a float number (with the trailing .0) for the quantile value
  
@@ -155,14 +160,16 @@ Here is the list of supported operators:
 - Lesser or equal than (`<=`)
 - Equal (`==`)
 - Not Equal (`!=`)
- 
+
 ### Fallback mechanism
 
-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured. 
+The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service).
+This behavior cannot be configured. 
 
 ### `CheckPeriod`
 
-The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
+The interval used to evaluate `expression` and decide if the state of the circuit breaker must change.
+By default, `CheckPeriod` is 100ms. This value cannot be configured.
 
 ### `FallbackDuration`
 

docs/content/middlewares/compress.md

@@ -12,7 +12,7 @@ The Compress middleware enables the gzip compression.
 ```yaml tab="Docker"
 # Enable gzip compression
 labels:
-- "traefik.http.middlewares.test-compress.compress=true"
+  - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -34,7 +34,7 @@ spec:
 ```yaml tab="Rancher"
 # Enable gzip compression
 labels:
-- "traefik.http.middlewares.test-compress.compress=true"
+  - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
 ```toml tab="File (TOML)"
@@ -51,10 +51,10 @@ http:
       compress: {}
 ```
 
-## Notes
-
-Responses are compressed when:
-
-* The response body is larger than `1400` bytes.
-* The `Accept-Encoding` request header contains `gzip`.
-* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
+!!! info
+    
+    Responses are compressed when:
+    
+    * The response body is larger than `1400` bytes.
+    * The `Accept-Encoding` request header contains `gzip`.
+    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

docs/content/middlewares/digestauth.md

@@ -10,8 +10,9 @@ The DigestAuth middleware is a quick way to restrict access to your services to
 ## Configuration Examples
 
 ```yaml tab="Docker"
+# Declaring the user list
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
 ```yaml tab="Kubernetes"
@@ -22,9 +23,81 @@ metadata:
   name: test-auth
 spec:
   digestAuth:
-    users:
-    - test:traefik:a2688e031edb4be6a3797f3882655c05
-    - test2:traefik:518845800f9e2bfb1f1f740ec24f074e
+    secret: userssecret
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        users:
+          - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+## Configuration Options
+
+!!! tip 
+   
+    Use `htdigest` to generate passwords.
+
+### `users`
+
+The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
+
+!!! note ""
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==
 ```
 
 ```json tab="Marathon"
@@ -35,7 +108,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
 ```toml tab="File (TOML)"
@@ -53,30 +126,73 @@ http:
     test-auth:
       digestAuth:
         users:
-        - "test:traefik:a2688e031edb4be6a3797f3882655c05"
-        - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+          - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
-!!! tip 
-   
-    Use `htdigest` to generate passwords.
-
-## Configuration Options
-
-### `users`
-
-The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
-
-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
 ### `usersFile`
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
 
 The file content is a list of `name:realm:encoded-password`.
 
+!!! note ""
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        usersFile: "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"
 
     ```txt
@@ -84,20 +200,54 @@ The file content is a list of `name:realm:encoded-password`.
     test2:traefik:518845800f9e2bfb1f1f740ec24f074e
     ```
 
-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
 ### `realm`
 
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    realm: MyRealm
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    realm = "MyRealm"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        realm: "MyRealm"
+```
+
 ### `headerField`
 
 You can customize the header field for the authenticated user using the `headerField`option.
 
-Example "File -- Passing Authenticated User to Services Via Headers"
-
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
@@ -143,3 +293,43 @@ http:
 ### `removeHeader`
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    removeHeader: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    removeHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        removeHeader: true
+```

docs/content/middlewares/errorpages.md

@@ -15,9 +15,9 @@ The ErrorPage middleware returns a custom page in lieu of the default, according
 ```yaml tab="Docker"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
-- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
-- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
-- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+  - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+  - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```
 
 ```yaml tab="Kubernetes"
@@ -28,9 +28,11 @@ metadata:
 spec:
   errors:
     status:
-    - 500-599
-    service: serviceError
+      - 500-599
     query: /{status}.html
+    service:
+      name: whoami
+      port: 80
 ```
 
 ```json tab="Marathon"
@@ -44,9 +46,9 @@ spec:
 ```yaml tab="Rancher"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
-- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
-- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
-- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+  - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+  - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```
 
 ```toml tab="File (TOML)"
@@ -68,7 +70,7 @@ http:
     test-errorpage:
       errors:
         status:
-        - "500-599"
+          - "500-599"
         service: serviceError
         query: "/{status}.html"
 
@@ -76,7 +78,7 @@ http:
   # ... definition of error-handler-service and my-service
 ```
 
-!!! note 
+!!! note "" 
     In this example, the error page URL is based on the status code (`query=/{status}.html`).
 
 ## Configuration Options
@@ -87,7 +89,7 @@ The `status` that will trigger the error page.
 
 The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
  
-!!! Note
+!!! note "" 
 
     You can define either a status code like `500` or ranges with a syntax like `500-599`.
 
@@ -95,6 +97,9 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet
 
 The service that will serve the new requested error page.
 
+!!! note "" 
+    In kubernetes, you need to reference a kubernetes service instead of a traefik service.
+
 ### `query`
 
 The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.

docs/content/middlewares/forwardauth.md

@@ -14,14 +14,101 @@ Otherwise, the response from the authentication server is returned.
 ```yaml tab="Docker"
 # Forward authentication to authserver.com
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
-- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```yaml tab="Kubernetes"
+# Forward authentication to authserver.com
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+# Forward authentication to authserver.com
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```toml tab="File (TOML)"
+# Forward authentication to authserver.com
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+```
+
+```yaml tab="File (YAML)"
+# Forward authentication to authserver.com
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+```
+
+## Configuration Options
+
+### `address`
+
+The `address` option defines the authentication server address.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth 
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+```
+
+### `trustForwardHeader`
+
+Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -33,89 +120,386 @@ spec:
   forwardAuth:
     address: https://authserver.com/auth
     trustForwardHeader: true
-    authResponseHeaders:
-    - X-Auth-User
-    - X-Secret
-    tls:
-      ca: path/to/local.crt
-      caOptional: true
-      cert: path/to/foo.cert
-      key: path/to/foo.key  
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth",
-  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key",
   "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
 }
 ```
 
 ```yaml tab="Rancher"
-# Forward authentication to authserver.com
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
-- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.InisecureSkipVerify=true"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
 
 ```toml tab="File (TOML)"
-# Forward authentication to authserver.com
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
     address = "https://authserver.com/auth"
     trustForwardHeader = true
-    authResponseHeaders = ["X-Auth-User", "X-Secret"]
-
-    [http.middlewares.test-auth.forwardAuth.tls]
-      ca = "path/to/local.crt"
-      caOptional = true
-      cert = "path/to/foo.cert"
-      key = "path/to/foo.key"
 ```
 
 ```yaml tab="File (YAML)"
-# Forward authentication to authserver.com
 http:
   middlewares:
     test-auth:
       forwardAuth:
         address: "https://authserver.com/auth"
         trustForwardHeader: true
-        authResponseHeaders:
-        - "X-Auth-User"
-        - "X-Secret"
-        tls:
-          ca: "path/to/local.crt"
-          caOptional: true
-          cert: "path/to/foo.cert"
-          key: "path/to/foo.key"
 ```
 
-## Configuration Options
-
-### `address`
-
-The `address` option defines the authentication server address.
-
-### `trustForwardHeader`
-
-Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
-
 ### `authResponseHeaders`
 
 The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    authResponseHeaders:
+      - X-Auth-User
+      - X-Secret
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    authResponseHeaders = ["X-Auth-User", "X-Secret"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        authResponseHeaders:
+          - "X-Auth-User"
+          - "X-Secret"
+```
+
 ### `tls`
 
 The `tls` option is the TLS configuration from Traefik to the authentication server.
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to the authentication server.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      caSecret: mycasercret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mycasercret
+  namespace: default
+
+data:
+  ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      ca = "path/to/local.crt"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          ca: "path/to/local.crt"
+```
+
+#### `tls.caOptional`
+
+Policy used for the secured connection with TLS Client Authentication to the authentication server.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      caOptional: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      caOptional = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          caOptional: true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to the authentication server.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mytlscert
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          cert: "path/to/foo.cert"
+          key: "path/to/foo.key"
+```
+
+!!! info
+    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+#### `tls.key`
+
+Private certificate used for the secure connection to the authentication server.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mytlscert
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          cert: "path/to/foo.cert"
+          key: "path/to/foo.key"
+```
+
+!!! info
+    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to authentication server accepts any certificate presented by the server and any host name in that certificate.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    insecureSkipVerify: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    insecureSkipVerify: true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        insecureSkipVerify: true
+```

docs/content/middlewares/headers.md

@@ -15,8 +15,8 @@ Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
-- "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
+  - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```
 
 ```yaml tab="Kubernetes"
@@ -41,8 +41,8 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```
 
 ```toml tab="File (TOML)"
@@ -236,9 +236,9 @@ http:
     testHeader:
       headers:
         accessControlAllowMethod:
-        - GET
-        - OPTIONS
-        - PUT
+          - GET
+          - OPTIONS
+          - PUT
         accessControlAllowOrigin: "origin-list-or-null"
         accessControlMaxAge: 100
         addVaryHeader: true
@@ -251,7 +251,7 @@ http:
 !!! warning
     If the custom header name is the same as one header name of the request or response, it will be replaced.
 
-!!! note
+!!! note ""
     The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
 
 ### `customRequestHeaders`
@@ -331,7 +331,7 @@ If set to 0, would NOT include the header.
 
 ### `stsIncludeSubdomains` 
 
-The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
+The `stsIncludeSubdomains` is set to true, the `includeSubDomains` directive will be appended to the Strict-Transport-Security header.
 
 ### `stsPreload` 
 

docs/content/middlewares/inflightreq.md

@@ -11,7 +11,7 @@ To proactively prevent services from being overwhelmed with high load, a limit o
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
 ```yaml tab="Kubernetes"
@@ -33,7 +33,7 @@ spec:
 ```yaml tab="Rancher"
 # Limiting to 10 simultaneous connections
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
 ```toml tab="File (TOML)"
@@ -59,6 +59,49 @@ http:
 The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
 The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    amount: 10
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10 
+```
+
+```yaml tab="File (YAML)"
+# Limiting to 10 simultaneous connections
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        amount: 10 
+```
+
 ### `sourceCriterion`
  
 SourceCriterion defines what criterion is used to group requests as originating from a common source.
@@ -76,7 +119,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is lesser than or equal to 0.
     
-!!! note "Example of Depth & X-Forwarded-For"
+!!! example "Example of Depth & X-Forwarded-For"
 
     If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
 
@@ -86,14 +129,58 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      ipStrategy:
+        depth: 2
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          ipStrategy:
+            depth: 2
+```
+
 ##### `ipStrategy.excludedIPs`
 
 `excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
 
-!!! important
-    If `depth` is specified, `excludedIPs` is ignored.
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
 
-!!! note "Example of ExcludedIPs & X-Forwarded-For"
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
 
     | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
     |-----------------------------------------|-----------------------|--------------|
@@ -105,7 +192,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
@@ -122,17 +209,17 @@ spec:
         - 192.168.1.7
 ```
 
-```yaml tab="Rancher"
-labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]
@@ -148,8 +235,8 @@ http:
         sourceCriterion:
           ipStrategy:
             excludedIPs:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+              - "127.0.0.1/32"
+              - "192.168.1.7"
 ```
 
 #### `sourceCriterion.requestHeaderName`
@@ -158,7 +245,7 @@ Requests having the same value for the given header are grouped as coming from t
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
 ```yaml tab="Kubernetes"
@@ -174,7 +261,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
 ```json tab="Marathon"
@@ -205,7 +292,7 @@ Whether to consider the request host as the source.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -221,7 +308,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
 ```json tab="Marathon"

docs/content/middlewares/ipwhitelist.md

@@ -12,7 +12,7 @@ IPWhitelist accepts / refuses requests based on the client IP.
 ```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
@@ -23,8 +23,8 @@ metadata:
 spec:
   ipWhiteList:
     sourceRange:
-    - 127.0.0.1/32
-    - 192.168.1.7
+      - 127.0.0.1/32
+      - 192.168.1.7
 ```
 
 ```json tab="Marathon"
@@ -36,7 +36,7 @@ spec:
 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```toml tab="File (TOML)"
@@ -53,8 +53,8 @@ http:
     test-ipwhitelist:
       ipWhiteList:
         sourceRange:
-        - "127.0.0.1/32"
-        - "192.168.1.7"
+          - "127.0.0.1/32"
+          - "192.168.1.7"
 ```
 
 ## Configuration Options
@@ -71,23 +71,13 @@ The `ipStrategy` option defines two parameters that sets how Traefik will determ
 
 The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
 
-!!! note "Examples of Depth & X-Forwarded-For"
+!!! example "Examples of Depth & X-Forwarded-For"
 
-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
-    
-    ??? note "More examples"
-    
-        | `X-Forwarded-For`                       | `depth` | clientIP     |
-        |-----------------------------------------|---------|--------------|
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
-    
     ```yaml tab="Docker"
     # Whitelisting Based on `X-Forwarded-For` with `depth=2`
     labels:
-        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
     ```
     
     ```yaml tab="Kubernetes"
@@ -99,8 +89,8 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     spec:
       ipWhiteList:
         sourceRange:
-        - 127.0.0.1/32
-        - 192.168.1.7
+          - 127.0.0.1/32
+          - 192.168.1.7
         ipStrategy:
           depth: 2
     ```
@@ -108,14 +98,14 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     ```yaml tab="Rancher"
     # Whitelisting Based on `X-Forwarded-For` with `depth=2`
     labels:
-        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
     ```
     
     ```json tab="Marathon"
     "labels": {
-        "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-        "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
+      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
     }
     ```
     
@@ -135,34 +125,29 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
         test-ipwhitelist:
           ipWhiteList:
             sourceRange:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+              - "127.0.0.1/32"
+              - "192.168.1.7"
             ipStrategy:
               depth: 2
     ```
+    
+    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
+    
+    ??? example "More examples"
+    
+        | `X-Forwarded-For`                       | `depth` | clientIP     |
+        |-----------------------------------------|---------|--------------|
+        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
-!!! note
+!!! info
 
     - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
     - `depth` is ignored if its value is lesser than or equal to 0.
 
 #### `ipStrategy.excludedIPs`
 
-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! note "Examples of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
-
-!!! important
-    If `depth` is specified, `excludedIPs` is ignored.
-
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
@@ -179,19 +164,19 @@ spec:
   ipWhiteList:
     ipStrategy:
       excludedIPs:
-      - 127.0.0.1/32
-      - 192.168.1.7
+        - 127.0.0.1/32
+        - 192.168.1.7
 ```
 
 ```yaml tab="Rancher"
 # Exclude from `X-Forwarded-For`
 labels:
-    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
 "labels": {
-    "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
 }
 ```
 
@@ -211,6 +196,20 @@ http:
       ipWhiteList:
         ipStrategy:
           excludedIPs:
-          - "127.0.0.1/32"
-          - "192.168.1.7"
+            - "127.0.0.1/32"
+            - "192.168.1.7"
 ```
+
+`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Examples of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |

docs/content/middlewares/overview.md

@@ -60,13 +60,13 @@ spec:
   routes:
     # more fields...
     middlewares:
-    - name: stripprefix
+      - name: stripprefix
 ```
 
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
-  "traefik.http.router.router1.middlewares": "foo-add-prefix@marathon"
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
 }
 ```
 
@@ -76,7 +76,7 @@ labels:
   # Create a middleware named `foo-add-prefix`
   - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
   # Apply the middleware named `foo-add-prefix` to the router named `router1`
-  - "traefik.http.router.router1.middlewares=foo-add-prefix@rancher"
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
 ```
 
 ```toml tab="File (TOML)"
@@ -106,7 +106,7 @@ http:
     router1:
       service: myService
       middlewares:
-      - "foo-add-prefix"
+        - "foo-add-prefix"
       rule: "Host(`example.com`)"
 
   middlewares:
@@ -118,7 +118,7 @@ http:
     service1:
       loadBalancer:
         servers:
-        - url: "http://127.0.0.1:80"
+          - url: "http://127.0.0.1:80"
 ```
 
 ## Provider Namespace

docs/content/middlewares/passtlsclientcert.md

@@ -3,7 +3,9 @@
 Adding Client Certificates in a Header
 {: .subtitle }
 
-`TODO add schema`
+<!--
+TODO: add schema
+-->
 
 PassTLSClientCert adds in header the selected data from the passed client tls certificate.
 
@@ -14,7 +16,7 @@ Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 ```yaml tab="Docker"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
-- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -36,7 +38,7 @@ spec:
 ```yaml tab="Rancher"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
-- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 
 ```toml tab="File (TOML)"
@@ -60,23 +62,23 @@ http:
     ```yaml tab="Docker"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     labels:
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
     
     ```yaml tab="Kubernetes"
@@ -112,23 +114,23 @@ http:
     ```yaml tab="Rancher"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     labels:
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
         
     ```json tab="Marathon"
@@ -216,7 +218,7 @@ PassTLSClientCert can add two headers to the request:
 - `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
 
-!!! note
+!!! info
     The headers are filled with escaped string so it can be safely placed inside a URL query.
 
 In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.
@@ -372,12 +374,12 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
     -----END CERTIFICATE-----
     ```
     
-!!! note "Extracted data"
+!!! info "Extracted data"
     
     The delimiters and `\n` will be removed.  
     If there are more than one certificate, they are separated by a "`;`".
 
-!!! note "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
+!!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
 
     The header size limit of web servers is commonly between 4kb and 8kb.  
     You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
@@ -393,7 +395,7 @@ The following example shows an unescaped result that uses all the available fiel
 Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
 ```
 
-!!! note "Multiple certificates"
+!!! info "Multiple certificates"
 
     If there are more than one certificate, they are separated by a `;`.
 
@@ -448,7 +450,7 @@ The escape SANs info part will be like:
 SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
 ```
 
-!!! note "multiple values"
+!!! info "multiple values"
 
     All the SANs data are separated by a `,`.
     

docs/content/middlewares/ratelimit.md

@@ -11,8 +11,8 @@ The RateLimit middleware ensures that services will receive a _fair_ number of r
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```
 
 ```yaml tab="Kubernetes"
@@ -39,8 +39,8 @@ spec:
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```
 
 ```toml tab="File (TOML)"
@@ -72,7 +72,7 @@ It defaults to 0, which means no rate limiting.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
 ```yaml tab="Kubernetes"
@@ -93,7 +93,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
 ```toml tab="File (TOML)"
@@ -117,7 +117,7 @@ It defaults to 1.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```
 
 ```yaml tab="Kubernetes"
@@ -138,7 +138,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
   		
 ```
 
@@ -173,7 +173,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is lesser than or equal to 0.
 
-!!! note "Example of Depth & X-Forwarded-For"
+!!! example "Example of Depth & X-Forwarded-For"
 
     If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
 
@@ -185,24 +185,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 
 ##### `ipStrategy.excludedIPs`
 
-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! important
-    If `depth` is specified, `excludedIPs` is ignored.
-
-!!! note "Example of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
-
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
@@ -221,7 +206,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
@@ -245,17 +230,31 @@ http:
         sourceCriterion:
           ipStrategy:
             excludedIPs:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+              - "127.0.0.1/32"
+              - "192.168.1.7"
 ```
 
+`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
 #### `sourceCriterion.requestHeaderName`
 
 Requests having the same value for the given header are grouped as coming from the same source.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
 
 ```yaml tab="Kubernetes"
@@ -271,7 +270,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
 
 ```json tab="Marathon"
@@ -302,7 +301,7 @@ Whether to consider the request host as the source.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -318,7 +317,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
 
 ```json tab="Marathon"
@@ -341,4 +340,4 @@ http:
       rateLimit:
         sourceCriterion:
           requestHost: true
-```
+```

docs/content/middlewares/redirectregex.md

@@ -3,7 +3,9 @@
 Redirecting the Client to a Different Location
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
 RegexRedirect redirect a request from an url to another with regex matching and replacement.
 
@@ -11,9 +13,10 @@ RegexRedirect redirect a request from an url to another with regex matching and
 
 ```yaml tab="Docker"
 # Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
 labels:
-- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```
 
 ```yaml tab="Kubernetes"
@@ -37,9 +40,10 @@ spec:
 
 ```yaml tab="Rancher"
 # Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
 labels:
-- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/${1}"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```
 
 ```toml tab="File (TOML)"
@@ -81,4 +85,3 @@ The `regex` option is the regular expression to match and capture elements from
 ### `replacement`
 
 The `replacement` option defines how to modify the URL to have the new target URL.
- 

docs/content/middlewares/redirectscheme.md

@@ -3,7 +3,9 @@
 Redirecting the Client to a Different Scheme/Port
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
 RegexRedirect redirect request from a scheme to another.
 
@@ -12,7 +14,7 @@ RegexRedirect redirect request from a scheme to another.
 ```yaml tab="Docker"
 # Redirect to https
 labels:
-- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
 ```yaml tab="Kubernetes"
@@ -35,7 +37,7 @@ spec:
 ```yaml tab="Rancher"
 # Redirect to https
 labels:
-- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
 ```toml tab="File (TOML)"

docs/content/middlewares/replacepath.md

@@ -3,7 +3,9 @@
 Updating the Path Before Forwarding the Request
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
 Replace the path of the request url.
 
@@ -12,7 +14,7 @@ Replace the path of the request url.
 ```yaml tab="Docker"
 # Replace the path by /foo
 labels:
-- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
 ```yaml tab="Kubernetes"
@@ -35,7 +37,7 @@ spec:
 ```yaml tab="Rancher"
 # Replace the path by /foo
 labels:
-- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
 ```toml tab="File (TOML)"

docs/content/middlewares/replacepathregex.md

@@ -3,7 +3,9 @@
 Updating the Path Before Forwarding the Request (Using a Regex)
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
 The ReplaceRegex replace a path from an url to another with regex matching and replacement.
 
@@ -12,8 +14,8 @@ The ReplaceRegex replace a path from an url to another with regex matching and r
 ```yaml tab="Docker"
 # Replace path with regex
 labels:
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```
 
 ```yaml tab="Kubernetes"
@@ -38,8 +40,8 @@ spec:
 ```yaml tab="Rancher"
 # Replace path with regex
 labels:
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```
 
 ```toml tab="File (TOML)"

docs/content/middlewares/retry.md

@@ -3,16 +3,19 @@
 Retrying until it Succeeds
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
-Retry to send request on attempt failure.
+The Retry middleware is in charge of reissuing a request a given number of times to a backend server if that server does not reply.
+To be clear, as soon as the server answers, the middleware stops retrying, regardless of the response status.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
 # Retry to send request 4 times
 labels:
-- "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
 ```
 
 ```yaml tab="Kubernetes"
@@ -35,7 +38,7 @@ spec:
 ```yaml tab="Rancher"
 # Retry to send request 4 times
 labels:
-- "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
 ```
 
 ```toml tab="File (TOML)"
@@ -60,4 +63,4 @@ http:
 
 _mandatory_
 
-The `attempts` option defines how many times to try sending the request.
+The `attempts` option defines how many times the request should be retried.

docs/content/middlewares/stripprefix.md

@@ -3,7 +3,9 @@
 Removing Prefixes From the Path Before Forwarding the Request
 {: .subtitle }
 
-`TODO: add schema`
+<!--
+TODO: add schema
+-->
 
 Remove the specified prefixes from the URL path.
 
@@ -12,7 +14,7 @@ Remove the specified prefixes from the URL path.
 ```yaml tab="Docker"
 # Strip prefix /foobar and /fiibar
 labels:
-- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar, /fiibar"
+  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```
 
 ```yaml tab="Kubernetes"
@@ -24,20 +26,20 @@ metadata:
 spec:
   stripPrefix:
     prefixes:
-    - /foobar
-    - /fiibar
+      - /foobar
+      - /fiibar
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar, /fiibar"
+  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
 }
 ```
 
 ```yaml tab="Rancher"
 # Strip prefix /foobar and /fiibar
 labels:
-- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar, /fiibar"
+  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```
 
 ```toml tab="File (TOML)"
@@ -54,8 +56,8 @@ http:
     test-stripprefix:
       stripPrefix:
         prefixes:
-        - "/foobar"
-        - "/fiibar"
+          - "/foobar"
+          - "/fiibar"
 ```
 
 ## Configuration Options

docs/content/middlewares/stripprefixregex.md

@@ -9,7 +9,7 @@ Remove the matching prefixes from the URL path.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/",
+  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
 
 ```yaml tab="Kubernetes"
@@ -20,7 +20,7 @@ metadata:
 spec:
   stripPrefixRegex:
     regex:
-    - "/foo/[a-z0-9]+/[0-9]+/"
+      - "/foo/[a-z0-9]+/[0-9]+/"
 ```
 
 ```json tab="Marathon"
@@ -31,7 +31,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/",
+  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
 
 ```toml tab="File (TOML)"
@@ -46,7 +46,7 @@ http:
     test-stripprefixregex:
       stripPrefixRegex:
         regex:
-        - "/foo/[a-z0-9]+/[0-9]+/"
+          - "/foo/[a-z0-9]+/[0-9]+/"
 ```
 
 ## Configuration Options

docs/content/migration/v1-to-v2.md

@@ -8,10 +8,20 @@ which require one to update their configuration when they migrate from v1 to v2.
 The goal of this page is to recapitulate all of these changes, and in particular to give examples, 
 feature by feature, of how the configuration looked like in v1, and how it now looks like in v2.
 
+!!! info "Migration Helper"
+    
+    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/containous/traefik-migration-tool)
+
+    This tool allows to:
+
+    - convert `Ingress` to Traefik `IngressRoute` resources.
+    - convert `acme.json` file from v1 to v2 format.
+    - migrate the static configuration contained in the file `traefik.toml` to a Traefik v2 file.
+
 ## Frontends and Backends Are Dead... <br/>... Long Live Routers, Middlewares, and Services
 
 During the transition from v1 to v2, a number of internal pieces and components of Traefik were rewritten and reorganized.
-As such, the combination of core notions such as frontends and backends has been replaced with the combination of routers, services, and middlewares.
+As such, the combination of core notions such as frontends and backends has been replaced with the combination of [routers](../routing/routers/index.md), [services](../routing/services/index.md), and [middlewares](../middlewares/overview.md).
 
 Typically, a router replaces a frontend, and a service assumes the role of a backend, with each router referring to a service.
 However, even though a backend was in charge of applying any desired modification on the fly to the incoming request,
@@ -21,7 +31,7 @@ Then any router can refer to an instance of the wanted middleware.
 
 !!! example "One frontend with basic auth and one backend, become one router, one service, and one basic auth middleware."
 
-    ### v1
+    !!! info "v1"
     
     ```yaml tab="Docker"
     labels:
@@ -83,7 +93,7 @@ Then any router can refer to an instance of the wanted middleware.
           method = "wrr"
     ```
     
-    ### v2
+    !!! info "v2"
     
     ```yaml tab="Docker"
     labels:
@@ -157,32 +167,32 @@ Then any router can refer to an instance of the wanted middleware.
           rule: "Host(`test.localhost`) && PathPrefix(`/test`)"
           service: my-service
           middlewares:
-          - auth
+            - auth
     
       services:
         my-service:
           loadBalancer:
             servers:
-            - url: http://10.10.10.1:80
-            - url: http://10.10.10.2:80
+              - url: http://10.10.10.1:80
+              - url: http://10.10.10.2:80
     
       middlewares:
         auth:
           basicAuth:
             users:
-            - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-            - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+              - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+              - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
     ```
 
 ## TLS configuration is now dynamic, per router.
 
 TLS parameters used to be specified in the static configuration, as an entryPoint field.
 With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations.
-Then, a router's TLS field can refer to one of the TLS configurations defined at the root, hence defining the TLS configuration for that router.
+Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one of the [TLS configurations](../https/tls.md) defined at the root, hence defining the [TLS configuration](../https/tls.md) for that router.
 
 !!! example "TLS on web-secure entryPoint becomes TLS option on Router-1"
 
-    ### v1
+    !!! info "v1"
     
     ```toml tab="File (TOML)"
     # static configuration
@@ -205,7 +215,7 @@ Then, a router's TLS field can refer to one of the TLS configurations defined at
     --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384'
     ```
     
-    ### v2
+    !!! info "v2"
     
     ```toml tab="File (TOML)"
     # dynamic configuration
@@ -251,8 +261,8 @@ Then, a router's TLS field can refer to one of the TLS configurations defined at
         myTLSOptions:
           minVersion: VersionTLS13
           cipherSuites:
-          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-          - TLS_RSA_WITH_AES_256_GCM_SHA384
+            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+            - TLS_RSA_WITH_AES_256_GCM_SHA384
     ```
     
     ```yaml tab="K8s IngressRoute"
@@ -280,11 +290,11 @@ Then, a router's TLS field can refer to one of the TLS configurations defined at
       entryPoints:
         - web
       routes:
-      - match: Host(`bar.com`)
-        kind: Rule
-        services:
-        - name: whoami
-          port: 80
+        - match: Host(`bar.com`)
+          kind: Rule
+          services:
+            - name: whoami
+              port: 80
       tls:
         options: 
           name: mytlsoption
@@ -298,47 +308,664 @@ Then, a router's TLS field can refer to one of the TLS configurations defined at
       - "traefik.http.routers.router0.tls.options=myTLSOptions@file"
     ```
 
-## HTTP -> HTTPS Redirection
+## HTTP to HTTPS Redirection is now configured on Routers
 
-	TODO
+Previously on Traefik v1, the redirection was applied on an entry point or on a frontend.
+With Traefik v2 it is applied on a [Router](../routing/routers/index.md). 
 
-## ACME (let's encrypt)
+To apply a redirection, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
 
-	TODO
+!!! example "HTTP to HTTPS redirection"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    defaultEntryPoints = ["http", "https"]
+    
+    [entryPoints]
+      [entryPoints.http]
+        address = ":80"
+        [entryPoints.http.redirect]
+          entryPoint = "https"
+
+      [entryPoints.https]
+        address = ":443"
+        [entryPoints.https.tls]
+          [[entryPoints.https.tls.certificates]]
+            certFile = "examples/traefik.crt"
+            keyFile = "examples/traefik.key"
+    ```
+    
+    ```bash tab="CLI"
+    --entrypoints=Name:web Address::80 Redirect.EntryPoint:web-secure
+    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key'
+    ```
+    
+    !!! info "v2"
+    
+    ```yaml tab="Docker"
+    labels:
+    - traefik.http.routers.web.rule=Host(`foo.com`)
+    - traefik.http.routers.web.entrypoints=web
+    - traefik.http.routers.web.middlewares=redirect@file
+    - traefik.http.routers.web-secured.rule=Host(`foo.com`)
+    - traefik.http.routers.web-secured.entrypoints=web-secure
+    - traefik.http.routers.web-secured.tls=true
+    ```
+
+    ```yaml tab="K8s IngressRoute"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: http-redirect-ingressRoute
+    
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - match: Host(`foo.com`)
+          kind: Rule
+          services:
+            - name: whoami
+              port: 80
+          middlewares:
+            - name: redirect
+    
+    ---
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: https-ingressRoute
+    
+    spec:
+      entryPoints:
+        - web-secure
+      routes:
+        - match: Host(`foo`)
+          kind: Rule
+          services:
+            - name: whoami
+              port: 80
+      tls: {}
+      
+    ---
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: redirect
+    spec:
+      redirectScheme:
+        scheme: https
+      
+    ```
+
+    ```toml tab="File (TOML)"
+    ## static configuration
+    # traefik.toml
+    
+    [entryPoints.web]
+      address = ":80"
+    
+    [entryPoints.web-secure]
+      address = ":443"
+    
+    ##---------------------##
+    
+    ## dynamic configuration
+    # dymanic-conf.toml
+    
+    [http.routers]
+      [http.routers.router0]
+        rule = "Host(`foo.com`)"
+        service = "my-service"
+        entrypoints = ["web"]
+        middlewares = ["redirect"]
+    
+    [http.routers.router1]
+        rule = "Host(`foo.com`)"
+        service = "my-service"
+        entrypoints = ["web-secure"]
+        [http.routers.router1.tls]
+        
+    [http.services]
+      [[http.services.my-service.loadBalancer.servers]]
+        url = "http://10.10.10.1:80"
+      [[http.services.my-service.loadBalancer.servers]]
+        url = "http://10.10.10.2:80"
+    
+    [http.middlewares]
+      [http.middlewares.redirect.redirectScheme]
+        scheme = "https"
+    
+    [[tls.certificates]]
+      certFile = "/path/to/domain.cert"
+      keyFile = "/path/to/domain.key"    
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## static configuration
+    # traefik.yml
+    
+    entryPoints:
+      web:
+        address: ":80"
+    
+      web-secure:
+        address: ":443"
+    
+    ##---------------------##
+    
+    ## dynamic configuration
+    # dymanic-conf.yml
+    
+    http:
+      routers:
+        router0:
+          rule: "Host(`foo.com`)"
+          entryPoints:
+            - web
+          middlewares:
+            - redirect
+          service: my-service
+    
+        router1:
+          rule: "Host(`foo.com`)"
+          entryPoints:
+            - web-secure
+          service: my-service
+          tls: {}
+    
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+              - url: http://10.10.10.1:80
+              - url: http://10.10.10.2:80
+    
+      middlewares:
+        redirect:
+          redirectScheme:
+            scheme: https
+    
+    tls:
+      certificates:
+        - certFile: /app/certs/server/server.pem
+          keyFile: /app/certs/server/server.pem
+    ``` 
+
+## ACME (LetsEncrypt)
+
+[ACME](../https/acme.md) is now a certificate resolver (under a certificatesResolvers section) but remains in the static configuration.
+
+!!! example "ACME from provider to a specific Certificate Resolver"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    defaultEntryPoints = ["web-secure","web"]
+    
+    [entryPoints.web]
+    address = ":80"
+      [entryPoints.web.redirect]
+      entryPoint = "webs"
+    [entryPoints.web-secure]
+      address = ":443"
+      [entryPoints.https.tls]
+    
+    [acme]
+      email = "your-email-here@my-awesome-app.org"
+      storage = "acme.json"
+      entryPoint = "web-secure"
+      onHostRule = true
+      [acme.httpChallenge]
+        entryPoint = "web"
+    ```
+    
+    ```bash tab="CLI"
+    --defaultentrypoints=web-secure,web
+    --entryPoints=Name:web Address::80 Redirect.EntryPoint:web-secure
+    --entryPoints=Name:web-secure Address::443 TLS
+    --acme.email=your-email-here@my-awesome-app.org
+    --acme.storage=acme.json
+    --acme.entryPoint=web-secure
+    --acme.onHostRule=true
+    --acme.httpchallenge.entrypoint=http
+    ```
+    
+    !!! info "v2"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+    
+      [entryPoints.web-secure]
+        address = ":443"
+    
+    [certificatesResolvers.sample.acme]
+      email = "your-email@your-domain.org"
+      storage = "acme.json"
+      [certificatesResolvers.sample.acme.httpChallenge]
+        # used during the challenge
+        entryPoint = "web"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+    
+      web-secure:
+        address: ":443"
+    
+    certificatesResolvers:
+      sample:
+        acme:
+          email: your-email@your-domain.org
+          storage: acme.json
+          httpChallenge:
+            # used during the challenge
+            entryPoint: web
+    ``` 
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=":80"
+    --entryPoints.websecure.address=":443"
+    --certificatesResolvers.sample.acme.email: your-email@your-domain.org
+    --certificatesResolvers.sample.acme.storage: acme.json
+    --certificatesResolvers.sample.acme.httpChallenge.entryPoint: web
+    ```
 
 ## Traefik Logs
 
-	TODO
+In the v2, all the [log configuration](../observability/logs.md) remains in the static part but are unified under a `log` section.
+There is no more log configuration at the root level.
+
+!!! example "Simple log configuration"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    logLevel = "DEBUG"
+    
+    [traefikLog]
+      filePath = "/path/to/traefik.log"
+      format   = "json"
+    ```
+    
+    ```bash tab="CLI"
+    --logLevel="DEBUG"
+    --traefikLog.filePath="/path/to/traefik.log"
+    --traefikLog.format="json"
+    ```
+    
+    !!! info "v2"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    [log]
+      level = "DEBUG"
+      filePath = "/path/to/log-file.log"
+      format = "json"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # static configuration
+    log:
+      level: DEBUG
+      filePath: /path/to/log-file.log
+      format: json
+    ``` 
+    
+    ```bash tab="CLI"
+    --log.level="DEBUG"
+    --log.filePath="/path/to/traefik.log"
+    --log.format="json"
+    ```
 
 ## Tracing
 
-	TODO
+Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is gone, you just have to set your [tracing configuration](../observability/tracing/overview.md).
+	
+!!! example "Simple Jaeger tracing configuration"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    [tracing]
+      backend = "jaeger"
+      servicename = "tracing"
+      [tracing.jaeger]
+        samplingParam = 1.0
+        samplingServerURL = "http://12.0.0.1:5778/sampling"
+        samplingType = "const"
+        localAgentHostPort = "12.0.0.1:6831"
+    ```
+    
+    ```bash tab="CLI"
+    --tracing.backend="jaeger"
+    --tracing.servicename="tracing"
+    --tracing.jaeger.localagenthostport="12.0.0.1:6831"
+    --tracing.jaeger.samplingparam="1.0"
+    --tracing.jaeger.samplingserverurl="http://12.0.0.1:5778/sampling"
+    --tracing.jaeger.samplingtype="const" 
+    ```
+    
+    !!! info "v2"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    [tracing]
+      servicename = "tracing"
+      [tracing.jaeger]
+        samplingParam = 1.0
+        samplingServerURL = "http://12.0.0.1:5778/sampling"
+        samplingType = "const"
+        localAgentHostPort = "12.0.0.1:6831"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # static configuration
+    tracing:
+      servicename: tracing
+      jaeger:
+        samplingParam: 1
+        samplingServerURL: 'http://12.0.0.1:5778/sampling'
+        samplingType: const
+        localAgentHostPort: '12.0.0.1:6831'
+    ``` 
+    
+    ```bash tab="CLI"
+    --tracing.servicename="tracing"
+    --tracing.jaeger.localagenthostport="12.0.0.1:6831"
+    --tracing.jaeger.samplingparam="1.0"
+    --tracing.jaeger.samplingserverurl="http://12.0.0.1:5778/sampling"
+    --tracing.jaeger.samplingtype="const"
+    ```
 
 ## Metrics
 
-	TODO
+The v2 retains metrics tools and allows metrics to be configured for the entrypoints and/or services.
+For a basic configuration, the [metrics configuration](../observability/metrics/overview.md) remains the same.     
+
+!!! example "Simple Prometheus metrics configuration"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    [metrics.prometheus]
+      buckets = [0.1,0.3,1.2,5.0]
+      entryPoint = "traefik"
+    ```
+    
+    ```bash tab="CLI"
+    --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
+    --metrics.prometheus.entrypoint="traefik"
+    ```
+    
+    !!! info "v2"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    [metrics.prometheus]
+      buckets = [0.1,0.3,1.2,5.0]
+      entryPoint = "metrics"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # static configuration
+    metrics:
+      prometheus:
+        buckets:
+          - 0.1
+          - 0.3
+          - 1.2
+          - 5
+        entryPoint: metrics
+    ``` 
+    
+    ```bash tab="CLI"
+    --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
+    --metrics.prometheus.entrypoint="metrics"
+    ```
 
 ## No more root level key/values
 
-	TODO
+To avoid any source of confusion, there are no more configuration at the root level.
+Each root item has been moved to a related section or removed.
 
+!!! example "From root to dedicated section"
+ 
+    !!! info "v1"
+ 
+    ```toml tab="File (TOML)"
+    # static configuration
+    checkNewVersion = false
+    sendAnonymousUsage = true
+    logLevel = "DEBUG"
+    insecureSkipVerify = true
+    rootCAs = [ "/mycert.cert" ]
+    maxIdleConnsPerHost = 200
+    providersThrottleDuration = "2s"
+    AllowMinWeightZero = true
+    debug = true
+    defaultEntryPoints = ["web", "web-secure"]
+    keepTrailingSlash = false
+    ```
+    
+    ```bash tab="CLI"
+    --checknewversion=false
+    --sendanonymoususage=true
+    --loglevel="DEBUG"
+    --insecureskipverify=true
+    --rootcas="/mycert.cert"
+    --maxidleconnsperhost=200
+    --providersthrottleduration="2s"
+    --allowminweightzero=true
+    --debug=true
+    --defaultentrypoints="web","web-secure"
+    --keeptrailingslash=true
+    ```
+    
+    !!! info "v2"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    [global]
+      checkNewVersion = true
+      sendAnonymousUsage = true
+    
+    [log]
+      level = "DEBUG"
+    
+    [serversTransport]
+      insecureSkipVerify = true
+      rootCAs = [ "/mycert.cert" ]
+      maxIdleConnsPerHost = 42
+    
+    [providers]
+      providersThrottleDuration = 42    
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # static configuration
+    global:
+      checkNewVersion: true
+      sendAnonymousUsage: true
+    
+    log:
+      level: DEBUG
+    
+    serversTransport:
+      insecureSkipVerify: true
+      rootCAs:
+        - /mycert.cert
+      maxIdleConnsPerHost: 42
+    
+    providers:
+      providersThrottleDuration: 42
+    ``` 
+    
+    ```bash tab="CLI"
+    --global.checknewversion=true
+    --global.sendanonymoususage=true
+    --log.level="DEBUG"
+    --serverstransport.insecureskipverify=true
+    --serverstransport.rootcas="/mycert.cert"
+    --serverstransport.maxidleconnsperhost=42
+    --providers.providersthrottleduration=42
+    ```
+    
+## Dashboard
+
+You need to activate the [API](../operations/dashboard.md#enabling-the-dashboard) to access the dashboard.
+As the dashboard access is now secured by default you can either:
+
+* define a  [specific router](../operations/api.md#configuration) with the `api@internal` service and one authentication middleware like the following example
+* or use the [unsecure](../operations/api.md#insecure) option of the API
+
+!!! info "Dashboard with k8s and dedicated router"
+
+    As `api@internal` is not a Kubernetes service, you have to use the file provider or the `insecure` API option.
+    
+!!! example "Activate and access the dashboard"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    ## static configuration
+    # traefik.toml
+    
+    [entryPoints.web-secure]
+      address = ":443"
+      [entryPoints.web-secure.tls]
+      [entryPoints.web-secure.auth]
+        [entryPoints.web-secure.auth.basic]
+          users = [
+            "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          ]
+    
+    [api]
+      entryPoint = "web-secure"
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints='Name:web-secure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
+    --api
+    ```
+    
+    !!! info "v2"
+    
+    ```yaml tab="Docker"
+    # dynamic configuration
+    labels:
+      - "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
+      - "traefik.http.routers.api.entrypoints=web-secured"
+      - "traefik.http.routers.api.service=api@internal"
+      - "traefik.http.routers.api.middlewares=myAuth"
+      - "traefik.http.routers.api.tls"
+      - "traefik.http.middlewares.myAuth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+    ```
+
+    ```toml tab="File (TOML)"
+    ## static configuration
+    # traefik.toml
+    
+    [entryPoints.web-secure]
+      address = ":443"
+    
+    [api]
+    
+    [providers.file]
+        filename = "/dymanic-conf.toml"
+    
+    ##---------------------##
+    
+    ## dynamic configuration
+    # dymanic-conf.toml
+    
+    [http.routers.api]
+      rule = "Host(`traefik.docker.localhost`)"
+      entrypoints = ["web-secure"]
+      service = "api@internal"
+      middlewares = ["myAuth"]
+      [http.routers.api.tls]
+    
+    [http.middlewares.myAuth.basicAuth]
+      users = [
+        "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+      ]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## static configuration
+    # traefik.yaml
+    
+    entryPoints:
+      web-secure:
+        address: ':443'
+        
+    api: {}
+    
+    providers:
+      file:
+        filename: /dymanic-conf.yaml
+   
+    ##---------------------##
+    
+    ## dynamic configuration
+    # dymanic-conf.yaml
+    
+     http:
+      routers:
+        api:
+          rule: Host(`traefik.docker.localhost`)
+          entrypoints:
+            - web-secure
+          service: api@internal
+          middlewares:
+            - myAuth
+          tls: {}
+          
+      middlewares:
+        myAuth:
+          basicAuth:
+            users:
+              - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
+    ``` 
+    
 ## Providers
 
-Supported providers, for now:
+Supported [providers](../providers/overview.md), for now:
 
-- [ ] Azure Service Fabric
-- [ ] BoltDB
-- [ ] Consul
-- [ ] Consul Catalog
-- [x] Docker
-- [ ] DynamoDB
-- [ ] ECS
-- [ ] Etcd
-- [ ] Eureka
-- [x] File
-- [x] Kubernetes Ingress (without annotations)
-- [x] Kubernetes IngressRoute
-- [x] Marathon
-- [ ] Mesos
-- [x] Rest
-- [ ] Zookeeper
+* [ ] Azure Service Fabric
+* [ ] BoltDB
+* [ ] Consul
+* [ ] Consul Catalog
+* [x] Docker
+* [ ] DynamoDB
+* [ ] ECS
+* [ ] Etcd
+* [ ] Eureka
+* [x] File
+* [x] Kubernetes Ingress (without annotations)
+* [x] Kubernetes IngressRoute
+* [x] Marathon
+* [ ] Mesos
+* [x] Rancher
+* [x] Rest
+* [ ] Zookeeper
+
+## Some Tips You Should Known
+
+* Different sources of static configuration (file, CLI flags, ...) cannot be [mixed](../getting-started/configuration-overview.md#the-static-configuration).
+* Now, configuration elements can be referenced between different providers by using the provider namespace notation: `@<provider>`.
+  For instance, a router named `myrouter` in a File Provider can refer to a service named `myservice` defined in Docker Provider with the following notation: `myservice@docker`.
+* Middlewares are applied in the same order as their declaration in router.
+* If you have any questions feel free to join our [community forum](https://community.containo.us).

docs/content/observability/access-logs.md

@@ -26,14 +26,13 @@ accessLog: {}
 By default access logs are written to the standard output.
 To write the logs into a log file, use the `filePath` option.
 
-in the Common Log Format (CLF), extended with additional fields.
-
 ### `format`
  
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
+If the given format is unsupported, the default (CLF) is used instead.
 
-!!! note "Common Log Format"
+!!! info "Common Log Format"
     
     ```html
     <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
@@ -96,8 +95,8 @@ accessLog:
   format: json
   filters:    
     statusCodes:
-    - "200"
-    - "300-302"
+      - "200"
+      - "300-302"
     retryAttempts: true
     minDuration: "10ms"
 ```
@@ -152,15 +151,14 @@ accessLog:
   format: json
   fields:
     defaultMode: keep
-    fields:
+    names:
+      ClientUsername: drop
+    headers:
+      defaultMode: keep
       names:
-        ClientUsername: drop
-      headers:
-        defaultMode: keep
-        names:
-        - User-Agent: redact
-        - Authorization: drop
-        - Content-Type: keep
+          User-Agent: redact
+          Authorization: drop
+          Content-Type: keep
 ```
 
 ```bash tab="CLI"
@@ -176,7 +174,7 @@ accessLog:
 --accesslog.fields.headers.names.Content-Type="keep"
 ```
 
-??? list "Available Fields"
+??? info "Available Fields"
 
     | Field                   | Description                                                                                                                                                         |
     |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -216,5 +214,5 @@ accessLog:
 Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
 This allows the logs to be rotated and processed by an external program, such as `logrotate`.
 
-!!! note
+!!! warning
     This does not work on Windows due to the lack of USR signals.

docs/content/observability/logs.md

@@ -80,5 +80,5 @@ log:
 Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
 This allows the logs to be rotated and processed by an external program, such as `logrotate`.
 
-!!! note
+!!! warning
     This does not work on Windows due to the lack of USR signals.

docs/content/observability/metrics/influxdb.md

@@ -47,7 +47,7 @@ InfluxDB's address protocol (udp or http).
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.influxdb]
-    protocol = "upd"
+    protocol = "udp"
 ```
 
 ```yaml tab="File (YAML)"

docs/content/observability/metrics/prometheus.md

@@ -32,10 +32,10 @@ Buckets for latency metrics.
 metrics:
   prometheus:
     buckets:
-    - 0.1
-    - 0.3
-    - 1.2
-    - 5.0
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
 ```
 
 ```bash tab="CLI"
@@ -85,3 +85,34 @@ metrics:
 ```bash tab="CLI"
 --metrics.prometheus.addServicesLabels=true
 ```
+
+#### `entryPoint`
+
+_Optional, Default=traefik_
+
+Entry point used to expose metrics.
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.metrics]
+    address = ":8082"
+
+[metrics]
+  [metrics.prometheus]
+    entryPoint = "metrics"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  metrics:
+    address: ":8082"
+
+metrics:
+  prometheus:
+    entryPoint: metrics
+```
+
+```bash tab="CLI"
+--entryPoints.metrics.address=":8082"
+--metrics.prometheus..entryPoint="metrics"
+```

docs/content/operations/api.md

@@ -1,8 +1,5 @@
 # API
 
-!!! important
-    In the RC version, you can't configure middlewares (basic authentication or white listing) anymore, but as security is important, this will change before the GA version.
-
 Traefik exposes a number of information through an API handler, such as the configuration of all routers, services, middlewares, etc.
 
 As with all features of Traefik, this handler can be enabled with the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
@@ -22,11 +19,10 @@ would be to apply the following protection mechanisms:
   keeping it restricted to internal networks
   (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
 
-!!! important
-    In the beta version, you can't configure middlewares (basic authentication or white listing) anymore, but as security is important, this will change before the RC version.
-
 ## Configuration
 
+If you enable the API, a new special `service` named `api@internal` is created and can then be referenced in a router.
+
 To enable the API handler:
 
 ```toml tab="File (TOML)"
@@ -41,6 +37,84 @@ api: {}
 --api=true
 ```
 
+And then you will be able to reference it like this:
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.api.rule": "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  "traefik.http.routers.api.service": "api@internal"
+  "traefik.http.routers.api.middlewares": "auth"
+  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+[http.routers.my-api]
+    rule="PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+    service="api@internal"
+    middlewares=["auth"]
+
+[http.middlewares.auth.basicAuth]
+    users = [
+      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+    ]
+```
+
+```yaml tab="File (YAML)"
+http:
+  routers:
+    api:
+      rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+### `insecure`
+
+Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`.
+
+!!! info
+    If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
+
+```toml tab="File (TOML)"
+[api]
+  insecure = true
+```
+
+```yaml tab="File (YAML)"
+api:
+  insecure: true
+```
+
+```bash tab="CLI"
+--api.insecure=true
+```
+
 ### `dashboard`
 
 _Optional, Default=true_
@@ -65,7 +139,7 @@ api:
 
 _Optional, Default=false_
 
-Enable additional endpoints for debugging and profiling, served under `/debug/`.
+Enable additional [endpoints](./api.md#endpoints) for debugging and profiling, served under `/debug/`.
 
 ```toml tab="File (TOML)"
 [api]

docs/content/operations/cli.md

@@ -26,6 +26,10 @@ traefik [--flag=flag_argument] [-f [flag_argument]]
 traefik [--flag[=true|false| ]] [-f [true|false| ]]
 ```
 
+All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md).
+
+!!! info "Flags are case insensitive."
+
 ### `healthcheck`
 
 Calls Traefik `/ping` to check the health of Traefik.
@@ -34,8 +38,8 @@ Its exit status is `0` if Traefik is healthy and `1` otherwise.
 This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction
 or any other health check orchestration mechanism.
 
-!!! note
-    The [`ping` endpoint](../ping/) must be enabled to allow the `healthcheck` command to call `/ping`.
+!!! info
+    The [`ping` endpoint](../operations/ping.md) must be enabled to allow the `healthcheck` command to call `/ping`.
 
 Usage:
 

docs/content/operations/dashboard.md

@@ -5,29 +5,22 @@ See What's Going On
 
 The dashboard is the central place that shows you the current active routes handled by Traefik. 
 
-!!! warning "Dashboard WIP"
-    Currently, the dashboard is in a Work In Progress State while being reconstructed for v2. 
-    Therefore, the dashboard is currently not working.
-
 <figure>
-    <img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
-    <figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
+    <img src="../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
+    <figcaption>The dashboard in action</figcaption>
 </figure>
 
-<figure>
-    <img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
-    <figcaption>The dashboard shows the health of the system.</figcaption>
-</figure>
+By default, the dashboard is available on `/dashboard` on port `:8080`.
+There is also a redirect of `/` to `/dashboard`, but one should not rely on that property as it is bound to change,
+and it might make for confusing routing rules anyway.
 
-By default, the dashboard is available on `/` on port `:8080`.
-
-!!! tip "Did You Know?"
+!!! info "Did You Know?"
     It is possible to customize the dashboard endpoint. 
-    To learn how, refer to the `Traefik's API documentation`(TODO: add doc and link).
+    To learn how, refer to the [API documentation](./api.md)
     
 ## Enabling the Dashboard
 
-To enable the dashboard, you need to enable Traefik's API.
+To enable the dashboard, you need to enable [Traefik's API](./api.md).
 
 ```toml tab="File (TOML)"
 [api]
@@ -58,10 +51,12 @@ api:
 --api.dashboard=true
 ```
 
-{!more-on-command-line.md!}
+!!! important "API/Dashboard Security" 
+    
+    To secure your dashboard, the use of a `service` named `api@internal` is mandatory and requires the definition of a router using one or more security [middlewares](../middlewares/overview.md)
+    like authentication ([basicAuth](../middlewares/basicauth.md) , [digestAuth](../middlewares/digestauth.md), [forwardAuth](../middlewares/forwardauth.md)) or [whitelisting](../middlewares/ipwhitelist.md).  
+    More information about `api@internal` can be found in the [API documentation](./api.md#configuration)
 
-{!more-on-configuration-file.md!}
-
-!!! tip "Did You Know?"
+!!! info "Did You Know?"
     The API provides more features than the Dashboard. 
-    To learn more about it, refer to the `Traefik's API documentation`(TODO: add doc and link).
+    To learn more about it, refer to the [API documentation](./api.md)

docs/content/operations/ping.md

@@ -5,7 +5,7 @@ Checking the Health of Your Traefik Instances
 
 ## Configuration Examples
 
-??? example "Enabling /ping"
+To enable the API handler:
 
 ```toml tab="File (TOML)"
 [ping]
@@ -19,10 +19,39 @@ ping: {}
 --ping=true
 ```
 
+## Configuration Options
+
+The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
+
+You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
+
 | Path    | Method        | Description                                                                                         |
 |---------|---------------|-----------------------------------------------------------------------------------------------------|
 | `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
 
-## Configuration Options
+### `entryPoint`
 
-The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
+Enabling /ping on a dedicated EntryPoint.
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.ping]
+    address = ":8082"
+
+[ping]
+  entryPoint = "ping"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  ping:
+    address: ":8082"
+
+ping:
+  entryPoint: "ping"
+```
+
+```bash tab="CLI"
+--entryPoints.ping.address=":8082"
+--ping.entryPoint="ping"
+```

docs/content/providers/docker.md

@@ -37,7 +37,7 @@ Attach labels to your containers and let Traefik do the rest!
       my-container:
         # ...
         labels:
-          - traefik.http.routers.my-container.rule=Host(`my-domain`)
+          - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
     ```
 
 ??? example "Configuring Docker Swarm & Deploying / Exposing Services"
@@ -76,17 +76,21 @@ Attach labels to your containers and let Traefik do the rest!
       my-container:
         deploy:
           labels:
-            - traefik.http.routers.my-container.rule=Host(`my-domain`)
+            - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+            - traefik.http.services.my-container-service.loadbalancer.server.port=8080
     ```
 
     !!! important "Labels in Docker Swarm Mode"
-        While in Swarm Mode, Traefik uses labels found on services, not on individual containers. Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service.
+        While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
+        
+        Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service.
         This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
 
-## Provider Configuration Options
+## Routing Configuration
 
-!!! tip "Browse the Reference"
-    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/docker.md) configuration references.
+See the dedicated section in [routing](../routing/providers/docker.md).
+
+## Provider Configuration
 
 ### `endpoint`
 
@@ -117,11 +121,11 @@ Traefik requires access to the docker socket to get its dynamic configuration.
 
     `[...] only **trusted** users should be allowed to control your Docker daemon [...]`
 
-    !!! note "Improved Security"
+    !!! tip "Improved Security"
 
         [TraefikEE](https://containo.us/traefikee) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests).
 
-    ??? tip "Resources about Docker's Security"
+    ??? info "Resources about Docker's Security"
 
         - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
         - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html)
@@ -140,14 +144,14 @@ Traefik requires access to the docker socket to get its dynamic configuration.
       With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
     - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
 
-    ??? tip "Additional Resources"
+    ??? info "Additional Resources"
 
         - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
         - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
         - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
         - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
 
-!!! note "Traefik & Swarm Mode"
+!!! info "Traefik & Swarm Mode"
     To let Traefik access the Docker Socket of the Swarm manager, it is mandatory to schedule Traefik on the Swarm manager nodes.
 
 ??? example "Using the docker.sock"
@@ -158,7 +162,6 @@ Traefik requires access to the docker socket to get its dynamic configuration.
     version: '3'
 
     services:
-
       traefik:
          image: traefik:v2.0 # The official v2.0 Traefik docker image
          ports:
@@ -212,10 +215,10 @@ providers:
 Traefik routes requests to the IP/Port of the matching container.
 When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
 
-When used in conjunction with the `traefik.http.services.XXX.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
-Traefik tries to find a binding on port `traefik.http.services.XXX.loadbalancer.server.port`.
+When used in conjunction with the `traefik.http.services.<name>.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
+Traefik tries to find a binding on port `traefik.http.services.<name>.loadbalancer.server.port`.
 If it can't find such a binding, Traefik falls back on the internal network IP of the container,
-but still uses the `traefik.http.services.XXX.loadbalancer.server.port` that is set in the label.
+but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that is set in the label.
 
 ??? example "Examples of `usebindportip` in different situations."
 
@@ -229,8 +232,13 @@ but still uses the `traefik.http.services.XXX.loadbalancer.server.port` that is
     | LblPort            | ExtIp:ExtPort:OtherPort                            | IntIp:LblPort  |
     | LblPort            | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
 
-    !!! note
-        In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port."
+    !!! info ""
+        In the above table:
+        
+        - `ExtIp` stands for "external IP found in the binding"
+        - `IntIp` stands for "internal network container's IP",
+        - `ExtPort` stands for "external Port found in the binding"
+        - `IntPort` stands for "internal network container's port."
 
 ### `exposedByDefault`
 
@@ -387,7 +395,7 @@ Constraints is an expression that Traefik matches against the container's labels
 That is to say, if none of the container's labels match the expression, no route for the container is created.
 If the expression is empty, all detected containers are included.
 
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
 
 ??? example "Constraints Expression Examples"
 
@@ -418,94 +426,122 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp(
     
     ```toml
     # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
     ```
 
 See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
-## Routing Configuration Options
+### `tls`
 
-### General
+_Optional_
 
-Traefik creates, for each container, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
+#### `tls.ca`
 
-The Service automatically gets a server per instance of the container,
-and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).
+Certificate Authority used for the secured connection to Docker.
 
-### Routers
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  ca = "path/to/ca.crt"
+```
 
-To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.http.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`.
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      ca: path/to/ca.crt
+```
 
-Every [Router](../routing/routers/index.md) parameter can be updated this way.
+```bash tab="CLI"
+--providers.docker.tls.ca=path/to/ca.crt
+```
 
-### Services
+#### `tls.caOptional`
 
-To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.http.services.{name-of-your-choice}.`, followed by the option you want to change. For example, to change the passhostheader behavior, you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false`.
+Policy followed for the secured connection with TLS Client Authentication to Docker.
+Requires `tls.ca` to be defined.
 
-Every [Service](../routing/services/index.md) parameter can be updated this way.
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
 
-### Middleware
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  caOptional = true
+```
 
-You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      caOptional: true
+```
 
-??? example "Declaring and Referencing a Middleware"
+```bash tab="CLI"
+--providers.docker.tls.caOptional=true
+```
 
-    ```yaml
-       services:
-         my-container:
-           # ...
-           labels:
-             - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
-             - traefik.http.routers.my-container.middlewares=my-redirect
-    ```
+#### `tls.cert`
 
-!!! warning "Conflicts in Declaration"
+Public certificate used for the secured connection to Docker.
 
-    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
 
-More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
 
-### TCP
+```bash tab="CLI"
+--providers.docker.tls.cert=path/to/foo.cert
+--providers.docker.tls.key=path/to/foo.key
+```
 
-You can declare TCP Routers and/or Services using labels.
+#### `tls.key`
 
-??? example "Declaring TCP Routers and Services"
+Private certificate used for the secured connection to Docker.
 
-    ```yaml
-       services:
-         my-container:
-           # ...
-           labels:
-             - traefik.tcp.routers.my-router.rule="HostSNI(`my-host.com`)"
-             - traefik.tcp.routers.my-router.tls="true"
-             - traefik.tcp.services.my-service.loadbalancer.server.port="4123"
-    ```
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
 
-!!! warning "TCP and HTTP"
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
 
-    If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).
-    You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
+```bash tab="CLI"
+--providers.docker.tls.cert=path/to/foo.cert
+--providers.docker.tls.key=path/to/foo.key
+```
 
-### Specific Options
+#### `tls.insecureSkipVerify`
 
-#### `traefik.enable`
+If `insecureSkipVerify` is `true`, TLS for the connection to Docker accepts any certificate presented by the server and any host name in that certificate.
 
-You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  insecureSkipVerify = true
+```
 
-This option overrides the value of `exposedByDefault`.
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      insecureSkipVerify: true
+```
 
-#### `traefik.docker.network`
-
-Overrides the default docker network to use for connections to the container.
-
-If a container is linked to several networks, be sure to set the proper network name (you can check this with `docker inspect <container_id>`), otherwise it will randomly pick one (depending on how docker is returning them).
-
-!!! warning
-    When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`.
-
-#### `traefik.docker.lbswarm`
-
-Enables Swarm's inbuilt load balancer (only relevant in Swarm Mode).
-
-If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
-Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.
+```bash tab="CLI"
+--providers.docker.tls.insecureSkipVerify=true
+```

docs/content/providers/file.md

@@ -9,7 +9,7 @@ You can write these configuration elements:
 * In [a dedicated file](#filename)
 * In [several dedicated files](#directory)
 
-!!! note
+!!! info
     The file provider is the default format used throughout the documentation to show samples of the configuration for many features. 
 
 !!! tip
@@ -96,15 +96,12 @@ You can write these configuration elements:
             passHostHeader: false
     ```
 
-## Provider Configuration Options
+## Provider Configuration
+
+If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md).
 
-!!! tip "Browse the Reference"
-    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/file.md) configuration references.
-    
 ### `filename`
 
-_Optional_
-
 Defines the path of the configuration file.
 
 ```toml tab="File (TOML)"
@@ -125,8 +122,6 @@ providers:
 
 ### `directory`
 
-_Optional_
-
 Defines the directory that contains the configuration files.
 
 ```toml tab="File (TOML)"
@@ -147,8 +142,6 @@ providers:
 
 ### `watch`
 
-_Optional_
-
 Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.  
 It works with both the `filename` and the `directory` options.
 
@@ -174,8 +167,8 @@ providers:
 ### Go Templating
 
 !!! warning
-    Go Templating only works along with dedicated configuration files.
-    Templating does not work in the Traefik main configuration file.
+    Go Templating only works along with dedicated dynamic configuration files.
+    Templating does not work in the Traefik main static configuration file.
 
 Traefik allows using Go templating.  
 Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the file `template-rules.toml` :

docs/content/providers/kubernetes-crd.md

@@ -8,6 +8,10 @@ Traefik used to support Kubernetes only through the [Kubernetes Ingress provider
 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
 
+## Resource Configuration
+
+See the dedicated section in [routing](../routing/providers/kubernetes-crd.md).
+
 ## Provider Configuration
 
 ### `endpoint`
@@ -168,194 +172,25 @@ Value of `kubernetes.io/ingress.class` annotation that identifies Ingress object
 If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
 Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
 
-## Resource Configuration
+### `throttleDuration`
 
-If you're in a hurry, maybe you'd rather go through the [dynamic](../reference/dynamic-configuration/kubernetes-crd.md) configuration reference.
+_Optional, Default: 0 (no throttling)_
 
-### Traefik IngressRoute definition
-
-```yaml
---8<-- "content/providers/crd_ingress_route.yml"
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  throttleDuration = "10s"
+  # ...
 ```
 
-That `IngressRoute` kind can then be used to define an `IngressRoute` object, such as in:
-
-```yaml
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: ingressroutefoo
-
-spec:
-  entryPoints:
-    - web
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
-  # but for now we only support a traefik style matching rule.
-  - match: Host(`foo.com`) && PathPrefix(`/bar`)
-    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
-    # "Parameter", etc, to support simpler forms of rule matching, but for now we
-    # only support "Rule".
-    kind: Rule
-    # (optional) Priority disambiguates rules of the same length, for route matching.
-    priority: 12
-    services:
-    - name: whoami
-      port: 80
-      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
-      weight: 1
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRouteTCP
-metadata:
-  name: ingressroutetcpfoo.crd
-
-spec:
-  entryPoints:
-    - footcp
-  routes:
-  # Match is the rule corresponding to an underlying router.
-  - match: HostSNI(`*`)
-    services:
-    - name: whoamitcp
-      port: 8080
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    throttleDuration: "10s"
+    # ...
 ```
 
-### Middleware
-
-Additionally, to allow for the use of middlewares in an `IngressRoute`, we defined the CRD below for the `Middleware` kind.
-
-```yaml
---8<-- "content/providers/crd_middlewares.yml"
-```
-
-Once the `Middleware` kind has been registered with the Kubernetes cluster, it can then be used in `IngressRoute` definitions, such as:
-
-```yaml
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: stripprefix
-  namespace: foo
-
-spec:
-  stripPrefix:
-    prefixes:
-      - /stripit
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: ingressroutebar
-
-spec:
-  entryPoints:
-    - web
-  routes:
-  - match: Host(`bar.com`) && PathPrefix(`/stripit`)
-    kind: Rule
-    services:
-    - name: whoami
-      port: 80
-    middlewares:
-    - name: stripprefix
-      namespace: foo
-```
-
-!!! important "Cross-provider namespace"
-
-	As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource
-(in the reference to the middleware) with the [provider namespace](../middlewares/overview.md#provider-namespace),
-when the definition of the middleware is from another provider.
-In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored.
-
-More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
-
-### TLS Option
-
-Additionally, to allow for the use of TLS options in an IngressRoute, we defined the CRD below for the TLSOption kind.
-More information about TLS Options is available in the dedicated [TLS Configuration Options](../../https/tls/#tls-options).
-
-```yaml
---8<-- "content/providers/crd_tls_option.yml"
-```
-
-Once the TLSOption kind has been registered with the Kubernetes cluster or defined in the File Provider, it can then be used in IngressRoute definitions, such as:
-
-```yaml
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSOption
-metadata:
-  name: mytlsoption
-  namespace: default
-
-spec:
-  minVersion: VersionTLS12
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: ingressroutebar
-
-spec:
-  entryPoints:
-    - web
-  routes:
-  - match: Host(`bar.com`) && PathPrefix(`/stripit`)
-    kind: Rule
-    services:
-    - name: whoami
-      port: 80
-  tls:
-    options: 
-      name: mytlsoption
-      namespace: default
-```
-
-!!! important "References and namespaces"
-
-    If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
-
-	Additionally, when the definition of the TLS option is from another provider,
-the cross-provider syntax (`middlewarename@provider`) should be used to refer to the TLS option,
-just as in the [middleware case](../middlewares/overview.md#provider-namespace).
-Specifying a namespace attribute in this case would not make any sense, and will be ignored.
-
-### TLS
-
-To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: supersecret
-
-data:
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
-  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
-
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: ingressroutetls
-
-spec:
-  entryPoints:
-    - web
-  routes:
-  - match: Host(`foo.com`) && PathPrefix(`/bar`)
-    kind: Rule
-    services:
-    - name: whoami
-      port: 443
-  tls:
-    secretName: supersecret
+```bash tab="CLI"
+--providers.kubernetescrd.throttleDuration="10s"
 ```
 
 ## Further

docs/content/providers/kubernetes-ingress.md

@@ -34,23 +34,20 @@ metadata:
 
 spec:
   rules:
-  - host: foo.com
-    http:
-      paths:
-      - path: /bar
-        backend:
-          serviceName: service1
-          servicePort: 80
-      - path: /foo
-        backend:
-          serviceName: service1
-          servicePort: 80
+    - host: foo.com
+      http:
+        paths:
+          - path: /bar
+            backend:
+              serviceName: service1
+              servicePort: 80
+          - path: /foo
+            backend:
+              serviceName: service1
+              servicePort: 80
 ```
 
-## Provider Configuration Options
-
-!!! tip "Browse the Reference"
-    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) configuration reference.
+## Provider Configuration
 
 ### `endpoint`
 
@@ -168,8 +165,8 @@ _Optional, Default: all namespaces (empty array)_
 providers:
   kubernetesIngress:
     namespaces:
-    - "default"
-    - "production"
+      - "default"
+      - "production"
     # ...
 ```
 
@@ -305,6 +302,27 @@ providers:
 
 Published Kubernetes Service to copy status from.
 
+### `throttleDuration`
+
+_Optional, Default: 0 (no throttling)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  throttleDuration = "10s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    throttleDuration: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.throttleDuration="10s"
+```
+
 ## Further
 
 If one wants to know more about the various aspects of the Ingress spec that Traefik supports, many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

docs/content/providers/marathon.md

@@ -49,10 +49,11 @@ See also [Marathon user guide](../user-guides/marathon.md).
 	}
     ```
 
-## Provider Configuration Options
+## Routing Configuration
 
-!!! tip "Browse the Reference"
-    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) and the [dynamic](../reference/dynamic-configuration/marathon.md) configuration references.
+See the dedicated section in [routing](../routing/providers/marathon.md).
+
+## Provider Configuration
 
 ### `basic`
 
@@ -243,7 +244,7 @@ That is to say, if none of the application's labels match the expression, no rou
 In addition, the expression also matched against the application's constraints, such as described in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
 If the expression is empty, all detected applications are included.
 
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")`, as well as the usual boolean logic.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")`, as well as the usual boolean logic.
 In addition, to match against marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are joined together in a single string with the `:` separator.
 
 ??? example "Constraints Expression Examples"
@@ -275,7 +276,7 @@ In addition, to match against marathon constraints, the function `MarathonConstr
     
     ```toml
     # Includes only applications having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
     ```
 
     ```toml
@@ -398,37 +399,121 @@ when waiting for the first response header from a Marathon master.
 
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), or directly as a number of seconds.
 
-### `TLS`
+### `tls`
 
 _Optional_
 
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to Marathon.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection to Marathon with TLS Client Authentication.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to Marathon.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.cert=path/to/foo.cert
+--providers.marathon.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to Marathon.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.cert=path/to/foo.cert
+--providers.marathon.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Marathon accepts any certificate presented by the server and any host name in that certificate.
+
 ```toml tab="File (TOML)"
 [providers.marathon.tls]
-  ca = "/etc/ssl/ca.crt"
-  cert = "/etc/ssl/marathon.cert"
-  key = "/etc/ssl/marathon.key"
   insecureSkipVerify = true
 ```
 
 ```yaml tab="File (YAML)"
 providers:
-  marathon
+  marathon:
     tls:
-      ca: "/etc/ssl/ca.crt"
-      cert: "/etc/ssl/marathon.cert"
-      key: "/etc/ssl/marathon.key"
-      insecureSkipVerify:  true
+      insecureSkipVerify: true
 ```
 
 ```bash tab="CLI"
---providers.marathon.tls.ca="/etc/ssl/ca.crt"
---providers.marathon.tls.cert="/etc/ssl/marathon.cert"
---providers.marathon.tls.key="/etc/ssl/marathon.key"
---providers.marathon.tls.insecureskipverify=true
+--providers.marathon.tls.insecureSkipVerify=true
 ```
 
-TLS client configuration. [tls/#Config](https://golang.org/pkg/crypto/tls/#Config).
-
 ### `tlsHandshakeTimeout`
 
 _Optional, Default=5s_
@@ -505,84 +590,3 @@ providers:
 ```
 
 Enables watching for Marathon changes.
-
-## Routing Configuration Options
-
-### General
-
-Traefik creates, for each Marathon application, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
-
-The Service automatically gets a server per instance of the application,
-and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).
-
-### Routers
-
-To update the configuration of the Router automatically attached to the application,
-add labels starting with `traefik.http.routers.{router-name-of-your-choice}.` and followed by the option you want to change.
-For example, to change the routing rule, you could add the label ```traefik.http.routers.routername.rule=Host(`my-domain`)```.
-
-Every [Router](../routing/routers/index.md) parameter can be updated this way.
-
-### Services
-
-To update the configuration of the Service automatically attached to the container,
-add labels starting with `traefik.http.services.{service-name-of-your-choice}.`, followed by the option you want to change.
-For example, to change the passHostHeader behavior, you'd add the label `traefik.http.services.servicename.loadbalancer.passhostheader=false`.
-
-Every [Service](../routing/services/index.md) parameter can be updated this way.
-
-### Middleware
-
-You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
-For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
-
-??? example "Declaring and Referencing a Middleware"
-
-    ```json
-	{
-		...
-		"labels": {
-			"traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https",
-			"traefik.http.routers.my-container.middlewares": "my-redirect"
-		}
-	}
-    ```
-
-!!! warning "Conflicts in Declaration"
-
-    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
-
-More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
-
-### TCP
-
-You can declare TCP Routers and/or Services using labels.
-
-??? example "Declaring TCP Routers and Services"
-
-    ```json
-	{
-		...
-		"labels": {
-			"traefik.tcp.routers.my-router.rule": "HostSNI(`my-host.com`)",
-			"traefik.tcp.routers.my-router.tls": "true",
-			"traefik.tcp.services.my-service.loadbalancer.server.port": "4123"
-		}
-	}
-    ```
-
-!!! warning "TCP and HTTP"
-
-    If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (as it would by default if no TCP Router/Service is defined).
-    Both a TCP Router/Service and an HTTP Router/Service can be created for the same application, but it has to be done explicitly in the config.
-
-### Specific Options
-
-#### `traefik.enable`
-
-Setting this option controls whether Traefik exposes the application.
-It overrides the value of `exposedByDefault`.
-
-#### `traefik.marathon.ipadressidx`
-
-If a task has several IP addresses, this option specifies which one, in the list of available addresses, to select.

docs/content/providers/overview.md

@@ -32,12 +32,12 @@ Below is the list of the currently supported providers in Traefik.
 | [Kubernetes](./kubernetes-crd.md) | Orchestrator | Custom Resource    |
 | [Marathon](./marathon.md)         | Orchestrator | Label              |
 | [Rancher](./rancher.md)           | Orchestrator | Label              |
-| [File](./file.md)                 | Manual       | TOML format        |
+| [File](./file.md)                 | Manual       | TOML/YAML format   |
 
-!!! note "More Providers"
+!!! info "More Providers"
 
-    The current version of Traefik is in development and doesn't support (yet) every provider.
-    See the previous version (1.7) for more providers.
+    The current version of Traefik doesn't support (yet) every provider.
+    See the [previous version (v1.7)](https://docs.traefik.io/v1.7/) for more providers.
 
 <!--
 TODO (document TCP VS HTTP dynamic configuration)
@@ -69,3 +69,4 @@ List of providers that support constraints:
 - [Rancher](./rancher.md#constraints)
 - [Marathon](./marathon.md#constraints)
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)
+- [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)

docs/content/providers/rancher.md

@@ -7,8 +7,8 @@ A Story of Labels, Services & Containers
 
 Attach labels to your services and let Traefik do the rest!
 
-!!! important
-    This provider is specific to Rancher 1.x.
+!!! important "This provider is specific to Rancher 1.x."
+    
     Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
     As such, Rancher 2.x users should utilize the [Kubernetes provider](./kubernetes-crd.md) directly.
 
@@ -35,10 +35,14 @@ Attach labels to your services and let Traefik do the rest!
 
     ```yaml
     labels:
-      - traefik.http.services.my-service.rule=Host(`my-domain`)
+      - traefik.http.services.my-service.rule=Host(`mydomain.com`)
     ```
 
-## Provider Configuration Options
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/rancher.md).
+
+## Provider Configuration
 
 ??? tip "Browse the Reference"
     If you're in a hurry, maybe you'd rather go through the configuration reference:
@@ -55,8 +59,6 @@ Attach labels to your services and let Traefik do the rest!
     --8<-- "content/providers/rancher.txt"
     ```
 
-List of all available labels for the [dynamic](../reference/dynamic-configuration/rancher.md) configuration references.
-
 ### `exposedByDefault`
 
 _Optional, Default=true_
@@ -239,7 +241,7 @@ Constraints is an expression that Traefik matches against the container's labels
 That is to say, if none of the container's labels match the expression, no route for the container is created.
 If the expression is empty, all detected containers are included.
 
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
 
 ??? example "Constraints Expression Examples"
 
@@ -270,63 +272,7 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp(
     
     ```toml
     # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
     ```
 
 See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-## Routing Configuration Options
-
-### General
-
-Traefik creates, for each rancher service, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
-
-The Service automatically gets a server per container in this rancher service, and the router gets a default rule attached to it, based on the service name.
-
-### Routers
-
-To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change.
-For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`.
-
-Every [Router](../routing/routers/index.md) parameter can be updated this way.
-
-### Services
-
-To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.http.services.{name-of-your-choice}.`,
-followed by the option you want to change. For example, to change the passhostheader behavior,
-you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false`.
-
-Every [Service](../routing/services/index.md) parameter can be updated this way.
-
-### Middleware
-
-You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
-For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
-
-??? example "Declaring and Referencing a Middleware"
-    
-    ```yaml
-    # ...
-    labels:
-     - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
-     - traefik.http.routers.my-container.middlewares=my-redirect
-    ```
-
-!!! warning "Conflicts in Declaration"
-
-    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
-
-More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
-
-### Specific Options
-
-#### `traefik.enable`
-
-You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
-
-This option overrides the value of `exposedByDefault`.
-
-#### Port Lookup
-
-Traefik is now capable of detecting the port to use, by following the default rancher flow.
-That means, if you just expose lets say port :1337 on the rancher ui, traefik will pick up this port and use it.

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -184,4 +184,6 @@
 - "traefik.tcp.routers.tcprouter1.tls.options=foobar"
 - "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
 - "traefik.tcp.services.tcpservice0.loadbalancer.server.port=foobar"
+- "traefik.tcp.services.tcpservice0.loadbalancer.terminationdelay=100"
 - "traefik.tcp.services.tcpservice1.loadbalancer.server.port=foobar"
+- "traefik.tcp.services.tcpservice1.loadbalancer.terminationdelay=100"

docs/content/reference/dynamic-configuration/file.toml

@@ -286,14 +286,17 @@
   [tcp.services]
     [tcp.services.TCPService0]
       [tcp.services.TCPService0.loadBalancer]
+        terminationDelay = 100
 
         [[tcp.services.TCPService0.loadBalancer.servers]]
           address = "foobar"
 
         [[tcp.services.TCPService0.loadBalancer.servers]]
           address = "foobar"
+
     [tcp.services.TCPService1]
       [tcp.services.TCPService1.loadBalancer]
+        terminationDelay = 100
 
         [[tcp.services.TCPService1.loadBalancer.servers]]
           address = "foobar"

docs/content/reference/dynamic-configuration/file.yaml

@@ -2,11 +2,11 @@ http:
   routers:
     Router0:
       entryPoints:
-      - foobar
-      - foobar
+        - foobar
+        - foobar
       middlewares:
-      - foobar
-      - foobar
+        - foobar
+        - foobar
       service: foobar
       rule: foobar
       priority: 42
@@ -14,21 +14,21 @@ http:
         options: foobar
         certResolver: foobar
         domains:
-        - main: foobar
-          sans:
-          - foobar
-          - foobar
-        - main: foobar
-          sans:
-          - foobar
-          - foobar
+          - main: foobar
+            sans:
+              - foobar
+              - foobar
+          - main: foobar
+            sans:
+              - foobar
+              - foobar
     Router1:
       entryPoints:
-      - foobar
-      - foobar
+        - foobar
+        - foobar
       middlewares:
-      - foobar
-      - foobar
+        - foobar
+        - foobar
       service: foobar
       rule: foobar
       priority: 42
@@ -36,14 +36,14 @@ http:
         options: foobar
         certResolver: foobar
         domains:
-        - main: foobar
-          sans:
-          - foobar
-          - foobar
-        - main: foobar
-          sans:
-          - foobar
-          - foobar
+          - main: foobar
+            sans:
+              - foobar
+              - foobar
+          - main: foobar
+            sans:
+              - foobar
+              - foobar
   services:
     Service01:
       loadBalancer:
@@ -53,8 +53,8 @@ http:
             secure: true
             httpOnly: true
         servers:
-        - url: foobar
-        - url: foobar
+          - url: foobar
+          - url: foobar
         healthCheck:
           scheme: foobar
           path: foobar
@@ -72,17 +72,17 @@ http:
       mirroring:
         service: foobar
         mirrors:
-        - name: foobar
-          percent: 42
-        - name: foobar
-          percent: 42
+          - name: foobar
+            percent: 42
+          - name: foobar
+            percent: 42
     Service03:
       weighted:
         services:
-        - name: foobar
-          weight: 42
-        - name: foobar
-          weight: 42
+          - name: foobar
+            weight: 42
+          - name: foobar
+            weight: 42
         sticky:
           cookie:
             name: foobar
@@ -95,8 +95,8 @@ http:
     Middleware01:
       basicAuth:
         users:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         usersFile: foobar
         realm: foobar
         removeHeader: true
@@ -111,8 +111,8 @@ http:
     Middleware03:
       chain:
         middlewares:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
     Middleware04:
       circuitBreaker:
         expression: foobar
@@ -121,8 +121,8 @@ http:
     Middleware06:
       digestAuth:
         users:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         usersFile: foobar
         removeHeader: true
         realm: foobar
@@ -130,8 +130,8 @@ http:
     Middleware07:
       errors:
         status:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         service: foobar
         query: foobar
     Middleware08:
@@ -145,8 +145,8 @@ http:
           insecureSkipVerify: true
         trustForwardHeader: true
         authResponseHeaders:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
     Middleware09:
       headers:
         customRequestHeaders:
@@ -157,23 +157,23 @@ http:
           name1: foobar
         accessControlAllowCredentials: true
         accessControlAllowHeaders:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         accessControlAllowMethods:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         accessControlAllowOrigin: foobar
         accessControlExposeHeaders:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         accessControlMaxAge: 42
         addVaryHeader: true
         allowedHosts:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         hostsProxyHeaders:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         sslRedirect: true
         sslTemporaryRedirect: true
         sslHost: foobar
@@ -198,13 +198,13 @@ http:
     Middleware10:
       ipWhiteList:
         sourceRange:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         ipStrategy:
           depth: 42
           excludedIPs:
-          - foobar
-          - foobar
+            - foobar
+            - foobar
     Middleware11:
       inFlightReq:
         amount: 42
@@ -212,8 +212,8 @@ http:
           ipstrategy:
             depth: 42
             excludedIPs:
-            - foobar
-            - foobar
+              - foobar
+              - foobar
           requestHeaderName: foobar
           requestHost: true
     Middleware12:
@@ -247,8 +247,8 @@ http:
           ipstrategy:
             depth: 42
             excludedIPs:
-            - foobar
-            - foobar
+              - foobar
+              - foobar
           requestHeaderName: foobar
           requestHost: true
     Middleware14:
@@ -274,19 +274,19 @@ http:
     Middleware19:
       stripPrefix:
         prefixes:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
     Middleware20:
       stripPrefixRegex:
         regex:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
 tcp:
   routers:
     TCPRouter0:
       entryPoints:
-      - foobar
-      - foobar
+        - foobar
+        - foobar
       service: foobar
       rule: foobar
       tls:
@@ -294,18 +294,18 @@ tcp:
         options: foobar
         certResolver: foobar
         domains:
-        - main: foobar
-          sans:
-          - foobar
-          - foobar
-        - main: foobar
-          sans:
-          - foobar
-          - foobar
+          - main: foobar
+            sans:
+              - foobar
+              - foobar
+          - main: foobar
+            sans:
+              - foobar
+              - foobar
     TCPRouter1:
       entryPoints:
-      - foobar
-      - foobar
+        - foobar
+        - foobar
       service: foobar
       rule: foobar
       tls:
@@ -313,58 +313,60 @@ tcp:
         options: foobar
         certResolver: foobar
         domains:
-        - main: foobar
-          sans:
-          - foobar
-          - foobar
-        - main: foobar
-          sans:
-          - foobar
-          - foobar
+          - main: foobar
+            sans:
+              - foobar
+              - foobar
+          - main: foobar
+            sans:
+              - foobar
+              - foobar
   services:
     TCPService0:
       loadBalancer:
+        terminationDelay: 100
         servers:
-        - address: foobar
-        - address: foobar
+          - address: foobar
+          - address: foobar
     TCPService1:
       loadBalancer:
+        terminationDelay: 100
         servers:
-        - address: foobar
-        - address: foobar
+          - address: foobar
+          - address: foobar
 tls:
   certificates:
-  - certFile: foobar
-    keyFile: foobar
-    stores:
-    - foobar
-    - foobar
-  - certFile: foobar
-    keyFile: foobar
-    stores:
-    - foobar
-    - foobar
+    - certFile: foobar
+      keyFile: foobar
+      stores:
+        - foobar
+        - foobar
+    - certFile: foobar
+      keyFile: foobar
+      stores:
+        - foobar
+        - foobar
   options:
     Options0:
       minVersion: foobar
       cipherSuites:
-      - foobar
-      - foobar
+        - foobar
+        - foobar
       clientAuth:
         caFiles:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         clientAuthType: foobar
       sniStrict: true
     Options1:
       minVersion: foobar
       cipherSuites:
-      - foobar
-      - foobar
+        - foobar
+        - foobar
       clientAuth:
         caFiles:
-        - foobar
-        - foobar
+          - foobar
+          - foobar
         clientAuthType: foobar
       sniStrict: true
   stores:

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -184,4 +184,6 @@
 "traefik.tcp.routers.tcprouter1.tls.options": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.passthrough": "true",
 "traefik.tcp.services.tcpservice0.loadbalancer.server.port": "foobar",
+"traefik.tcp.services.tcpservice0.loadbalancer.terminationDelay": "100",
 "traefik.tcp.services.tcpservice1.loadbalancer.server.port": "foobar"
+"traefik.tcp.services.tcpservice1.loadbalancer.terminationDelay": "100",

docs/content/reference/static-configuration/cli-ref.md

@@ -45,6 +45,9 @@ Activate dashboard. (Default: ```true```)
 `--api.debug`:  
 Enable additional endpoints for debugging and profiling. (Default: ```false```)
 
+`--api.insecure`:  
+Activate API directly on the entryPoint named traefik. (Default: ```false```)
+
 `--certificatesresolvers.<name>`:  
 Certificates resolvers configuration. (Default: ```false```)
 
@@ -207,6 +210,9 @@ Enable metrics on services. (Default: ```true```)
 `--metrics.prometheus.buckets`:  
 Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
 
+`--metrics.prometheus.entrypoint`:  
+EntryPoint (Default: ```traefik```)
+
 `--metrics.statsd`:  
 StatsD metrics exporter type. (Default: ```false```)
 
@@ -223,7 +229,10 @@ Enable metrics on services. (Default: ```true```)
 StatsD push interval. (Default: ```10```)
 
 `--ping`:  
-Enable ping. (Default: ```true```)
+Enable ping. (Default: ```false```)
+
+`--ping.entrypoint`:  
+EntryPoint (Default: ```traefik```)
 
 `--providers.docker`:  
 Enable Docker backend with default settings. (Default: ```false```)
@@ -274,10 +283,10 @@ Watch provider. (Default: ```true```)
 Enable debug logging of generated configuration template. (Default: ```false```)
 
 `--providers.file.directory`:  
-Load configuration from one or more .toml files in a directory.
+Load dynamic configuration from one or more .toml or .yml files in a directory.
 
 `--providers.file.filename`:  
-Override default configuration template. For advanced users :)
+Load dynamic configuration from a file.
 
 `--providers.file.watch`:  
 Watch provider. (Default: ```true```)
@@ -303,6 +312,9 @@ Kubernetes label selector to use.
 `--providers.kubernetescrd.namespaces`:  
 Kubernetes namespaces.
 
+`--providers.kubernetescrd.throttleduration`:  
+Ingress refresh throttle duration (Default: ```0```)
+
 `--providers.kubernetescrd.token`:  
 Kubernetes bearer token (not needed for in-cluster client).
 
@@ -336,6 +348,9 @@ Kubernetes Ingress label selector to use.
 `--providers.kubernetesingress.namespaces`:  
 Kubernetes namespaces.
 
+`--providers.kubernetesingress.throttleduration`:  
+Ingress refresh throttle duration (Default: ```0```)
+
 `--providers.kubernetesingress.token`:  
 Kubernetes bearer token (not needed for in-cluster client).
 
@@ -433,7 +448,10 @@ Defines the polling interval in seconds. (Default: ```15```)
 Watch provider. (Default: ```true```)
 
 `--providers.rest`:  
-Enable Rest backend with default settings. (Default: ```true```)
+Enable Rest backend with default settings. (Default: ```false```)
+
+`--providers.rest.insecure`:  
+Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)
 
 `--serverstransport.forwardingtimeouts.dialtimeout`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)

docs/content/reference/static-configuration/env-ref.md

@@ -45,6 +45,9 @@ Activate dashboard. (Default: ```true```)
 `TRAEFIK_API_DEBUG`:  
 Enable additional endpoints for debugging and profiling. (Default: ```false```)
 
+`TRAEFIK_API_INSECURE`:  
+Activate API directly on the entryPoint named traefik. (Default: ```false```)
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>`:  
 Certificates resolvers configuration. (Default: ```false```)
 
@@ -207,6 +210,9 @@ Enable metrics on services. (Default: ```true```)
 `TRAEFIK_METRICS_PROMETHEUS_BUCKETS`:  
 Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
 
+`TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:  
+EntryPoint (Default: ```traefik```)
+
 `TRAEFIK_METRICS_STATSD`:  
 StatsD metrics exporter type. (Default: ```false```)
 
@@ -223,7 +229,10 @@ Enable metrics on services. (Default: ```true```)
 StatsD push interval. (Default: ```10```)
 
 `TRAEFIK_PING`:  
-Enable ping. (Default: ```true```)
+Enable ping. (Default: ```false```)
+
+`TRAEFIK_PING_ENTRYPOINT`:  
+EntryPoint (Default: ```traefik```)
 
 `TRAEFIK_PROVIDERS_DOCKER`:  
 Enable Docker backend with default settings. (Default: ```false```)
@@ -274,10 +283,10 @@ Watch provider. (Default: ```true```)
 Enable debug logging of generated configuration template. (Default: ```false```)
 
 `TRAEFIK_PROVIDERS_FILE_DIRECTORY`:  
-Load configuration from one or more .toml files in a directory.
+Load dynamic configuration from one or more .toml or .yml files in a directory.
 
 `TRAEFIK_PROVIDERS_FILE_FILENAME`:  
-Override default configuration template. For advanced users :)
+Load dynamic configuration from a file.
 
 `TRAEFIK_PROVIDERS_FILE_WATCH`:  
 Watch provider. (Default: ```true```)
@@ -303,6 +312,9 @@ Kubernetes label selector to use.
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_NAMESPACES`:  
 Kubernetes namespaces.
 
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_THROTTLEDURATION`:  
+Ingress refresh throttle duration (Default: ```0```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_TOKEN`:  
 Kubernetes bearer token (not needed for in-cluster client).
 
@@ -336,6 +348,9 @@ Kubernetes Ingress label selector to use.
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_NAMESPACES`:  
 Kubernetes namespaces.
 
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_THROTTLEDURATION`:  
+Ingress refresh throttle duration (Default: ```0```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_TOKEN`:  
 Kubernetes bearer token (not needed for in-cluster client).
 
@@ -433,7 +448,10 @@ Defines the polling interval in seconds. (Default: ```15```)
 Watch provider. (Default: ```true```)
 
 `TRAEFIK_PROVIDERS_REST`:  
-Enable Rest backend with default settings. (Default: ```true```)
+Enable Rest backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_REST_INSECURE`:  
+Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)
 
 `TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)

docs/content/reference/static-configuration/file.toml

@@ -83,6 +83,7 @@
     namespaces = ["foobar", "foobar"]
     labelSelector = "foobar"
     ingressClass = "foobar"
+    throttleDuration = "10s"
     [providers.kubernetesIngress.ingressEndpoint]
       ip = "foobar"
       hostname = "foobar"
@@ -95,7 +96,9 @@
     namespaces = ["foobar", "foobar"]
     labelSelector = "foobar"
     ingressClass = "foobar"
+    throttleDuration = "10s"
   [providers.rest]
+    insecure = true
   [providers.rancher]
     constraints = "foobar"
     watch = true
@@ -107,6 +110,7 @@
     prefix = "foobar"
 
 [api]
+  insecure = true
   dashboard = true
   debug = true
 
@@ -115,6 +119,7 @@
     buckets = [42.0, 42.0]
     addEntryPointsLabels = true
     addServicesLabels = true
+    entryPoint = "foobar"
   [metrics.datadog]
     address = "foobar"
     pushInterval = "10s"
@@ -137,6 +142,7 @@
     addServicesLabels = true
 
 [ping]
+  entryPoint = "foobar"
 
 [log]
   level = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -88,6 +88,7 @@ providers:
     - foobar
     labelSelector: foobar
     ingressClass: foobar
+    throttleDuration: 10s
     ingressEndpoint:
       ip: foobar
       hostname: foobar
@@ -102,7 +103,9 @@ providers:
     - foobar
     labelSelector: foobar
     ingressClass: foobar
-  rest: {}
+    throttleDuration: 10s
+  rest:
+    insecure: true
   rancher:
     constraints: foobar
     watch: true
@@ -113,6 +116,7 @@ providers:
     intervalPoll: true
     prefix: foobar
 api:
+  insecure: true
   dashboard: true
   debug: true
 metrics:
@@ -122,6 +126,7 @@ metrics:
     - 42
     addEntryPointsLabels: true
     addServicesLabels: true
+    entryPoint: foobar
   datadog:
     address: foobar
     pushInterval: 42
@@ -142,7 +147,8 @@ metrics:
     password: foobar
     addEntryPointsLabels: true
     addServicesLabels: true
-ping: {}
+ping:
+  entryPoint: foobar
 log:
   level: foobar
   filePath: foobar

docs/content/routing/entrypoints.md

@@ -13,18 +13,21 @@ They define the port which will receive the requests (whether HTTP or TCP).
 ??? example "Port 80 only"
 
     ```toml tab="File (TOML)"
+    ## Static configuration
     [entryPoints]
       [entryPoints.web]
         address = ":80"
     ```
     
     ```yaml tab="File (YAML)"
+    ## Static configuration
     entryPoints:
       web:
        address: ":80"
     ```
     
     ```bash tab="CLI"
+    ## Static configuration
     --entryPoints.web.address=:80
     ```
 
@@ -33,6 +36,7 @@ They define the port which will receive the requests (whether HTTP or TCP).
 ??? example "Port 80 & 443" 
 
     ```toml tab="File (TOML)"
+    ## Static configuration
     [entryPoints]
       [entryPoints.web]
         address = ":80"
@@ -42,6 +46,7 @@ They define the port which will receive the requests (whether HTTP or TCP).
     ```
     
     ```yaml tab="File (YAML)"
+    ## Static configuration
     entryPoints:
       web:
         address: ":80"
@@ -51,13 +56,14 @@ They define the port which will receive the requests (whether HTTP or TCP).
     ```
     
     ```bash tab="CLI"
+    ## Static configuration
     --entryPoints.web.address=:80
     --entryPoints.web-secure.address=:443
     ```
 
     - Two entrypoints are defined: one called `web`, and the other called `web-secure`.
     - `web` listens on port `80`, and `web-secure` on port `443`. 
-    
+
 ## Configuration
 
 ### General
@@ -65,78 +71,341 @@ They define the port which will receive the requests (whether HTTP or TCP).
 EntryPoints are part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
 You can define them using a toml file, CLI arguments, or a key-value store.
 
-See the complete reference for the list of available options:
+??? info "See the complete reference for the list of available options"
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.name]
+        address = ":8888"
+        [entryPoints.name.transport]
+          [entryPoints.name.transport.lifeCycle]
+            requestAcceptGraceTimeout = 42
+            graceTimeOut = 42
+          [entryPoints.name.transport.respondingTimeouts]
+            readTimeout = 42
+            writeTimeout = 42
+            idleTimeout = 42
+        [entryPoints.name.proxyProtocol]
+          insecure = true
+          trustedIPs = ["127.0.0.1", "192.168.0.1"]
+        [entryPoints.name.forwardedHeaders]
+          insecure = true
+          trustedIPs = ["127.0.0.1", "192.168.0.1"]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      name:
+        address: ":8888"
+        transport:
+          lifeCycle:
+            requestAcceptGraceTimeout: 42
+            graceTimeOut: 42
+          respondingTimeouts:
+            readTimeout: 42
+            writeTimeout: 42
+            idleTimeout: 42
+        proxyProtocol:
+          insecure: true
+          trustedIPs:
+            - "127.0.0.1"
+            - "192.168.0.1"
+        forwardedHeaders:
+          insecure: true
+          trustedIPs:
+            - "127.0.0.1"
+            - "192.168.0.1"
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.name.address=:8888
+    --entryPoints.name.transport.lifeCycle.requestAcceptGraceTimeout=42
+    --entryPoints.name.transport.lifeCycle.graceTimeOut=42
+    --entryPoints.name.transport.respondingTimeouts.readTimeout=42
+    --entryPoints.name.transport.respondingTimeouts.writeTimeout=42
+    --entryPoints.name.transport.respondingTimeouts.idleTimeout=42
+    --entryPoints.name.proxyProtocol.insecure=true
+    --entryPoints.name.proxyProtocol.trustedIPs="127.0.0.1,192.168.0.1"
+    --entryPoints.name.forwardedHeaders.insecure=true
+    --entryPoints.name.forwardedHeaders.trustedIPs="127.0.0.1,192.168.0.1"
+    ```
 
-```toml tab="File (TOML)"
-[entryPoints]
+### Forwarded Header
 
-  [entryPoints.EntryPoint0]
-    address = ":8888"
-    [entryPoints.EntryPoint0.transport]
-      [entryPoints.EntryPoint0.transport.lifeCycle]
-        requestAcceptGraceTimeout = 42
-        graceTimeOut = 42
-      [entryPoints.EntryPoint0.transport.respondingTimeouts]
-        readTimeout = 42
-        writeTimeout = 42
-        idleTimeout = 42
-    [entryPoints.EntryPoint0.proxyProtocol]
-      insecure = true
-      trustedIPs = ["foobar", "foobar"]
-    [entryPoints.EntryPoint0.forwardedHeaders]
-      insecure = true
-      trustedIPs = ["foobar", "foobar"]
-```
+You can configure Traefik to trust the forwarded headers information (`X-Forwarded-*`).
 
-```yaml tab="File (YAML)"
-entryPoints:
+??? info "`forwardedHeaders.trustedIPs`"
+    
+    Trusting Forwarded Headers from specific IPs.
 
-  EntryPoint0:
-    address: ":8888"
-    transport:
-      lifeCycle:
-        requestAcceptGraceTimeout: 42
-        graceTimeOut: 42
-      respondingTimeouts:
-        readTimeout: 42
-        writeTimeout: 42
-        idleTimeout: 42
-    proxyProtocol:
-      insecure: true
-      trustedIPs:
-      - "foobar"
-      - "foobar"
-    forwardedHeaders:
-      insecure: true
-      trustedIPs:
-      - "foobar"
-      - "foobar"
-```
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+    
+        [entryPoints.web.forwardedHeaders]
+          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        forwardedHeaders:
+          trustedIPs:
+            - "127.0.0.1/32"
+            - "192.168.1.7"
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7
+    ```
 
-```bash tab="CLI"
---entryPoints.EntryPoint0.address=:8888
---entryPoints.EntryPoint0.transport.lifeCycle.requestAcceptGraceTimeout=42
---entryPoints.EntryPoint0.transport.lifeCycle.graceTimeOut=42
---entryPoints.EntryPoint0.transport.respondingTimeouts.readTimeout=42
---entryPoints.EntryPoint0.transport.respondingTimeouts.writeTimeout=42
---entryPoints.EntryPoint0.transport.respondingTimeouts.idleTimeout=42
---entryPoints.EntryPoint0.proxyProtocol.insecure=true
---entryPoints.EntryPoint0.proxyProtocol.trustedIPs=foobar,foobar
---entryPoints.EntryPoint0.forwardedHeaders.insecure=true
---entryPoints.EntryPoint0.forwardedHeaders.trustedIPs=foobar,foobar
-```
+??? info "`forwardedHeaders.insecure`"
+    
+    Insecure Mode (Always Trusting Forwarded Headers).
 
-## ProxyProtocol
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+    
+        [entryPoints.web.forwardedHeaders]
+          insecure = true
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        forwardedHeaders:
+          insecure: true
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.forwardedHeaders.insecure
+    ```
+
+### Transport
+
+#### `respondingTimeouts`
+
+`respondingTimeouts` are timeouts for incoming requests to the Traefik instance.
+
+??? info "`transport.respondingTimeouts.readTimeout`"
+    
+    _Optional, Default=0s_
+    
+    `readTimeout` is the maximum duration for reading the entire request, including the body.  
+    
+    If zero, no timeout exists.  
+    Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+    If no units are provided, the value is parsed assuming seconds.
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.name]
+        address = ":8888"
+        [entryPoints.name.transport]
+          [entryPoints.name.transport.respondingTimeouts]
+            readTimeout = 42
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      name:
+        address: ":8888"
+        transport:
+          respondingTimeouts:
+            readTimeout: 42
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.name.address=:8888
+    --entryPoints.name.transport.respondingTimeouts.readTimeout=42
+    ```
+
+??? info "`transport.respondingTimeouts.writeTimeout`"
+    
+    _Optional, Default=0s_
+    
+    `writeTimeout` is the maximum duration before timing out writes of the response.
+      
+    It covers the time from the end of the request header read to the end of the response write.
+    If zero, no timeout exists.  
+    Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+    If no units are provided, the value is parsed assuming seconds.
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.name]
+        address = ":8888"
+        [entryPoints.name.transport]
+          [entryPoints.name.transport.respondingTimeouts]
+            writeTimeout = 42
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      name:
+        address: ":8888"
+        transport:
+          respondingTimeouts:
+            writeTimeout: 42
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.name.address=:8888
+    --entryPoints.name.transport.respondingTimeouts.writeTimeout=42
+    ```
+
+??? info "`transport.respondingTimeouts.idleTimeout`"
+    
+    _Optional, Default=180s_
+    
+    `idleTimeout` is the maximum duration an idle (keep-alive) connection will remain idle before closing itself.  
+    
+    If zero, no timeout exists.  
+    Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+    If no units are provided, the value is parsed assuming seconds.
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.name]
+        address = ":8888"
+        [entryPoints.name.transport]
+          [entryPoints.name.transport.respondingTimeouts]
+            idleTimeout = 42
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      name:
+        address: ":8888"
+        transport:
+          respondingTimeouts:
+            idleTimeout: 42
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.name.address=:8888
+    --entryPoints.name.transport.respondingTimeouts.idleTimeout=42
+    ```
+
+#### `lifeCycle`
+
+Controls the behavior of Traefik during the shutdown phase.
+
+??? info "`lifeCycle.requestAcceptGraceTimeout`"
+    
+    _Optional, Default=0s_
+    
+    Duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `graceTimeOut` option).
+    This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation.
+    
+    Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+    
+    If no units are provided, the value is parsed assuming seconds.
+    The zero duration disables the request accepting grace period, i.e., Traefik will immediately proceed to the grace period.
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.name]
+        address = ":8888"
+        [entryPoints.name.transport]
+          [entryPoints.name.transport.lifeCycle]
+            requestAcceptGraceTimeout = 42
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      name:
+        address: ":8888"
+        transport:
+          lifeCycle:
+            requestAcceptGraceTimeout: 42
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.name.address=:8888
+    --entryPoints.name.transport.lifeCycle.requestAcceptGraceTimeout=42
+    ```
+
+??? info "`lifeCycle.graceTimeOut`"
+    
+    _Optional, Default=10s_
+    
+    Duration to give active requests a chance to finish before Traefik stops.
+    
+    Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
+    
+    If no units are provided, the value is parsed assuming seconds.
+    
+    !!! warning "In this time frame no new requests are accepted."
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.name]
+        address = ":8888"
+        [entryPoints.name.transport]
+          [entryPoints.name.transport.lifeCycle]
+            graceTimeOut = 42
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      name:
+        address: ":8888"
+        transport:
+          lifeCycle:
+            graceTimeOut: 42
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.name.address=:8888
+    --entryPoints.name.transport.lifeCycle.graceTimeOut=42
+    ```
+
+### ProxyProtocol
 
 Traefik supports [ProxyProtocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2.
 
-If proxyprotocol header parsing is enabled for the entry point, this entry point can accept connections with or without proxyprotocol headers.
+If Proxy Protocol header parsing is enabled for the entry point, this entry point can accept connections with or without Proxy Protocol headers.
 
-If the proxyprotocol header is passed, then the version is determined automatically.
+If the Proxy Protocol header is passed, then the version is determined automatically.
 
-??? example "Enabling Proxy Protocol with Trusted IPs" 
+??? info "`proxyProtocol.trustedIPs`" 
+    
+    Enabling Proxy Protocol with Trusted IPs.
 
     ```toml tab="File (TOML)"
+    ## Static configuration
     [entryPoints]
       [entryPoints.web]
         address = ":80"
@@ -146,13 +415,14 @@ If the proxyprotocol header is passed, then the version is determined automatica
     ```
     
     ```yaml tab="File (YAML)"
+    ## Static configuration
     entryPoints:
       web:
         address: ":80"
-        proxyProtocol
+        proxyProtocol:
           trustedIPs:
-          - "127.0.0.1/32"
-          - "192.168.1.7"
+            - "127.0.0.1/32"
+            - "192.168.1.7"
     ```
     
     ```bash tab="CLI"
@@ -161,13 +431,16 @@ If the proxyprotocol header is passed, then the version is determined automatica
     ```
 
     IPs in `trustedIPs` only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.
-    
-??? example "Insecure Mode -- Testing Environment Only"
 
+??? info "`proxyProtocol.insecure`"
+
+    Insecure Mode (Testing Environment Only).
+    
     In a test environments, you can configure Traefik to trust every incoming connection.
     Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)
 
     ```toml tab="File (TOML)"
+    ## Static configuration
     [entryPoints]
       [entryPoints.web]
         address = ":80"
@@ -177,6 +450,7 @@ If the proxyprotocol header is passed, then the version is determined automatica
     ```
     
     ```yaml tab="File (YAML)"
+    ## Static configuration
     entryPoints:
       web:
         address: ":80"
@@ -193,57 +467,3 @@ If the proxyprotocol header is passed, then the version is determined automatica
 
     When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides.
     Not doing so could introduce a security risk in your system (enabling request forgery).
-
-## Forwarded Header
-
-You can configure Traefik to trust the forwarded headers information (`X-Forwarded-*`)
-
-??? example "Trusting Forwarded Headers from specific IPs"
-
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-        [entryPoints.web.forwardedHeaders]
-          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
-    ```
-    
-    ```yaml tab="File (YAML)"
-    entryPoints:
-      web:
-        address: ":80"
-        forwardedHeaders
-          trustedIPs:
-          - "127.0.0.1/32"
-          - "192.168.1.7"
-    ```
-    
-    ```bash tab="CLI"
-    --entryPoints.web.address=:80
-    --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7
-    ```
-
-??? example "Insecure Mode -- Always Trusting Forwarded Headers"
-
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-        [entryPoints.web.forwardedHeaders]
-          insecure = true
-    ```
-    
-    ```yaml tab="File (YAML)"
-    entryPoints:
-      web:
-        address: ":80"
-        forwardedHeaders:
-          insecure: true
-    ```
-    
-    ```bash tab="CLI"
-    --entryPoints.web.address=:80
-    --entryPoints.web.forwardedHeaders.insecure
-    ```

docs/content/routing/overview.md

@@ -112,19 +112,19 @@ http:
         - url: http://private/whoami-service
 ```
 
-!!! note "The File Provider"
+!!! info ""
 
     In this example, we use the [file provider](../providers/file.md).
     Even if it is one of the least magical way of configuring Traefik, it explicitly describes every available notion.
 
-!!! note "HTTP / TCP"
+!!! info "HTTP / TCP"
 
     In this example, we've defined routing rules for http requests only.
     Traefik also supports TCP requests. To add [TCP routers](./routers/index.md) and [TCP services](./services/index.md), declare them in a TCP section like in the following.
 
     ??? example "Adding a TCP route for TLS requests on whoami.traefik.io"
 
-        Static configuration:
+        **Static Configuration**
         
         ```toml tab="File (TOML)"
         [entryPoints]
@@ -157,7 +157,7 @@ http:
         --providers.file.filename=dynamic_conf.toml
         ```
         
-        Dynamic configuration:
+        **Dynamic Configuration**
 
         ```toml tab="TOML"
         # http routing section

docs/content/routing/providers/docker.md

@@ -0,0 +1,518 @@
+# Traefik & Docker
+
+A Story of Labels & Containers
+{: .subtitle }
+
+![Docker](../../assets/img/providers/docker.png)
+
+Attach labels to your containers and let Traefik do the rest!
+
+## Configuration Examples
+
+??? example "Configuring Docker & Deploying / Exposing Services"
+
+    Enabling the docker provider
+    
+    ```toml tab="File (TOML)"
+    [providers.docker]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker: {}
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker=true
+    ```
+
+    Attaching labels to containers (in your docker compose file)
+
+    ```yaml
+    version: "3"
+    services:
+      my-container:
+        # ...
+        labels:
+          - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+    ```
+
+??? example "Configuring Docker Swarm & Deploying / Exposing Services"
+
+    Enabling the docker provider (Swarm Mode)
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      # swarm classic (1.12-)
+      # endpoint = "tcp://127.0.0.1:2375"
+      # docker swarm mode (1.12+)
+      endpoint = "tcp://127.0.0.1:2377"
+      swarmMode = true
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        # swarm classic (1.12-)
+        # endpoint = "tcp://127.0.0.1:2375"
+        # docker swarm mode (1.12+)
+        endpoint: "tcp://127.0.0.1:2375"
+        swarmMode: true
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker.endpoint="tcp://127.0.0.1:2375"
+    --providers.docker.swarmMode=true
+    ```
+
+    Attach labels to services (not to containers) while in Swarm mode (in your docker compose file)
+
+    ```yaml
+    version: "3"
+    services:
+      my-container:
+        deploy:
+          labels:
+            - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+            - traefik.http.services.my-container-service.loadbalancer.server.port=8080
+    ```
+
+    !!! important "Labels in Docker Swarm Mode"
+        While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
+        Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service.
+        This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
+
+## Routing Configuration
+
+!!! info "Labels"
+    
+    - Labels are case insensitive.
+    - The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/docker.md).
+
+### General
+
+Traefik creates, for each container, a corresponding [service](../services/index.md) and [router](../routers/index.md).
+
+The Service automatically gets a server per instance of the container,
+and the router automatically gets a rule defined by `defaultRule` (if no rule for it was defined in labels).
+
+#### Service definition
+
+--8<-- "content/routing/providers/service-by-label.md"
+
+??? example "Automatic service assignment with labels"
+
+    With labels in a compose file
+
+    ```yaml
+    labels:
+      - "traefik.http.routers.myproxy.rule=Host(`foo.com`)"
+      # service myservice gets automatically assigned to router myproxy
+      - "traefik.http.services.myservice.loadbalancer.server.port=80"
+    ```
+
+??? example "Automatic service creation and assignment with labels"
+
+    With labels in a compose file
+
+    ```yaml
+    labels:
+      # no service specified or defined and yet one gets automatically created
+      # and assigned to router myproxy.
+      - "traefik.http.routers.myproxy.rule=Host(`foo.com`)"
+    ```
+
+### Routers
+
+To update the configuration of the Router automatically attached to the container,
+add labels starting with `traefik.http.routers.<name-of-your-choice>.` and followed by the option you want to change.
+
+For example, to change the rule, you could add the label ```traefik.http.routers.my-container.rule=Host(`mydomain.com`)```.
+
+??? info "`traefik.http.routers.<router_name>.rule`"
+    
+    See [rule](../routers/index.md#rule) for more information. 
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.rule=Host(`mydomain.com`)"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints) for more information. 
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.entrypoints=web,websecure"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.middlewares`"
+    
+    See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information. 
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.middlewares=auth,prefix,cb"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.service`"
+    
+    See [rule](../routers/index.md#service) for more information. 
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.service=myservice"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls`"
+    
+    See [tls](../routers/index.md#tls) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter>.tls=true"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.certresolver`"
+    
+    See [certResolver](../routers/index.md#certresolver) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.tls.certresolver=myresolver"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.domains[n].main`"
+    
+    See [domains](../routers/index.md#domains) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.tls.domains[0].main=foobar.com"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.domains[n].sans`"
+    
+    See [domains](../routers/index.md#domains) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.options`"
+    
+    See [options](../routers/index.md#options) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.tls.options=foobar"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.priority`"
+    
+    See [options](../routers/index.md#priority) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.priority=42"
+    ```
+
+### Services
+
+To update the configuration of the Service automatically attached to the container,
+add labels starting with `traefik.http.services.<name-of-your-choice>.`, followed by the option you want to change.
+
+For example, to change the `passHostHeader` behavior,
+you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.passhostheader=false`.
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port.
+    Useful when the container exposes multiples ports.
+    
+    Mandatory for Docker Swarm.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.server.port=8080"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.scheme`"
+    
+    Overrides the default scheme.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.server.scheme=http"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.passhostheader`"
+    <!-- TODO doc passHostHeader in services page -->
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.passhostheader=true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=foobar.com"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.interval`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.port=42"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky=true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
+    <!-- TODO doc responseforwarding in services page -->
+    
+    FlushInterval specifies the flush interval to flush to the client while copying the response body.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10"
+    ```
+
+### Middleware
+
+You can declare pieces of middleware using labels starting with `traefik.http.middlewares.<name-of-your-choice>.`,
+followed by the middleware type/options.
+
+For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`,
+you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme=https`.
+
+More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).
+
+??? example "Declaring and Referencing a Middleware"
+
+    ```yaml
+       services:
+         my-container:
+           # ...
+           labels:
+             # Declaring a middleware
+             - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
+             # Referencing a middleware
+             - traefik.http.routers.my-container.middlewares=my-redirect
+    ```
+
+!!! warning "Conflicts in Declaration"
+
+    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
+
+### TCP
+
+You can declare TCP Routers and/or Services using labels.
+
+??? example "Declaring TCP Routers and Services"
+
+    ```yaml
+       services:
+         my-container:
+           # ...
+           labels:
+             - "traefik.tcp.routers.my-router.rule=HostSNI(`my-host.com`)"
+             - "traefik.tcp.routers.my-router.tls=true"
+             - "traefik.tcp.services.my-service.loadbalancer.server.port=4123"
+    ```
+
+!!! warning "TCP and HTTP"
+
+    If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).
+    You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
+
+#### TCP Routers
+
+??? info "`traefik.tcp.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.rule`"
+    
+    See [rule](../routers/index.md#rule_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.rule=HostSNI(`myhost.com`)"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.service`"
+    
+    See [service](../routers/index.md#services) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.service=myservice"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls`"
+    
+    See [TLS](../routers/index.md#tls_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls=true"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.certresolver`"
+    
+    See [certResolver](../routers/index.md#certresolver_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].main`"
+    
+    See [domains](../routers/index.md#domains_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.domains[0].main=foobar.com"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].sans`"
+    
+    See [domains](../routers/index.md#domains_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.options`"
+    
+    See [options](../routers/index.md#options_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.options=mysoptions"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
+    
+    See [TLS](../routers/index.md#tls_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
+    ```
+
+#### TCP Services
+
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port of the application.
+    
+    ```yaml
+    - "traefik.tcp.services.mytcpservice.loadbalancer.server.port=423"
+    ```
+
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
+        
+    See [termination delay](../services/index.md#termination-delay) for more information.
+    
+    ```yaml
+    - "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
+    ```
+
+### Specific Provider Options
+
+#### `traefik.enable`
+
+```yaml
+- "traefik.enable=true"
+```
+
+You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
+
+This option overrides the value of `exposedByDefault`.
+
+#### `traefik.docker.network`
+
+```yaml
+- "traefik.docker.network=mynetwork"
+```
+
+Overrides the default docker network to use for connections to the container.
+
+If a container is linked to several networks, be sure to set the proper network name (you can check this with `docker inspect <container_id>`),
+otherwise it will randomly pick one (depending on how docker is returning them).
+
+!!! warning
+    When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`.
+
+#### `traefik.docker.lbswarm`
+
+```yaml
+- "traefik.docker.lbswarm=true"
+```
+
+Enables Swarm's inbuilt load balancer (only relevant in Swarm Mode).
+
+If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
+Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.

docs/content/routing/providers/kubernetes-crd.md

@@ -0,0 +1,205 @@
+# Traefik & Kubernetes
+
+The Kubernetes Ingress Controller, The Custom Resource Way.
+{: .subtitle }
+
+## Resource Configuration
+
+If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../../reference/dynamic-configuration/kubernetes-crd.md) reference.
+
+### Traefik IngressRoute definition
+
+```yaml
+--8<-- "content/routing/providers/crd_ingress_route.yml"
+```
+
+That `IngressRoute` kind can then be used to define an `IngressRoute` object, such as in:
+
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroutefoo
+
+spec:
+  entryPoints:
+    - web
+  routes:
+  # Match is the rule corresponding to an underlying router.
+  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+  # but for now we only support a traefik style matching rule.
+  - match: Host(`foo.com`) && PathPrefix(`/bar`)
+    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+    # "Parameter", etc, to support simpler forms of rule matching, but for now we
+    # only support "Rule".
+    kind: Rule
+    # (optional) Priority disambiguates rules of the same length, for route matching.
+    priority: 12
+    services:
+    - name: whoami
+      port: 80
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1
+      # (default true) PassHostHeader controls whether to leave the request's Host
+      # Header as it was before it reached the proxy, or whether to let the proxy set it
+      # to the destination (backend) host.
+      passHostHeader: true
+      responseForwarding:
+        # (default 100ms) Interval between flushes of the buffered response body to the client.
+        flushInterval: 100ms
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ingressroutetcpfoo.crd
+
+spec:
+  entryPoints:
+    - footcp
+  routes:
+  # Match is the rule corresponding to an underlying router.
+  - match: HostSNI(`*`)
+    services:
+    - name: whoamitcp
+      port: 8080
+```
+
+### Middleware
+
+Additionally, to allow for the use of middlewares in an `IngressRoute`, we defined the CRD below for the `Middleware` kind.
+
+```yaml
+--8<-- "content/routing/providers/crd_middlewares.yml"
+```
+
+Once the `Middleware` kind has been registered with the Kubernetes cluster, it can then be used in `IngressRoute` definitions, such as:
+
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: stripprefix
+  namespace: foo
+
+spec:
+  stripPrefix:
+    prefixes:
+      - /stripit
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroutebar
+
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`bar.com`) && PathPrefix(`/stripit`)
+    kind: Rule
+    services:
+    - name: whoami
+      port: 80
+    middlewares:
+    - name: stripprefix
+      namespace: foo
+```
+
+!!! important "Cross-provider namespace"
+
+	As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource
+	(in the reference to the middleware) with the [provider namespace](../../middlewares/overview.md#provider-namespace),
+	when the definition of the middleware is from another provider.
+	In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored.
+
+More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).
+
+### TLS Option
+
+Additionally, to allow for the use of TLS options in an IngressRoute, we defined the CRD below for the TLSOption kind.
+More information about TLS Options is available in the dedicated [TLS Configuration Options](../../../https/tls/#tls-options).
+
+```yaml
+--8<-- "content/routing/providers/crd_tls_option.yml"
+```
+
+Once the TLSOption kind has been registered with the Kubernetes cluster or defined in the File Provider, it can then be used in IngressRoute definitions, such as:
+
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: mytlsoption
+  namespace: default
+
+spec:
+  minVersion: VersionTLS12
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroutebar
+
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`bar.com`) && PathPrefix(`/stripit`)
+    kind: Rule
+    services:
+    - name: whoami
+      port: 80
+  tls:
+    options: 
+      name: mytlsoption
+      namespace: default
+```
+
+!!! important "References and namespaces"
+
+    If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
+
+	Additionally, when the definition of the TLS option is from another provider,
+	the cross-provider syntax (`middlewarename@provider`) should be used to refer to the TLS option,
+	just as in the [middleware case](../../middlewares/overview.md#provider-namespace).
+	Specifying a namespace attribute in this case would not make any sense, and will be ignored.
+
+### TLS
+
+To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supersecret
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroutetls
+
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`foo.com`) && PathPrefix(`/bar`)
+    kind: Rule
+    services:
+    - name: whoami
+      port: 443
+  tls:
+    secretName: supersecret
+```
+
+## Further
+
+Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.

docs/content/routing/providers/marathon.md

@@ -0,0 +1,419 @@
+# Traefik & Marathon
+
+Traefik can be configured to use Marathon as a provider.
+{: .subtitle }
+
+See also [Marathon user guide](../../user-guides/marathon.md).
+
+## Routing Configuration
+
+!!! info "Labels"
+    
+    - Labels are case insensitive.
+    - The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/marathon.md).
+
+### General
+
+Traefik creates, for each Marathon application, a corresponding [service](../services/index.md) and [router](../routers/index.md).
+
+The Service automatically gets a server per instance of the application,
+and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).
+
+#### Service definition
+
+--8<-- "content/routing/providers/service-by-label.md"
+
+??? example "Automatic service assignment with labels"
+
+    Service myservice gets automatically assigned to router myproxy.
+
+    ```json
+    labels: {
+      "traefik.http.routers.myproxy.rule": "Host(`foo.com`)",
+      "traefik.http.services.myservice.loadbalancer.server.port": "80"
+    }
+    ```
+
+??? example "Automatic service creation and assignment with labels"
+
+    No service specified or defined, and yet one gets automatically created.
+    and assigned to router myproxy.
+
+    ```json
+    labels: {
+      "traefik.http.routers.myproxy.rule": "Host(`foo.com`)"
+	}
+    ```
+
+### Routers
+
+To update the configuration of the Router automatically attached to the application,
+add labels starting with `traefik.http.routers.{router-name-of-your-choice}.` and followed by the option you want to change.
+
+For example, to change the routing rule, you could add the label ```"traefik.http.routers.routername.rule": "Host(`mydomain.com`)"```.
+
+??? info "`traefik.http.routers.<router_name>.rule`"
+    
+    See [rule](../routers/index.md#rule) for more information. 
+    
+    ```json
+    "traefik.http.routers.myrouter.rule": "Host(`mydomain.com`)"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints) for more information. 
+    
+    ```json
+    "traefik.http.routers.myrouter.entrypoints": "web,websecure"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.middlewares`"
+    
+    See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information. 
+    
+    ```json
+    "traefik.http.routers.myrouter.middlewares": "auth,prefix,cb"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.service`"
+    
+    See [rule](../routers/index.md#service) for more information. 
+    
+    ```json
+    "traefik.http.routers.myrouter.service": "myservice"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls`"
+    
+    See [tls](../routers/index.md#tls) for more information.
+    
+    ```json
+    "traefik.http.routers.myrouter>.tls": "true"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.certresolver`"
+    
+    See [certResolver](../routers/index.md#certresolver) for more information.
+    
+    ```json
+    "traefik.http.routers.myrouter.tls.certresolver": "myresolver"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.domains[n].main`"
+    
+    See [domains](../routers/index.md#domains) for more information.
+    
+    ```json
+    "traefik.http.routers.myrouter.tls.domains[0].main": "foobar.com"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.domains[n].sans`"
+    
+    See [domains](../routers/index.md#domains) for more information.
+    
+    ```json
+    "traefik.http.routers.myrouter.tls.domains[0].sans": "test.foobar.com,dev.foobar.com"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.options`"
+    
+    See [options](../routers/index.md#options) for more information.
+    
+    ```json
+    "traefik.http.routers.myrouter.tls.options": "foobar"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.priority`"
+    
+    See [options](../routers/index.md#priority) for more information.
+    
+    ```json
+    "traefik.http.routers.myrouter.priority": "42"
+    ```
+
+### Services
+
+To update the configuration of the Service automatically attached to the container,
+add labels starting with `traefik.http.services.{service-name-of-your-choice}.`, followed by the option you want to change.
+
+For example, to change the passHostHeader behavior, you'd add the label `"traefik.http.services.servicename.loadbalancer.passhostheader": "false"`.
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port.
+    Useful when the container exposes multiples ports.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.server.port": "8080"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.scheme`"
+    
+    Overrides the default scheme.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.server.scheme": "http"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.passhostheader`"
+    <!-- TODO doc passHostHeader in services page -->
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.passhostheader": "true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo": "foobar"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.hostname": "foobar.com"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.interval`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.interval": "10"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.path": "/foo"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.port": "42"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.scheme": "http"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.timeout": "10"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.sticky": "true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly": "true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.sticky.cookie.name": "foobar"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure": "true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
+    <!-- TODO doc responseforwarding in services page -->
+    
+    FlushInterval specifies the flush interval to flush to the client while copying the response body.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval": "10"
+    ```
+
+### Middleware
+
+You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
+
+For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `"traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https"`.
+
+More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).
+
+??? example "Declaring and Referencing a Middleware"
+
+    ```json
+	{
+		...
+		"labels": {
+			"traefik.http.middlewares.my-redirect.redirectscheme.scheme": "https",
+			"traefik.http.routers.my-container.middlewares": "my-redirect"
+		}
+	}
+    ```
+
+!!! warning "Conflicts in Declaration"
+
+    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
+
+### TCP
+
+You can declare TCP Routers and/or Services using labels.
+
+??? example "Declaring TCP Routers and Services"
+
+    ```json
+	{
+		...
+		"labels": {
+			"traefik.tcp.routers.my-router.rule": "HostSNI(`my-host.com`)",
+			"traefik.tcp.routers.my-router.tls": "true",
+			"traefik.tcp.services.my-service.loadbalancer.server.port": "4123"
+		}
+	}
+    ```
+
+!!! warning "TCP and HTTP"
+
+    If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).
+    You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
+
+#### TCP Routers
+
+??? info "`traefik.tcp.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints_1) for more information.
+    
+     ```json
+     "traefik.tcp.routers.mytcprouter.entrypoints": "ep1,ep2"
+     ```
+
+
+??? info "`traefik.tcp.routers.<router_name>.rule`"
+    
+    See [rule](../routers/index.md#rule_1) for more information.
+    
+    ```json
+    "traefik.tcp.routers.mytcprouter.rule": "HostSNI(`myhost.com`)"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.service`"
+    
+    See [service](../routers/index.md#services) for more information.
+    
+    ```json
+    "traefik.tcp.routers.mytcprouter.service": "myservice"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls`"
+    
+    See [TLS](../routers/index.md#tls_1) for more information.
+    
+    ```json
+    "traefik.tcp.routers.mytcprouter.tls": "true
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.certresolver`"
+    
+    See [certResolver](../routers/index.md#certresolver_1) for more information.
+    
+    ```json
+    "traefik.tcp.routers.mytcprouter.tls.certresolver": "myresolver"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].main`"
+    
+    See [domains](../routers/index.md#domains_1) for more information.
+    
+    ```json
+    "traefik.tcp.routers.mytcprouter.tls.domains[0].main": "foobar.com"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].sans`"
+    
+    See [domains](../routers/index.md#domains_1) for more information.
+    
+    ```json
+    "traefik.tcp.routers.mytcprouter.tls.domains[0].sans": "test.foobar.com,dev.foobar.com"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.options`"
+    
+    See [options](../routers/index.md#options_1) for more information.
+    
+    ```json
+    "traefik.tcp.routers.mytcprouter.tls.options": "mysoptions"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
+    
+    See [TLS](../routers/index.md#tls_1) for more information.
+    
+    ```json
+    "traefik.tcp.routers.mytcprouter.tls.passthrough": "true"
+    ```
+
+#### TCP Services
+
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port of the application.
+    
+    ```json
+    "traefik.tcp.services.mytcpservice.loadbalancer.server.port": "423"
+    ```
+
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
+        
+    See [termination delay](../services/index.md#termination-delay) for more information.
+    
+    ```json
+    "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay": "100"
+    ```
+
+### Specific Provider Options
+
+#### `traefik.enable`
+
+```json
+"traefik.enable": "true"
+```
+
+Setting this option controls whether Traefik exposes the application.
+It overrides the value of `exposedByDefault`.
+
+#### `traefik.marathon.ipadressidx`
+
+```json
+"traefik.marathon.ipadressidx": "1"
+```
+
+If a task has several IP addresses, this option specifies which one, in the list of available addresses, to select.

docs/content/routing/providers/rancher.md

@@ -0,0 +1,420 @@
+# Traefik & Rancher
+
+A Story of Labels, Services & Containers
+{: .subtitle }
+
+![Rancher](../../assets/img/providers/rancher.png)
+
+Attach labels to your services and let Traefik do the rest!
+
+!!! important "This provider is specific to Rancher 1.x."
+    
+    Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
+    As such, Rancher 2.x users should utilize the [Kubernetes provider](./kubernetes-crd.md) directly.
+
+## Routing Configuration
+
+!!! info "Labels"
+    
+    - Labels are case insensitive.
+    - The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/rancher.md).
+
+### General
+
+Traefik creates, for each rancher service, a corresponding [service](../services/index.md) and [router](../routers/index.md).
+
+The Service automatically gets a server per container in this rancher service, and the router gets a default rule attached to it, based on the service name.
+
+#### Service definition
+
+--8<-- "content/routing/providers/service-by-label.md"
+
+??? example "Automatic service assignment with labels"
+
+    With labels in a compose file
+
+    ```yaml
+    labels:
+      - "traefik.http.routers.myproxy.rule=Host(`foo.com`)"
+      # service myservice gets automatically assigned to router myproxy
+      - "traefik.http.services.myservice.loadbalancer.server.port=80"
+    ```
+
+??? example "Automatic service creation and assignment with labels"
+
+    With labels in a compose file
+
+    ```yaml
+    labels:
+      # no service specified or defined and yet one gets automatically created
+      # and assigned to router myproxy.
+      - "traefik.http.routers.myproxy.rule=Host(`foo.com`)"
+    ```
+
+### Routers
+
+To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change.
+
+For example, to change the rule, you could add the label ```traefik.http.routers.my-container.rule=Host(`mydomain.com`)```.
+
+??? info "`traefik.http.routers.<router_name>.rule`"
+    
+    See [rule](../routers/index.md#rule) for more information. 
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.rule=Host(`mydomain.com`)"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints) for more information. 
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.entrypoints=web,websecure"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.middlewares`"
+    
+    See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information. 
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.middlewares=auth,prefix,cb"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.service`"
+    
+    See [rule](../routers/index.md#service) for more information. 
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.service=myservice"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls`"
+    
+    See [tls](../routers/index.md#tls) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter>.tls=true"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.certresolver`"
+    
+    See [certResolver](../routers/index.md#certresolver) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.tls.certresolver=myresolver"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.domains[n].main`"
+    
+    See [domains](../routers/index.md#domains) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.tls.domains[0].main=foobar.com"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.domains[n].sans`"
+    
+    See [domains](../routers/index.md#domains) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.tls.options`"
+    
+    See [options](../routers/index.md#options) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.tls.options=foobar"
+    ```
+
+??? info "`traefik.http.routers.<router_name>.priority`"
+    
+    See [options](../routers/index.md#priority) for more information.
+    
+    ```yaml
+    - "traefik.http.routers.myrouter.priority=42"
+    ```
+
+### Services
+
+To update the configuration of the Service automatically attached to the container,
+add labels starting with `traefik.http.services.{name-of-your-choice}.`, followed by the option you want to change.
+
+For example, to change the `passHostHeader` behavior,
+you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false`.
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port.
+    Useful when the container exposes multiples ports.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.server.port=8080"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.scheme`"
+    
+    Overrides the default scheme.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.server.scheme=http"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.passhostheader`"
+    <!-- TODO doc passHostHeader in services page -->
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.passhostheader=true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=foobar.com"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.interval`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.port=42"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky=true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
+    <!-- TODO doc responseforwarding in services page -->
+    
+    FlushInterval specifies the flush interval to flush to the client while copying the response body.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10"
+    ```
+
+### Middleware
+
+You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
+
+For example, to declare a middleware [`redirectscheme`](../../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
+
+More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).
+
+??? example "Declaring and Referencing a Middleware"
+    
+    ```yaml
+    # ...
+    labels:
+      # Declaring a middleware
+      - traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
+      # Referencing a middleware
+      - traefik.http.routers.my-container.middlewares=my-redirect
+    ```
+
+!!! warning "Conflicts in Declaration"
+
+    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
+
+### TCP
+
+You can declare TCP Routers and/or Services using labels.
+
+??? example "Declaring TCP Routers and Services"
+
+    ```yaml
+       services:
+         my-container:
+           # ...
+           labels:
+             - "traefik.tcp.routers.my-router.rule=HostSNI(`my-host.com`)"
+             - "traefik.tcp.routers.my-router.tls=true"
+             - "traefik.tcp.services.my-service.loadbalancer.server.port=4123"
+    ```
+
+!!! warning "TCP and HTTP"
+
+    If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined).
+    You can declare both a TCP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
+
+#### TCP Routers
+
+??? info "`traefik.tcp.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.rule`"
+    
+    See [rule](../routers/index.md#rule_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.rule=HostSNI(`myhost.com`)"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.service`"
+    
+    See [service](../routers/index.md#services) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.service=myservice"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls`"
+    
+    See [TLS](../routers/index.md#tls_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls=true"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.certresolver`"
+    
+    See [certResolver](../routers/index.md#certresolver_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].main`"
+    
+    See [domains](../routers/index.md#domains_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.domains[0].main=foobar.com"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].sans`"
+    
+    See [domains](../routers/index.md#domains_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.options`"
+    
+    See [options](../routers/index.md#options_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.options=mysoptions"
+    ```
+
+??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
+    
+    See [TLS](../routers/index.md#tls_1) for more information.
+    
+    ```yaml
+    - "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
+    ```
+
+#### TCP Services
+
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port of the application.
+    
+    ```yaml
+    - "traefik.tcp.services.mytcpservice.loadbalancer.server.port=423"
+    ```
+
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.terminationdelay`"
+        
+    See [termination delay](../services/index.md#termination-delay) for more information.
+    
+    ```yaml
+    - "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
+    ```
+
+### Specific Provider Options
+
+#### `traefik.enable`
+
+```yaml
+- "traefik.enable=true"
+```
+
+You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
+
+This option overrides the value of `exposedByDefault`.
+
+#### Port Lookup
+
+Traefik is capable of detecting the port to use, by following the default rancher flow.
+That means, if you just expose lets say port `:1337` on the rancher ui, traefik will pick up this port and use it.

docs/content/routing/providers/service-by-label.md

@@ -0,0 +1,16 @@
+In general when configuring a Traefik provider,
+a service assigned to one (or several) router(s) must be defined as well for the routing to be functional.
+
+There are, however, exceptions when using label-based configurations:
+
+1. If a label defines a router (e.g. through a router Rule)
+and a label defines a service (e.g. implicitly through a loadbalancer server port value),
+but the router does not specify any service,
+then that service is automatically assigned to the router.
+1. If a label defines a router (e.g. through a router Rule)
+but no service is defined, then a service is automatically created
+and assigned to the router.
+
+!!! info ""
+    As one would expect, in either of these cases, if in addition a service is specified for the router,
+    then that service is the one assigned, regardless of whether it actually is defined or whatever else other services are defined.

docs/content/routing/routers/index.md

@@ -13,84 +13,74 @@ In the process, routers may use pieces of [middleware](../../middlewares/overvie
 ??? example "Requests /foo are Handled by service-foo -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
-      [http.routers]
-        [http.routers.my-router]
-          rule = "Path(`/foo`)"
-          service = "service-foo"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.my-router]
+        rule = "Path(`/foo`)"
+        service = "service-foo"
     ```
 
     ```yaml tab="YAML"
-      http:
-        routers:
-          my-router:
-            rule: "Path(`/foo`)"
-            service: service-foo
-    ```
-
-??? example "With a [middleware](../../middlewares/overview.md) -- using the [File Provider](../../providers/file.md)"
-
-    ```toml tab="TOML"
-      [http.routers]
-        [http.routers.my-router]
-          rule = "Path(`/foo`)"
-          # declared elsewhere
-          middlewares = ["authentication"]
-          service = "service-foo"
-    ```
-
-    ```yaml tab="YAML"
-      http:
-        routers:
-          my-router:
-            rule: "Path(`/foo`)"
-            # declared elsewhere
-            middlewares:
-            - authentication
-            service: service-foo
+    ## Dynamic configuration
+    http:
+      routers:
+        my-router:
+          rule: "Path(`/foo`)"
+          service: service-foo
     ```
 
 ??? example "Forwarding all (non-tls) requests on port 3306 to a database service"
     
-    ```toml tab="TOML"
-    ## Static configuration ##
-    
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-      [entryPoints.mysql-default]
-        address = ":3306"   
-    
-    ## Dynamic configuration ##
+    **Dynamic Configuration**
     
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [tcp]
       [tcp.routers]
         [tcp.routers.to-database]
-          entryPoints = ["mysql-default"]
+          entryPoints = ["mysql"]
           # Catch every request (only available rule for non-tls routers. See below.)
           rule = "HostSNI(`*`)"
           service = "database"
     ```
     
-    ```yaml tab="YAML"
-    ## Static configuration ##
-    
-    entryPoints:
-      web:
-        address: ":80"
-      mysql-default:
-        address: ":3306"   
-    
-    ## Dynamic configuration ##
-    
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     tcp:
       routers:
         to-database:
           entryPoints:
-          - "mysql-default"
+            - "mysql"
           # Catch every request (only available rule for non-tls routers. See below.)
           rule: "HostSNI(`*`)"
           service: database
     ```
+    
+    **Static Configuration**
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      [entryPoints.mysql]
+        address = ":3306"   
+    ```
+     
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+      mysql:
+        address: ":3306"   
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=":80"
+    --entryPoints.mysql.address=":3306"   
+    ```
 
 ## Configuring HTTP Routers
 
@@ -101,20 +91,10 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
 
 ??? example "Listens to Every EntryPoint"
     
-    ```toml tab="TOML"
-    ## Static configuration ##
+    **Dynamic Configuration**
     
-    [entryPoints]
-      [entryPoints.web]
-        # ...
-      [entryPoints.web-secure]
-        # ...
-      [entryPoints.other]
-        # ...
-    
-    
-    ## Dynamic configuration ##
-        
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [http.routers]
       [http.routers.Router-1]
         # By default, routers listen to every entry points
@@ -122,19 +102,8 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
         service = "service-1"
     ```
     
-    ```yaml tab="YAML"
-    ## Static configuration ##
-    
-    entryPoints:
-      web:
-        # ...
-      web-secure:
-        # ...
-      other:
-        # ...
-    
-    ## Dynamic configuration ##
-        
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     http:
       routers:
         Router-1:
@@ -142,66 +111,108 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
           rule: "Host(`traefik.io`)"
           service: "service-1"
     ```
+    
+    **Static Configuration**
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      [entryPoints.websecure]
+        address = ":443"
+      [entryPoints.other]
+        address = ":9090"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+      websecure:
+        address: ":443"
+      other:
+        address: ":9090"
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entrypoints.web.address=":80"
+    --entrypoints.websecure.address=":443"
+    --entrypoints.other.address=":9090"
+    ```
 
 ??? example "Listens to Specific EntryPoints"
     
-    ```toml tab="TOML"
-    ## Static configuration ##
-    
-    [entryPoints]
-      [entryPoints.web]
-        # ...
-      [entryPoints.web-secure]
-        # ...
-      [entryPoints.other]
-        # ...
-        
-    ## Dynamic configuration ##
+    **Dynamic Configuration**
     
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [http.routers]
       [http.routers.Router-1]
         # won't listen to entry point web
-        entryPoints = ["web-secure", "other"]
+        entryPoints = ["websecure", "other"]
         rule = "Host(`traefik.io`)"
         service = "service-1"
     ```
     
-    ```yaml tab="YAML"
-    ## Static configuration ##
-    
-    entryPoints:
-      web:
-        # ...
-      web-secure:
-        # ...
-      other:
-        # ...
-        
-    ## Dynamic configuration ##
-    
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     http:
       routers:
         Router-1:
           # won't listen to entry point web
           entryPoints:
-          - "web-secure"
-          - "other"
+            - "websecure"
+            - "other"
           rule: "Host(`traefik.io`)"
           service: "service-1"
     ```
 
+    **Static Configuration**
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      [entryPoints.websecure]
+        address = ":443"
+      [entryPoints.other]
+        address = ":9090"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+      websecure:
+        address: ":443"
+      other:
+        address: ":9090"
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entrypoints.web.address=":80"
+    --entrypoints.websecure.address=":443"
+    --entrypoints.other.address=":9090"
+    ```
+
 ### Rule
 
 Rules are a set of matchers that determine if a particular request matches specific criteria.
 If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.
 
-??? example "Host is traefik.io"
+!!! example "Host is traefik.io"
 
     ```toml
     rule = "Host(`traefik.io`)"
     ```
 
-??? example "Host is traefik.io OR Host is containo.us AND path is /traefik"
+!!! example "Host is traefik.io OR Host is containo.us AND path is /traefik"
 
     ```toml
     rule = "Host(`traefik.io`) || (Host(`containo.us`) && Path(`/traefik`))"
@@ -226,7 +237,7 @@ The table below lists all the available matchers:
     you must declare an arbitrarily named variable followed by the colon-separated regular expression, all enclosed in curly braces.
     Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `/posts/{id:[0-9]+}`).
 
-!!! tip "Combining Matchers Using Operators and Parenthesis"
+!!! info "Combining Matchers Using Operators and Parenthesis"
 
     You can combine multiple matchers using the AND (`&&`) and OR (`||`) operators. You can also use parenthesis.
 
@@ -234,7 +245,7 @@ The table below lists all the available matchers:
 
     The rule is evaluated "before" any middleware has the opportunity to work, and "before" the request is forwarded to the service.
 
-!!! tip "Path Vs PathPrefix"
+!!! info "Path Vs PathPrefix"
 
     Use `Path` if your service listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`.
 
@@ -242,19 +253,130 @@ The table below lists all the available matchers:
     For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
     Since the path is forwarded as-is, your service is expected to listen on `/products`.
 
+### Priority
+
+To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority.
+
+A value of `0` for the priority is ignored: `priority = 0` means that the default rules length sorting is used.
+
+??? info "How default priorities are computed"
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.Router-1]
+        rule = "HostRegexp(`.*\.traefik\.com`)"
+        # ...
+      [http.routers.Router-2]
+        rule = "Host(`foobar.traefik.com`)"
+        # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        Router-1:
+          rule: "HostRegexp(`.*\.traefik\.com`)"
+          # ...
+        Router-2:
+          rule: "Host(`foobar.traefik.com`)"
+          # ...
+    ```
+    
+    In this case, all requests with host `foobar.traefik.com` will be routed through `Router-1` instead of `Router-2`.
+    
+    | Name     | Rule                                 | Priority |
+    |----------|--------------------------------------|----------|
+    | Router-1 | ```HostRegexp(`.*\.traefik\.com`)``` | 30       |
+    | Router-2 | ```Host(`foobar.traefik.com`)```     | 26       |
+    
+    The previous table shows that `Router-1` has a higher priority than `Router-2`.
+    
+    To solve this issue, the priority must be setted.
+
+??? example "Set priorities -- using the [File Provider](../../providers/file.md)"
+    
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.Router-1]
+        rule = "HostRegexp(`.*\.traefik\.com`)"
+        entryPoints = ["web"]
+        service = "service-1"
+        priority = 1
+      [http.routers.Router-2]
+        rule = "Host(`foobar.traefik.com`)"
+        entryPoints = ["web"]
+        priority = 2
+        service = "service-2"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        Router-1:
+          rule: "HostRegexp(`.*\.traefik\.com`)"
+          entryPoints:
+          - "web"
+          service: service-1
+          priority: 1
+        Router-2:
+          rule: "Host(`foobar.traefik.com`)"
+          entryPoints:
+          - "web"
+          priority: 2
+          service: service-2
+    ```
+
+    In this configuration, the priority is configured to allow `Router-2` to handle requests with the `foobar.traefik.com` host.
+
 ### Middlewares
 
 You can attach a list of [middlewares](../../middlewares/overview.md) to each HTTP router.
 The middlewares will take effect only if the rule matches, and before forwarding the request to the service.
 
+!!! tip "Middlewares order"
+    
+    Middlewares are applied in the same order as their declaration in **router**.
+
+??? example "With a [middleware](../../middlewares/overview.md) -- using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.my-router]
+        rule = "Path(`/foo`)"
+        # declared elsewhere
+        middlewares = ["authentication"]
+        service = "service-foo"
+    ```
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    http:
+      routers:
+        my-router:
+          rule: "Path(`/foo`)"
+          # declared elsewhere
+          middlewares:
+          - authentication
+          service: service-foo
+    ```
+
 ### Service
 
-You must attach a [service](../services/index.md) per router.
-Services are the target for the router.
+Each request must eventually be handled by a [service](../services/index.md),
+which is why each router definition should include a service target,
+which is basically where the request will be passed along to.
 
-!!! note "HTTP Only"
+In general, a service assigned to a router should have been defined,
+but there are exceptions for label-based providers.
+See the specific [docker](../providers/docker.md#service-definition), [rancher](../providers/rancher.md#service-definition),
+or [marathon](../providers/marathon.md#service-definition) documentation.
 
-    HTTP routers can only target HTTP services (not TCP services).
+!!! important "HTTP routers can only target HTTP services (not TCP services)."
 
 ### TLS
 
@@ -265,7 +387,8 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
 
 ??? example "Configuring the router to accept HTTPS requests only"
 
-    ```toml tab="TOML"
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [http.routers]
       [http.routers.Router-1]
         rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
@@ -274,7 +397,8 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
         [http.routers.Router-1.tls]
     ```
     
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     http:
       routers:
         Router-1:
@@ -284,17 +408,19 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
           tls: {}
     ```
 
-!!! note "HTTPS & ACME"
+!!! info "HTTPS & ACME"
 
     In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.
 
 !!! important "Routers for HTTP & HTTPS"
 
-    If you need to define the same route for both HTTP and HTTPS requests, you will need to define two different routers: one with the tls section, one without.
+    If you need to define the same route for both HTTP and HTTPS requests, you will need to define two different routers:
+    one with the tls section, one without.
 
     ??? example "HTTP & HTTPS routes"
 
-        ```toml tab="TOML"
+        ```toml tab="File (TOML)"
+        ## Dynamic configuration
         [http.routers]
           [http.routers.my-https-router]
             rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
@@ -307,7 +433,8 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
             service = "service-id"
         ```
 
-        ```yaml tab="YAML"
+        ```yaml tab="File (YAML)"
+        ## Dynamic configuration
         http:
           routers:
             my-https-router:
@@ -326,15 +453,20 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted
 The `options` field enables fine-grained control of the TLS parameters.
 It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
 
-!!! note "Server Name Association"
+!!! info "Server Name Association"
 
-    Even though one might get the impression that a TLS options reference is mapped to a router, or a router rule, one should realize that it is actually mapped only to the host name found in the `Host` part of the rule. Of course, there could also be several `Host` parts in a rule, in which case the TLS options reference would be mapped to as many host names.
+    Even though one might get the impression that a TLS options reference is mapped to a router, or a router rule,
+    one should realize that it is actually mapped only to the host name found in the `Host` part of the rule.
+    Of course, there could also be several `Host` parts in a rule, in which case the TLS options reference would be mapped to as many host names.
 
-    Another thing to keep in mind is: the TLS option is picked from the mapping mentioned above and based on the server name provided during the TLS handshake, and it all happens before routing actually occurs.
+    Another thing to keep in mind is:
+    the TLS option is picked from the mapping mentioned above and based on the server name provided during the TLS handshake,
+    and it all happens before routing actually occurs.
 
 ??? example "Configuring the TLS options"
 
-    ```toml tab="TOML"
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [http.routers]
       [http.routers.Router-1]
         rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
@@ -352,7 +484,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
         ]
     ```
     
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     http:
       routers:
         Router-1:
@@ -367,15 +500,18 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
         foo:
           minVersion: VersionTLS12
           cipherSuites:
-          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-          - TLS_RSA_WITH_AES_256_GCM_SHA384
+            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+            - TLS_RSA_WITH_AES_256_GCM_SHA384
     ```
 
 !!! important "Conflicting TLS Options"
 
-    Since a TLS options reference is mapped to a host name, if a configuration introduces a situation where the same host name (from a `Host` rule) gets matched with two TLS options references, a conflict occurs, such as in the example below:
+    Since a TLS options reference is mapped to a host name,
+    if a configuration introduces a situation where the same host name (from a `Host` rule) gets matched with two TLS options references,
+    a conflict occurs, such as in the example below:
 
-    ```toml tab="TOML"
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [http.routers]
       [http.routers.routerfoo]
         rule = "Host(`snitest.com`) && Path(`/foo`)"
@@ -389,7 +525,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
           options = "bar"
     ```
 
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     http:
       routers:
         routerfoo:
@@ -409,7 +546,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
 
 If `certResolver` is defined, Traefik will try to generate certificates based on routers `Host` & `HostSNI` rules.
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+## Dynamic configuration
 [http.routers]
   [http.routers.routerfoo]
     rule = "Host(`snitest.com`) && Path(`/foo`)"
@@ -417,7 +555,8 @@ If `certResolver` is defined, Traefik will try to generate certificates based on
       certResolver = "foo"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+## Dynamic configuration
 http:
   routers:
     routerfoo:
@@ -426,8 +565,8 @@ http:
         certResolver: foo
 ```
 
-!!! note "Multiple Hosts in a Rule"
-    The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
+!!! info "Multiple Hosts in a Rule"
+    The rule ```Host(`test1.traefik.io`,`test2.traefik.io`)``` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
 
 #### `domains`
 
@@ -435,7 +574,8 @@ You can set SANs (alternative domains) for each main domain.
 Every domain must have A/AAAA records pointing to Traefik.
 Each domain & SAN will lead to a certificate request.
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+## Dynamic configuration
 [http.routers]
   [http.routers.routerbar]
     rule = "Host(`snitest.com`) && Path(`/bar`)"
@@ -443,10 +583,11 @@ Each domain & SAN will lead to a certificate request.
       certResolver = "bar"
       [[http.routers.routerbar.tls.domains]]
         main = "snitest.com"
-        sans = "*.snitest.com"
+        sans = ["*.snitest.com"]
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+## Dynamic configuration
 http:
   routers:
     routerbar:
@@ -454,8 +595,8 @@ http:
       tls:
         certResolver: "bar"
         domains:
-        - main: "snitest.com"
-          sans: "*.snitest.com"
+          - main: "snitest.com"
+            sans: "*.snitest.com"
 ```
 
 [ACME v2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
@@ -466,13 +607,12 @@ In this case the generated DNS TXT record for both domains is the same.
 Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
 it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
 
-The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
-The [Supported `provider` table](../../https/acme.md#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
+The Traefik ACME client library [lego](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
+The [supported `provider` table](../../https/acme.md#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
 
-!!! note
-    Wildcard certificates can only be verified through a [`DNS-01` challenge](../../https/acme.md#dnschallenge).
+!!! important "Wildcard certificates can only be verified through a [`DNS-01` challenge](../../https/acme.md#dnschallenge)."
 
-!!! note "Double Wildcard Certificates"
+!!! warning "Double Wildcard Certificates"
     It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
 
 ## Configuring TCP Routers
@@ -488,19 +628,11 @@ If not specified, TCP routers will accept requests from all defined entry points
 If you want to limit the router scope to a set of entry points, set the entry points option.
 
 ??? example "Listens to Every Entry Point"
+    
+    **Dynamic Configuration**
 
-    ```toml tab="TOML"
-    ## Static configuration ##
-    
-    [entryPoints]
-      [entryPoints.web]
-        # ...
-      [entryPoints.web-secure]
-        # ...
-      [entryPoints.other]
-        # ...
-    
-    ## Dynamic configuration ##
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     
     [tcp.routers]
       [tcp.routers.Router-1]
@@ -511,18 +643,8 @@ If you want to limit the router scope to a set of entry points, set the entry po
         [tcp.routers.Router-1.tls]
     ```
     
-    ```yaml tab="YAML"
-    ## Static configuration ##
-    
-    entryPoints:
-      web:
-        # ...
-      web-secure:
-        # ...
-      other:
-        # ...
-    
-    ## Dynamic configuration ##
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     
     tcp:
       routers:
@@ -534,57 +656,103 @@ If you want to limit the router scope to a set of entry points, set the entry po
           tls: {}
     ```
 
-??? example "Listens to Specific Entry Points"
+    **Static Configuration**
     
-    ```toml tab="TOML"
-    ## Static configuration ##
+    ```toml tab="File (TOML)"
+    ## Static configuration
     
     [entryPoints]
       [entryPoints.web]
-        # ...
-      [entryPoints.web-secure]
-        # ...
+        address = ":80"
+      [entryPoints.websecure]
+        address = ":443"
       [entryPoints.other]
-        # ...
-        
-    ## Dynamic configuration ##
+        address = ":9090"
+    ```
     
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    
+    entryPoints:
+      web:
+        address: ":80"
+      websecure:
+        address: ":443"
+      other:
+        address: ":9090"
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entrypoints.web.address=":80"
+    --entrypoints.websecure.address=":443"
+    --entrypoints.other.address=":9090"
+    ```
+
+??? example "Listens to Specific Entry Points"
+    
+    **Dynamic Configuration**
+    
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [tcp.routers]
       [tcp.routers.Router-1]
         # won't listen to entry point web
-        entryPoints = ["web-secure", "other"]
+        entryPoints = ["websecure", "other"]
         rule = "HostSNI(`traefik.io`)"
         service = "service-1"
         # will route TLS requests (and ignore non tls requests)
         [tcp.routers.Router-1.tls]
     ```
     
-    ```yaml tab="YAML"
-    ## Static configuration ##
-    
-    entryPoints:
-      web:
-        # ...
-      web-secure:
-        # ...
-      other:
-        # ...
-        
-    ## Dynamic configuration ##
-    
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     tcp:
       routers:
         Router-1:
           # won't listen to entry point web
           entryPoints:
-          - "web-secure"
-          - "other"
+            - "websecure"
+            - "other"
           rule: "HostSNI(`traefik.io`)"
           service: "service-1"
           # will route TLS requests (and ignore non tls requests)
           tls: {}
     ```
 
+    **Static Configuration**
+    
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      [entryPoints.websecure]
+        address = ":443"
+      [entryPoints.other]
+        address = ":9090"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    
+    entryPoints:
+      web:
+        address: ":80"
+      websecure:
+        address: ":443"
+      other:
+        address: ":9090"
+    ```
+    
+    ```bash tab="CLI"
+    ## Static configuration
+    --entrypoints.web.address=":80"
+    --entrypoints.websecure.address=":443"
+    --entrypoints.other.address=":9090"
+    ```
+
 ### Rule
 
 | Rule                           | Description                                                             |
@@ -602,20 +770,20 @@ If you want to limit the router scope to a set of entry points, set the entry po
 You must attach a TCP [service](../services/index.md) per TCP router.
 Services are the target for the router.
 
-!!! note "TCP Only"
-
-    TCP routers can only target TCP services (not HTTP services).
+!!! important "TCP routers can only target TCP services (not HTTP services)."
 
 ### TLS
 
 #### General
 
  When a TLS section is specified, it instructs Traefik that the current router is dedicated to TLS requests only (and that the router should ignore non-TLS requests).
+ 
  By default, Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services), but Traefik can be configured in order to let the requests pass through (keeping the data encrypted), and be forwarded to the service "as is". 
 
 ??? example "Configuring TLS Termination"
 
-    ```toml tab="TOML"
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [tcp.routers]
       [tcp.routers.Router-1]
         rule = "HostSNI(`foo-domain`)"
@@ -624,19 +792,21 @@ Services are the target for the router.
         [tcp.routers.Router-1.tls]
     ```
 
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     tcp:
       routers:
         Router-1:
           rule: "HostSNI(`foo-domain`)"
           service: service-id
           # will terminate the TLS request by default
-          tld: {}
+          tls: {}
     ```
 
 ??? example "Configuring passthrough"
 
-    ```toml tab="TOML"
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [tcp.routers]
       [tcp.routers.Router-1]
         rule = "HostSNI(`foo-domain`)"
@@ -645,7 +815,8 @@ Services are the target for the router.
           passthrough = true
     ```
 
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     tcp:
       routers:
         Router-1:
@@ -655,7 +826,7 @@ Services are the target for the router.
             passthrough: true
     ```
 
-!!! note "TLS & ACME"
+!!! info "TLS & ACME"
 
     In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.
 
@@ -664,9 +835,10 @@ Services are the target for the router.
 The `options` field enables fine-grained control of the TLS parameters.  
 It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
 
-??? example "Configuring the tls options"
+!!! example "Configuring the tls options"
 
-    ```toml tab="TOML"
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
     [tcp.routers]
       [tcp.routers.Router-1]
         rule = "HostSNI(`foo-domain`)"
@@ -684,7 +856,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
         ]
     ```
 
-    ```yaml tab="YAML"
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
     tcp:
       routers:
         Router-1:
@@ -699,15 +872,16 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
         foo:
           minVersion: VersionTLS12
           cipherSuites:
-          - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
-          - "TLS_RSA_WITH_AES_256_GCM_SHA384"
+            - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+            - "TLS_RSA_WITH_AES_256_GCM_SHA384"
     ```
 
 #### `certResolver`
 
 See [`certResolver` for HTTP router](./index.md#certresolver) for more information.
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+## Dynamic configuration
 [tcp.routers]
   [tcp.routers.routerfoo]
     rule = "HostSNI(`snitest.com`)"
@@ -715,7 +889,8 @@ See [`certResolver` for HTTP router](./index.md#certresolver) for more informati
       certResolver = "foo"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+## Dynamic configuration
 tcp:
   routers:
     routerfoo:
@@ -728,7 +903,8 @@ tcp:
 
 See [`domains` for HTTP router](./index.md#domains) for more information.
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+## Dynamic configuration
 [tcp.routers]
   [tcp.routers.routerbar]
     rule = "HostSNI(`snitest.com`)"
@@ -736,10 +912,11 @@ See [`domains` for HTTP router](./index.md#domains) for more information.
       certResolver = "bar"
       [[tcp.routers.routerbar.tls.domains]]
         main = "snitest.com"
-        sans = "*.snitest.com"
+        sans = ["*.snitest.com"]
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+## Dynamic configuration
 tcp:
   routers:
     routerbar:
@@ -747,6 +924,6 @@ tcp:
       tls:
         certResolver: "bar"
         domains:
-        - main: "snitest.com"
-          sans: "*.snitest.com"
+          - main: "snitest.com"
+            sans: "*.snitest.com"
 ```

docs/content/routing/services/index.md

@@ -12,6 +12,7 @@ The `Services` are responsible for configuring how to reach the actual services
 ??? example "Declaring an HTTP Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.my-service.loadBalancer]
 
@@ -22,6 +23,7 @@ The `Services` are responsible for configuring how to reach the actual services
     ```
     
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       services:
         my-service:
@@ -34,6 +36,7 @@ The `Services` are responsible for configuring how to reach the actual services
 ??? example "Declaring a TCP Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [tcp.services]
       [tcp.services.my-service.loadBalancer]
          [[tcp.services.my-service.loadBalancer.servers]]
@@ -61,6 +64,7 @@ The load balancers are able to load balance the requests between multiple instan
 ??? example "Declaring a Service with Two Servers (with Load Balancing) -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.my-service.loadBalancer]
 
@@ -85,14 +89,15 @@ The load balancers are able to load balance the requests between multiple instan
 Servers declare a single instance of your program.
 The `url` option point to a specific instance. 
 
-!!! note
-    Paths in the servers' `url` have no effet. 
+!!! info ""
+    Paths in the servers' `url` have no effect. 
     If you want the requests to be sent to a specific path on your servers,
     configure your [`routers`](../routers/index.md) to use a corresponding [middleware](../../middlewares/overview.md) (e.g. the [AddPrefix](../../middlewares/addprefix.md) or [ReplacePath](../../middlewares/replacepath.md)) middlewares.
 
 ??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.my-service.loadBalancer]
         [[http.services.my-service.loadBalancer.servers]]
@@ -100,12 +105,13 @@ The `url` option point to a specific instance.
     ```
     
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       services:
         my-service:
           loadBalancer:
             servers:
-              url: "http://private-ip-server-1/"
+              - url: "http://private-ip-server-1/"
     ```
 
 #### Load-balancing
@@ -115,6 +121,7 @@ For now, only round robin load balancing is supported:
 ??? example "Load Balancing -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.my-service.loadBalancer]
         [[http.services.my-service.loadBalancer.servers]]
@@ -124,6 +131,7 @@ For now, only round robin load balancing is supported:
     ```
 
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       services:
         my-service:
@@ -138,27 +146,29 @@ For now, only round robin load balancing is supported:
 When sticky sessions are enabled, a cookie is set on the initial request to track which server handles the first response.
 On subsequent requests, the client is forwarded to the same server.
 
-!!! note "Stickiness & Unhealthy Servers"
+!!! info "Stickiness & Unhealthy Servers"
    
     If the server specified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).
 
-!!! note "Cookie Name" 
+!!! info "Cookie Name" 
     
     The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
 
-!!! note "Secure & HTTPOnly flags"
+!!! info "Secure & HTTPOnly flags"
 
     By default, the affinity cookie is created without those flags. One however can change that through configuration. 
 
-??? example "Adding Stickiness"
+??? example "Adding Stickiness -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.my-service]
         [http.services.my-service.loadBalancer.sticky.cookie]
     ```
     
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       services:
         my-service:
@@ -167,9 +177,10 @@ On subsequent requests, the client is forwarded to the same server.
              cookie: {}
     ```
 
-??? example "Adding Stickiness with custom Options"
+??? example "Adding Stickiness with custom Options -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.my-service]
         [http.services.my-service.loadBalancer.sticky.cookie]
@@ -179,6 +190,7 @@ On subsequent requests, the client is forwarded to the same server.
     ```
 
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       services:
         my-service:
@@ -205,12 +217,12 @@ Below are the available options for the health check mechanism:
 - `timeout` defines the maximum duration Traefik will wait for a health check request before considering the server failed (unhealthy).
 - `headers` defines custom headers to be sent to the health check endpoint.
 
-!!! note "Interval & Timeout Format"
+!!! info "Interval & Timeout Format"
 
     Interval and timeout are to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
     The interval must be greater than the timeout. If configuration doesn't reflect this, the interval will be set to timeout + 1 second.
 
-!!! note "Recovering Servers"
+!!! info "Recovering Servers"
    
     Traefik keeps monitoring the health of unhealthy servers. 
     If a server has recovered (returning `2xx` -> `3xx` responses again), it will be added back to the load balacer rotation pool.
@@ -218,6 +230,7 @@ Below are the available options for the health check mechanism:
 ??? example "Custom Interval & Timeout -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.servicess.Service-1]
         [http.services.Service-1.loadBalancer.healthCheck]
@@ -227,6 +240,7 @@ Below are the available options for the health check mechanism:
     ```
 
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       servicess:
         Service-1:
@@ -240,6 +254,7 @@ Below are the available options for the health check mechanism:
 ??? example "Custom Port -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.Service-1]
         [http.services.Service-1.loadBalancer.healthCheck]
@@ -248,6 +263,7 @@ Below are the available options for the health check mechanism:
     ```
     
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       services:
         Service-1:
@@ -260,6 +276,7 @@ Below are the available options for the health check mechanism:
 ??? example "Custom Scheme -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.Service-1]
         [http.services.Service-1.loadBalancer.healthCheck]
@@ -268,6 +285,7 @@ Below are the available options for the health check mechanism:
     ```
     
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       services:
         Service-1:
@@ -280,6 +298,7 @@ Below are the available options for the health check mechanism:
 ??? example "Additional HTTP Headers -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [http.services]
       [http.services.Service-1]
         [http.services.Service-1.loadBalancer.healthCheck]
@@ -291,6 +310,7 @@ Below are the available options for the health check mechanism:
     ```
     
     ```yaml tab="YAML"
+    ## Dynamic configuration
     http:
       services:
         Service-1:
@@ -308,15 +328,16 @@ The WRR is able to load balance the requests between multiple services based on
 
 This strategy is only available to load balance between [services](./index.md) and not between [servers](./index.md#servers).
 
-This strategy can be defined only with [File](../../providers/file.md).
+!!! info "This strategy can be defined only with [File](../../providers/file.md)."
 
 ```toml tab="TOML"
+## Dynamic configuration
 [http.services]
-  [http.services.canary]
-    [[http.services.canary.weighted.services]]
+  [http.services.app]
+    [[http.services.app.weighted.services]]
       name = "appv1"
       weight = 3
-    [[http.services.canary.weighted.services]]
+    [[http.services.app.weighted.services]]
       name = "appv2"
       weight = 1
 
@@ -332,9 +353,10 @@ This strategy can be defined only with [File](../../providers/file.md).
 ```
 
 ```yaml tab="YAML"
+## Dynamic configuration
 http:
   services:
-    canary:
+    app:
       weighted:
         services:
         - name: appv1
@@ -357,44 +379,46 @@ http:
 
 The mirroring is able to mirror requests sent to a service to other services.
 
-This strategy can be defined only with [File](../../providers/file.md).
+!!! info "This strategy can be defined only with [File](../../providers/file.md)."
 
 ```toml tab="TOML"
+## Dynamic configuration
 [http.services]
-  [http.services.mirroring]
-    [http.services.mirroring.mirroring]
-      service = "app"
-    [[http.services.mirroring.mirroring.mirrors]]
-      name = "mirror"
+  [http.services.mirrored-api]
+    [http.services.mirrored-api.mirroring]
+      service = "appv1"
+    [[http.services.mirrored-api.mirroring.mirrors]]
+      name = "appv2"
       percent = 10
 
-  [http.services.app]
-    [http.services.app.loadBalancer]
+  [http.services.appv1]
+    [http.services.appv1.loadBalancer]
       [[http.services.appv1.loadBalancer.servers]]
         url = "http://private-ip-server-1/"
 
-  [http.services.mirror]
-    [http.services.mirror.loadBalancer]
-      [[http.services.mirror.loadBalancer.servers]]
+  [http.services.appv2]
+    [http.services.appv2.loadBalancer]
+      [[http.services.appv2.loadBalancer.servers]]
         url = "http://private-ip-server-2/"
 ```
 
 ```yaml tab="YAML"
+## Dynamic configuration
 http:
   services:
-    mirroring:
+    mirrored-api:
       mirroring:
-        service: app
+        service: appv1
         mirrors:
-        - name: mirror
+        - name: appv2
           percent: 10
 
-    app:
+    appv1:
       loadBalancer:
         servers:
         - url: "http://private-ip-server-1/"
 
-    mirror:
+    appv2:
       loadBalancer:
         servers:
         - url: "http://private-ip-server-2/"
@@ -404,17 +428,19 @@ http:
 
 ### General
 
-Currently, `LoadBalancer` is the only supported kind of TCP `Service`.
-However, since Traefik is an ever evolving project, other kind of TCP Services will be available in the future,
-reason why you have to specify it. 
+Each of the fields of the service section represents a kind of service.
+Which means, that for each specified service, one of the fields, and only one,
+has to be enabled to define what kind of service is created.
+Currently, the two available kinds are `LoadBalancer`, and `Weighted`.
 
-### Load Balancer
+### Servers Load Balancer
 
-The load balancers are able to load balance the requests between multiple instances of your programs. 
+The servers load balancer is in charge of balancing the requests between the servers of the same service.
 
 ??? example "Declaring a Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [tcp.services]
       [tcp.services.my-service.loadBalancer]
         [[tcp.services.my-service.loadBalancer.servers]]
@@ -424,6 +450,7 @@ The load balancers are able to load balance the requests between multiple instan
     ```
 
     ```yaml tab="YAML"
+    ## Dynamic configuration
     tcp:
       services:
         my-service:
@@ -441,6 +468,7 @@ The `address` option (IP:Port) point to a specific instance.
 ??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"
 
     ```toml tab="TOML"
+    ## Dynamic configuration
     [tcp.services]
       [tcp.services.my-service.loadBalancer]
         [[tcp.services.my-service.loadBalancer.servers]]
@@ -448,6 +476,7 @@ The `address` option (IP:Port) point to a specific instance.
     ```
 
     ```yaml tab="YAML"
+    ## Dynamic configuration
     tcp:
       services:
         my-service:
@@ -455,3 +484,89 @@ The `address` option (IP:Port) point to a specific instance.
             servers:
               address: "xx.xx.xx.xx:xx"
     ```
+
+#### Termination Delay
+
+As a proxy between a client and a server, it can happen that either side (e.g. client side) decides to terminate its writing capability on the connection (i.e. issuance of a FIN packet).
+The proxy needs to propagate that intent to the other side, and so when that happens, it also does the same on its connection with the other side (e.g. backend side).
+
+However, if for some reason (bad implementation, or malicious intent) the other side does not eventually do the same as well,
+the connection would stay half-open, which would lock resources for however long.
+
+To that end, as soon as the proxy enters this termination sequence, it sets a deadline on fully terminating the connections on both sides.
+
+The termination delay controls that deadline.
+It is a duration in milliseconds, defaulting to 100.
+A negative value means an infinite deadline (i.e. the connection is never fully terminated by the proxy itself).
+
+??? example "A Service with a termination delay -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [tcp.services]
+      [tcp.services.my-service.loadBalancer]
+        [[tcp.services.my-service.loadBalancer]]
+          terminationDelay = 200
+    ```
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    tcp:
+      services:
+        my-service:
+          loadBalancer:
+            terminationDelay: 200
+    ```
+
+### Weighted Round Robin
+
+The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of balancing the requests between multiple services based on provided weights.
+
+This strategy is only available to load balance between [services](./index.md) and not between [servers](./index.md#servers).
+
+This strategy can only be defined with [File](../../providers/file.md).
+
+```toml tab="TOML"
+## Dynamic configuration
+[tcp.services]
+  [tcp.services.app]
+    [[tcp.services.app.weighted.services]]
+      name = "appv1"
+      weight = 3
+    [[tcp.services.app.weighted.services]]
+      name = "appv2"
+      weight = 1
+
+  [tcp.services.appv1]
+    [tcp.services.appv1.loadBalancer]
+      [[tcp.services.appv1.loadBalancer.servers]]
+        address = "private-ip-server-1/:8080"
+
+  [tcp.services.appv2]
+    [tcp.services.appv2.loadBalancer]
+      [[tcp.services.appv2.loadBalancer.servers]]
+        address = "private-ip-server-2/:8080"
+```
+
+```yaml tab="YAML"
+## Dynamic configuration
+tcp:
+  services:
+    app:
+      weighted:
+        services:
+        - name: appv1
+          weight: 3
+        - name: appv2
+          weight: 1
+
+    appv1:
+      loadBalancer:
+        servers:
+        - address: "xxx.xxx.xxx.xxx:8080"
+
+    appv2:
+      loadBalancer:
+        servers:
+        - address: "xxx.xxx.xxx.xxx:8080"
+```

docs/content/user-guides/crd-acme/03-deployments.yml

@@ -28,7 +28,7 @@ spec:
         - name: traefik
           image: traefik:v2.0
           args:
-            - --api
+            - --api.insecure
             - --accesslog
             - --entrypoints.web.Address=:8000
             - --entrypoints.websecure.Address=:4443

docs/content/user-guides/crd-acme/index.md

@@ -18,7 +18,7 @@ In the following, the Kubernetes resources defined in YAML configuration files c
 
 !!! important "Kubectl Version"
 
-    With the `rancher/k3s` version used in this guide (`0.8.0`), the kubectl version needs to be >= `0.11`.
+    With the `rancher/k3s` version used in this guide (`0.8.0`), the kubectl version needs to be >= `1.11`.
 
 ## k3s Docker-compose Configuration
 

docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml

@@ -3,11 +3,11 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.0.0-beta1"
+    image: "traefik:v2.0.0-rc3"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
-      - "--api=true"
+      - "--api.insecure=true"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"

docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml

@@ -13,11 +13,11 @@ secrets:
 services:
 
   traefik:
-    image: "traefik:v2.0.0-beta1"
+    image: "traefik:v2.0.0-rc3"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
-      - "--api=true"
+      - "--api.insecure=true"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"

docs/content/user-guides/docker-compose/acme-http/docker-compose.yml

@@ -3,11 +3,11 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.0.0-beta1"
+    image: "traefik:v2.0.0-rc3"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
-      - "--api=true"
+      - "--api.insecure=true"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"

docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml

@@ -3,11 +3,11 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.0.0-beta1"
+    image: "traefik:v2.0.0-rc3"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
-      - "--api=true"
+      - "--api.insecure=true"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.websecure.address=:443"

docs/content/user-guides/docker-compose/basic-example/docker-compose.yml

@@ -3,11 +3,11 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.0.0-beta1"
+    image: "traefik:v2.0.0-rc3"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
-      - "--api=true"
+      - "--api.insecure=true"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"

docs/content/user-guides/docker-compose/basic-example/index.md

@@ -53,7 +53,7 @@ ports:
 ```yaml
 command:
   # Traefik will listen on port 8080 by default for API request.
-  - "--api=true"
+  - "--api.insecure=true"
 
 ports:
   - "8080:8080"

docs/content/user-guides/grpc.md

@@ -34,7 +34,7 @@ api: {}
 ```yaml tab="CLI"
 --entryPoints.web.address=":80"
 --providers.file.filename=dynamic_conf.toml
---api=true
+--api.insecure=true
 ```
 
 `dynamic_conf.{toml,yml}`:
@@ -143,7 +143,7 @@ entryPoints:
 serversTransport:
   # For secure connection on backend.local
   rootCAs:
-  - ./backend.cert
+    - ./backend.cert
 
 providers:
   file:
@@ -157,7 +157,7 @@ api: {}
 # For secure connection on backend.local
 --serversTransport.rootCAs=./backend.cert
 --providers.file.filename=dynamic_conf.toml
---api=true
+--api.insecure=true
 ```
 
 `dynamic_conf.{toml,yml}`:

docs/mkdocs.yml

@@ -58,9 +58,9 @@ markdown_extensions:
   - pymdownx.tasklist
   - pymdownx.snippets:
       check_paths: true
-  - markdown_include.include:
-      base_path: content/includes/
-      encoding: utf-8
+#  - markdown_include.include:
+#      base_path: content/includes/
+#      encoding: utf-8
   - toc:
       permalink: true
 
@@ -82,9 +82,14 @@ nav:
       - 'Marathon': 'providers/marathon.md'
   - 'Routing & Load Balancing':
       - 'Overview': 'routing/overview.md'
-      - 'Entrypoints': 'routing/entrypoints.md'
+      - 'EntryPoints': 'routing/entrypoints.md'
       - 'Routers': 'routing/routers/index.md'
       - 'Services': 'routing/services/index.md'
+      - 'Providers':
+          - 'Docker': 'routing/providers/docker.md'
+          - 'Kubernetes IngressRoute': 'routing/providers/kubernetes-crd.md'
+          - 'Rancher': 'routing/providers/rancher.md'
+          - 'Marathon': 'routing/providers/marathon.md'
   - 'HTTPS & TLS':
       - 'Overview': 'https/overview.md'
       - 'TLS': 'https/tls.md'

exp.Dockerfile

@@ -12,7 +12,7 @@ RUN yarn install
 RUN npm run build
 
 # BUILD
-FROM golang:1.13rc2-alpine as gobuild
+FROM golang:1.13-alpine as gobuild
 
 RUN apk --update upgrade \
     && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \

go.mod

@@ -51,7 +51,7 @@ require (
 	github.com/huandu/xstrings v1.2.0 // indirect
 	github.com/influxdata/influxdb1-client v0.0.0-20190402204710-8ff2fc3824fc
 	github.com/instana/go-sensor v1.4.17-0.20190515112224-78c14625025a
-	github.com/labbsr0x/goh v0.0.0-20190610190554-60aa50bcbca7 // indirect
+	github.com/labbsr0x/goh v0.0.0-20190830205702-3d6988c73e10 // indirect
 	github.com/libkermit/compose v0.0.0-20171122111507-c04e39c026ad
 	github.com/libkermit/docker v0.0.0-20171122101128-e6674d32b807
 	github.com/libkermit/docker-check v0.0.0-20171122104347-1113af38e591
@@ -85,7 +85,7 @@ require (
 	github.com/uber/jaeger-client-go v2.16.0+incompatible
 	github.com/uber/jaeger-lib v2.0.0+incompatible
 	github.com/unrolled/render v1.0.1
-	github.com/unrolled/secure v1.0.1
+	github.com/unrolled/secure v1.0.4
 	github.com/vdemeester/shakers v0.1.0
 	github.com/vulcand/oxy v1.0.0
 	github.com/vulcand/predicate v1.1.0

go.sum

@@ -307,8 +307,8 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/labbsr0x/bindman-dns-webhook v1.0.0 h1:gooRvyQtVOCtV/l9ZCI4CManZeVN/kUWG/vugRqHqv4=
 github.com/labbsr0x/bindman-dns-webhook v1.0.0/go.mod h1:pn4jcNjxSywRWDPDyGkFzgSnwty18OFdiUFc6S6fpgc=
 github.com/labbsr0x/goh v0.0.0-20190417202808-8b16b4848295/go.mod h1:RBxeaayaaMmp7GxwHiKANjkg9e+rxjOm4mB5vD5rt/I=
-github.com/labbsr0x/goh v0.0.0-20190610190554-60aa50bcbca7 h1:ocfbpesrzMqybD816LDEjourU4jiHj6gDGMieAcU8Io=
-github.com/labbsr0x/goh v0.0.0-20190610190554-60aa50bcbca7/go.mod h1:RBxeaayaaMmp7GxwHiKANjkg9e+rxjOm4mB5vD5rt/I=
+github.com/labbsr0x/goh v0.0.0-20190830205702-3d6988c73e10 h1:mrPTy7qNJPGHaUkkN301r8Y+13l2/vsiC8Lvi09e6sI=
+github.com/labbsr0x/goh v0.0.0-20190830205702-3d6988c73e10/go.mod h1:RBxeaayaaMmp7GxwHiKANjkg9e+rxjOm4mB5vD5rt/I=
 github.com/libkermit/compose v0.0.0-20171122111507-c04e39c026ad h1:nTyRWZ864mnHUnusBCVA628AZFgfGHwRUpbHqGhRQr8=
 github.com/libkermit/compose v0.0.0-20171122111507-c04e39c026ad/go.mod h1:GyCk/ifDcqsU1tsRMMWqXANnTtxzcwEWscb7j5qmblM=
 github.com/libkermit/docker v0.0.0-20171122101128-e6674d32b807 h1:/7J1WDQd6Xn1Pr8KtE2I/7/cKw66AV3hBUOyxqyXo84=
@@ -472,8 +472,8 @@ github.com/uber/jaeger-lib v2.0.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6
 github.com/ugorji/go v0.0.0-20171019201919-bdcc60b419d1/go.mod h1:hnLbHMwcvSihnDhEfx2/BzKp2xb0Y+ErdfYcrs9tkJQ=
 github.com/unrolled/render v1.0.1 h1:VDDnQQVfBMsOsp3VaCJszSO0nkBIVEYoPWeRThk9spY=
 github.com/unrolled/render v1.0.1/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM=
-github.com/unrolled/secure v1.0.1 h1:PZ79/VmnyIrDWRAUp9lWSwmckdf8H0v9djiqZxAb8Tc=
-github.com/unrolled/secure v1.0.1/go.mod h1:R6rugAuzh4TQpbFAq69oqZggyBQxFRFQIewtz5z7Jsc=
+github.com/unrolled/secure v1.0.4 h1:DksfKsRTyXP2R8quDdOOuRpRO45VprFL0X9t9+JX1PU=
+github.com/unrolled/secure v1.0.4/go.mod h1:R6rugAuzh4TQpbFAq69oqZggyBQxFRFQIewtz5z7Jsc=
 github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ=
 github.com/vdemeester/shakers v0.1.0 h1:K+n9sSyUCg2ywmZkv+3c7vsYZfivcfKhMh8kRxCrONM=
 github.com/vdemeester/shakers v0.1.0/go.mod h1:IZ1HHynUOQt32iQ3rvAeVddXLd19h/6LWiKsh9RZtAQ=

integration/access_log_test.go

@@ -46,7 +46,7 @@ func (s *AccessLogSuite) SetUpSuite(c *check.C) {
 
 func (s *AccessLogSuite) TearDownTest(c *check.C) {
 	displayTraefikLogFile(c, traefikTestLogFile)
-	os.Remove(traefikTestAccessLogFile)
+	_ = os.Remove(traefikTestAccessLogFile)
 }
 
 func (s *AccessLogSuite) TestAccessLog(c *check.C) {
@@ -59,7 +59,7 @@ func (s *AccessLogSuite) TestAccessLog(c *check.C) {
 	defer func() {
 		traefikLog, err := ioutil.ReadFile(traefikTestLogFile)
 		c.Assert(err, checker.IsNil)
-		log.Info(string(traefikLog))
+		log.WithoutContext().Info(string(traefikLog))
 	}()
 
 	err := cmd.Start()
@@ -233,7 +233,7 @@ func digestParts(resp *http.Response) map[string]string {
 func getMD5(data string) string {
 	digest := md5.New()
 	if _, err := digest.Write([]byte(data)); err != nil {
-		log.Error(err)
+		log.WithoutContext().Error(err)
 	}
 	return fmt.Sprintf("%x", digest.Sum(nil))
 }
@@ -241,7 +241,7 @@ func getMD5(data string) string {
 func getCnonce() string {
 	b := make([]byte, 8)
 	if _, err := io.ReadFull(rand.Reader, b); err != nil {
-		log.Error(err)
+		log.WithoutContext().Error(err)
 	}
 	return fmt.Sprintf("%x", b)[:16]
 }

integration/docker_compose_test.go

@@ -77,7 +77,7 @@ func (s *DockerComposeSuite) TestComposeScale(c *check.C) {
 	services := rtconf.Services
 	c.Assert(services, checker.HasLen, 1)
 	for k, v := range services {
-		c.Assert(k, checker.Equals, composeService+"_integrationtest"+composeProject+"@docker")
+		c.Assert(k, checker.Equals, composeService+"-integrationtest"+composeProject+"@docker")
 		c.Assert(v.LoadBalancer.Servers, checker.HasLen, serviceCount)
 		// We could break here, but we don't just to keep us honest.
 	}

integration/error_pages_test.go

@@ -47,7 +47,6 @@ func (s *ErrorPagesSuite) TestSimpleConfiguration(c *check.C) {
 }
 
 func (s *ErrorPagesSuite) TestErrorPage(c *check.C) {
-
 	// error.toml contains a mis-configuration of the backend host
 	file := s.adaptFile(c, "fixtures/error_pages/error.toml", struct {
 		Server1 string

integration/fake_dns_server.go

@@ -15,6 +15,8 @@ type handler struct{}
 // Simplified version of the Challenge Test Server from Boulder
 // https://github.com/letsencrypt/boulder/blob/a6597b9f120207eff192c3e4107a7e49972a0250/test/challtestsrv/dnsone.go#L40
 func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	logger := log.WithoutContext()
+
 	m := new(dns.Msg)
 	m.SetReply(r)
 	m.Compress = false
@@ -23,8 +25,9 @@ func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if fakeDNS == "" {
 		fakeDNS = "127.0.0.1"
 	}
+
 	for _, q := range r.Question {
-		log.Infof("Query -- [%s] %s", q.Name, dns.TypeToString[q.Qtype])
+		logger.Infof("Query -- [%s] %s", q.Name, dns.TypeToString[q.Qtype])
 
 		switch q.Qtype {
 		case dns.TypeA:
@@ -94,7 +97,7 @@ func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	m.Ns = append(m.Ns, auth)
 
 	if err := w.WriteMsg(m); err != nil {
-		log.Fatalf("Failed to write message %v", err)
+		logger.Fatalf("Failed to write message %v", err)
 	}
 }
 
@@ -106,9 +109,9 @@ func startFakeDNSServer() *dns.Server {
 	}
 
 	go func() {
-		log.Infof("Start a fake DNS server.")
+		log.WithoutContext().Infof("Start a fake DNS server.")
 		if err := srv.ListenAndServe(); err != nil {
-			log.Fatalf("Failed to set udp listener %v", err)
+			log.WithoutContext().Fatalf("Failed to set udp listener %v", err)
 		}
 	}()