Prepare release v2.10.3

Co-authored-by: Romain <rtribotte@users.noreply.github.com>

.dockerignore

@@ -1,3 +1,5 @@
 dist/
 !dist/traefik
 site/
+vendor/
+.idea/

.github/CODEOWNERS

@@ -1,24 +0,0 @@
-provider/kubernetes/**  @containous/kubernetes
-provider/rancher/**     @containous/rancher
-provider/marathon/**    @containous/marathon
-provider/docker/**      @containous/docker
-
-docs/user-guide/kubernetes.md       @containous/kubernetes
-docs/user-guide/marathon.md         @containous/marathon
-docs/user-guide/swarm.md            @containous/docker
-docs/user-guide/swarm-mode.md       @containous/docker
-
-docs/configuration/backends/docker.md       @containous/docker
-docs/configuration/backends/kubernetes.md   @containous/kubernetes
-docs/configuration/backends/marathon.md     @containous/marathon
-docs/configuration/backends/rancher.md      @containous/rancher
-
-examples/k8s/                   @containous/kubernetes
-examples/compose-k8s.yaml       @containous/kubernetes
-examples/k8s.namespace.yaml     @containous/kubernetes
-examples/compose-rancher.yml    @containous/rancher
-examples/compose-marathon.yml   @containous/marathon
-
-vendor/github.com/gambol99/go-marathon  @containous/marathon
-vendor/github.com/rancher               @containous/rancher
-vendor/k8s.io/                          @containous/kubernetes

.github/ISSUE_TEMPLATE.md

@@ -1,28 +1,23 @@
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
+
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
 The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, please refer to one of the following:
 
-- the Traefik community forum: https://community.containo.us/
+- the Traefik community forum: https://community.traefik.io/
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-If you intend to ask a support question: DO NOT FILE AN ISSUE.
--->
-
-### Did you try using a 1.7.x configuration for the version 2.0?
-
-- [ ] Yes
-- [ ] No
+Bug
 
 <!--
 
-If you just checked the "Yes" box, be aware that this is probably not a bug. The configurations between 1.X and 2.X are NOT compatible. Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+The configurations between 1.X and 2.X are NOT compatible.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
 
 -->
 
@@ -30,7 +25,7 @@ If you just checked the "Yes" box, be aware that this is probably not a bug. The
 
 <!--
 
-HOW TO WRITE A GOOD ISSUE?
+HOW TO WRITE A GOOD BUG REPORT?
 
 - Respect the issue template as much as possible.
 - The title should be short and descriptive.
@@ -52,13 +47,12 @@ HOW TO WRITE A GOOD ISSUE?
 ### Output of `traefik version`: (_What version of Traefik are you using?_)
 
 <!--
+`latest` is not considered as a valid version.
+
 For the Traefik Docker image:
     docker run [IMAGE] version
     ex: docker run traefik version
 
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
 -->
 
 ```
@@ -70,12 +64,13 @@ For the alpine Traefik Docker image:
 ```toml
 # (paste your configuration here)
 ```
+
 <!--
 Add more configuration information here.
 -->
 
 
-### If applicable, please paste the log output at DEBUG level (`--log.level=DEBUG` switch)
+### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
 
 ```
 (paste your output here)

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,87 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-
----
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
-- the Traefik community forum: https://community.containo.us/
-
--->
-
-
-### Do you want to request a *feature* or report a *bug*?
-
-Bug
-
-### Did you try using a 1.7.x configuration for the version 2.0?
-
-- [ ] Yes
-- [ ] No
-
-<!--
-
-If you just checked the "Yes" box, be aware that this is probably not a bug. The configurations between 1.X and 2.X are NOT compatible. Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
-
--->
-
-### What did you do?
-
-<!--
-
-HOW TO WRITE A GOOD BUG REPORT?
-
-- Respect the issue template as much as possible.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->
-
-### What did you expect to see?
-
-
-
-### What did you see instead?
-
-
-
-### Output of `traefik version`: (_What version of Traefik are you using?_)
-
-<!--
-For the Traefik Docker image:
-    docker run [IMAGE] version
-    ex: docker run traefik version
-
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
--->
-
-```
-(paste your output here)
-```
-
-### What is your environment & configuration (arguments, toml, provider, platform, ...)?
-
-```toml
-# (paste your configuration here)
-```
-
-<!--
-Add more configuration information here.
--->
-
-
-### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
-
-```
-(paste your output here)
-```

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,35 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-
----
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
-- the Traefik community forum: https://community.containo.us/
-
--->
-
-
-### Do you want to request a *feature* or report a *bug*?
-
-Feature
-
-### What did you expect to see?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
-- Respect the issue template as much as possible.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,82 @@
+name: Bug Report (Traefik)
+description: Create a report to help us improve.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only.
+        For end-user related support questions, please use the [Traefik community forum](https://community.traefik.io/).
+
+        All new/updated issues are triaged regularly by the maintainers.
+        All issues closed by a bot are subsequently double-checked by the maintainers.
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you do?
+      description: |
+        How to write a good bug report?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you do?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What did you see instead?
+      placeholder: What did you see instead?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What version of Traefik are you using?
+      description: |
+        `latest` is not considered as a valid version.
+
+        Output of `traefik version`.
+
+        For the Traefik Docker image (`docker run [IMAGE] version`), example:
+        ```console
+        $ docker run traefik version
+        ```
+      placeholder: Paste your output here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What is your environment & configuration?
+      description: arguments, toml, provider, platform, ...
+      placeholder: Add information here.
+      value: |
+        ```yaml
+        # (paste your configuration here)
+        ```
+
+        Add more configuration information here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: If applicable, please paste the log output in DEBUG level
+      description: "`--log.level=DEBUG` switch."
+      placeholder: Paste your output here.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Traefik Community Support
+    url: https://community.traefik.io/
+    about: If you have a question, or are looking for advice, please post on our Discuss forum! The community loves to chime in to help. Happy Coding!
+  - name: Traefik Helm Chart Issues
+    url: https://github.com/traefik/traefik-helm-chart
+    about: Are you submitting an issue or feature enhancement for the Traefik helm chart? Please post in the traefik-helm-chart GitHub Issues.

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,33 @@
+name: Feature Request (Traefik)
+description: Suggest an idea for this project.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
+        - the Traefik community forum: https://community.traefik.io/
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you expect to see?
+      description: |
+        How to write a good issue?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you expect to see?
+    validations:
+      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,18 +1,19 @@
 <!--
 PLEASE READ THIS MESSAGE.
 
-HOW TO WRITE A GOOD PULL REQUEST?
+Documentation fixes or enhancements:
+- for Traefik v2: use branch v2.10
+- for Traefik v3: use branch v3.0
 
-- Make it small.
-- Do only one thing.
-- Avoid re-formatting.
-- Make sure the code builds.
-- Make sure all tests pass.
-- Add tests.
-- Write useful descriptions and titles.
-- Address review comments in terms of additional commits.
-- Do not amend/squash existing ones unless the PR is trivial.
-- Read the contributing guide: https://github.com/containous/traefik/blob/master/CONTRIBUTING.md.
+Bug fixes:
+- for Traefik v2: use branch v2.10
+- for Traefik v3: use branch v3.0
+
+Enhancements:
+- for Traefik v2: we only accept bug fixes
+- for Traefik v3: use branch master
+
+HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
 
 -->
 

.github/workflows/build.yaml

@@ -0,0 +1,79 @@
+name: Build Binaries
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: '1.20'
+  CGO_ENABLED: 0
+  IN_DOCKER: ""
+
+jobs:
+
+  build-webui:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Build webui
+        run: |
+          make clean-webui generate-webui
+          tar czvf webui.tar.gz ./webui/static/
+
+      - name: Artifact webui
+        uses: actions/upload-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: webui.tar.gz
+
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ ubuntu-20.04, macos-latest, windows-latest ]
+    needs:
+      - build-webui
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+            ~/Library/Caches/go-build
+            '%LocalAppData%\go-build'
+          key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-build-go-
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+      - name: Untar webui
+        run: tar xvf webui.tar.gz
+
+      - name: Build
+        run: make binary

.github/workflows/check_doc.yml

@@ -0,0 +1,25 @@
+name: Check Documentation
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+
+  docs:
+    name: Check, verify and build documentation
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Check documentation
+        run: make docs-pull-images docs
+        env:
+          # These variables are not passed to workflows that are triggered by a pull request from a fork.
+          DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
+          DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}

.github/workflows/documentation.yml

@@ -0,0 +1,52 @@
+name: Build and Publish Documentation
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+env:
+  STRUCTOR_VERSION: v1.13.2
+  MIXTUS_VERSION: v0.4.1
+
+jobs:
+
+  docs:
+    name: Doc Process
+    runs-on: ubuntu-20.04
+    if: github.repository == 'traefik/traefik'
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Install Structor ${{ env.STRUCTOR_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | sh -s -- -b $HOME/bin ${STRUCTOR_VERSION}
+
+      - name: Install Seo-doc
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/seo-doc/master/godownloader.sh | sh -s -- -b "${HOME}/bin"
+
+      - name: Install Mixtus ${{ env.MIXTUS_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
+
+      - name: Build documentation
+        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
+        env:
+          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}
+
+      - name: Apply seo
+        run: $HOME/bin/seo -path=./site -product=traefik
+
+      - name: Publish documentation
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}

.github/workflows/experimental.yaml

@@ -0,0 +1,37 @@
+name: Build experimental image on branch
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+jobs:
+
+  experimental:
+    if: github.repository == 'traefik/traefik'
+    name: Build experimental image on branch
+    runs-on: ubuntu-20.04
+
+    steps:
+
+      # https://github.com/marketplace/actions/checkout
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Branch name
+        run: echo ${GITHUB_REF##*/}
+
+      - name: Build docker experimental image
+        run: docker build -t traefik/traefik:experimental-${GITHUB_REF##*/} -f exp.Dockerfile .
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push to Docker Hub
+        run: docker push traefik/traefik:experimental-${GITHUB_REF##*/}

.github/workflows/test-unit.yaml

@@ -0,0 +1,46 @@
+name: Test Unit
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: '1.20'
+  IN_DOCKER: ""
+
+jobs:
+
+  test-unit:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-test-unit-go-
+
+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
+      - name: Tests
+        run: make test-unit

.github/workflows/validate.yaml

@@ -0,0 +1,97 @@
+name: Validate
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: '1.20'
+  GOLANGCI_LINT_VERSION: v1.53.1
+  MISSSPELL_VERSION: v0.4.0
+  IN_DOCKER: ""
+
+jobs:
+
+  validate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-go-
+
+      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
+
+      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+
+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
+      - name: Validate
+        run: make validate
+
+  validate-generate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-generate-go-
+
+      - name: go generate
+        run: |
+          go generate
+          git diff --exit-code
+
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          git diff --exit-code
+
+      - name: make generate-crd
+        run: |
+          make generate-crd
+          git diff --exit-code

.gitignore

@@ -7,7 +7,6 @@
 /webui/.tmp/
 /site/
 /docs/site/
-/static/
 /autogen/
 /traefik
 /traefik.toml
@@ -16,3 +15,7 @@
 *.exe
 cover.out
 vendor/
+plugins-storage/
+plugins-local/
+traefik_changelog.md
+integration/tailscale.secret

.golangci.toml

@@ -1,90 +0,0 @@
-[run]
-  deadline = "10m"
-  skip-files = []
-
-[linters-settings]
-
-  [linters-settings.govet]
-    check-shadowing = false
-
-  [linters-settings.golint]
-    min-confidence = 0.0
-
-  [linters-settings.gocyclo]
-    min-complexity = 14.0
-
-  [linters-settings.maligned]
-    suggest-new = true
-
-  [linters-settings.goconst]
-    min-len = 3.0
-    min-occurrences = 4.0
-
-  [linters-settings.misspell]
-    locale = "US"
-
-  [linters-settings.funlen]
-    lines = 230 # default 60
-    statements = 120 # default 40
-
-[linters]
-  enable-all = true
-  disable = [
-    "gocyclo", # FIXME must be fixed
-    "gosec",
-    "dupl",
-    "maligned",
-    "lll",
-    "unparam",
-    "prealloc",
-    "scopelint",
-    "gochecknoinits",
-    "gochecknoglobals",
-    "bodyclose", # Too many false-positive and panics.
-  ]
-
-[issues]
-  exclude-use-default = false
-  max-per-linter = 0
-  max-same-issues = 0
-  exclude = [
-    "SA1019: http.CloseNotifier is deprecated: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead.", # FIXME must be fixed
-    "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
-    "should have a package comment, unless it's in another file for this package",
-  ]
- [[issues.exclude-rules]]
-    path = "(.+)_test.go"
-    linters = ["goconst", "funlen"]
- [[issues.exclude-rules]]
-    path = "integration/.+_test.go"
-    text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
- [[issues.exclude-rules]]
-    path = "integration/(consul_catalog_test|constraint_test).go"
-    text = "Error return value of `(s.deregisterService|s.deregisterAgentService)` is not checked"
- [[issues.exclude-rules]]
-    path = "integration/grpc_test.go"
-    text = "Error return value of `closer` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/h2c/h2c.go"
-    text = "Error return value of `rw.Write` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/middlewares/recovery/recovery.go"
-    text = "`logger` can be `github.com/stretchr/testify/assert.TestingT`"
- [[issues.exclude-rules]]
-    path = "pkg/provider/docker/builder_test.go"
-    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
-    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/config/parser/.+_test.go"
-    text = "U1000: field `(foo|fuu)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/server/service/bufferpool.go"
-    text = "SA6002: argument should be pointer-like to avoid allocations"
- [[issues.exclude-rules]]
-    path = "cmd/configuration.go"
-    text = "string `traefik` has (\\d) occurrences, make it a constant"
- [[issues.exclude-rules]] # FIXME must be fixed
-    path = "cmd/context.go"
-    text = "S1000: should use a simple channel send/receive instead of `select` with a single case"

.golangci.yml

@@ -0,0 +1,271 @@
+run:
+  timeout: 10m
+  skip-files: []
+  skip-dirs:
+    - pkg/provider/kubernetes/crd/generated/
+
+linters-settings:
+  govet:
+    enable-all: true
+    disable:
+      - shadow
+      - fieldalignment
+  gocyclo:
+    min-complexity: 14
+  goconst:
+    min-len: 3
+    min-occurrences: 4
+  misspell:
+    locale: US
+  funlen:
+    lines: -1
+    statements: 120
+  forbidigo:
+    forbid:
+      - ^print(ln)?$
+      - ^spew\.Print(f|ln)?$
+      - ^spew\.Dump$
+  depguard:
+    rules:
+      main:
+        deny:
+          - pkg: "github.com/instana/testify"
+            desc: not allowed
+          - pkg: "github.com/pkg/errors"
+            desc: Should be replaced by standard lib errors package
+  godox:
+    keywords:
+      - FIXME
+  importas:
+    no-unaliased: true
+    alias:
+      - alias: composeapi
+        pkg: github.com/docker/compose/v2/pkg/api
+
+      # Standard Kubernetes rewrites:
+      - alias: corev1
+        pkg: "k8s.io/api/core/v1"
+      - alias: netv1
+        pkg: "k8s.io/api/networking/v1"
+      - alias: netv1beta1
+        pkg: "k8s.io/api/networking/v1beta1"
+      - alias: admv1
+        pkg: "k8s.io/api/admission/v1"
+      - alias: admv1beta1
+        pkg: "k8s.io/api/admission/v1beta1"
+      - alias: extv1beta1
+        pkg: "k8s.io/api/extensions/v1beta1"
+      - alias: metav1
+        pkg: "k8s.io/apimachinery/pkg/apis/meta/v1"
+      - alias: ktypes
+        pkg: "k8s.io/apimachinery/pkg/types"
+      - alias: kerror
+        pkg: "k8s.io/apimachinery/pkg/api/errors"
+      - alias: kclientset
+        pkg: "k8s.io/client-go/kubernetes"
+      - alias: kinformers
+        pkg: "k8s.io/client-go/informers"
+      - alias: ktesting
+        pkg: "k8s.io/client-go/testing"
+      - alias: kschema
+        pkg: "k8s.io/apimachinery/pkg/runtime/schema"
+      - alias: kscheme
+        pkg: "k8s.io/client-go/kubernetes/scheme"
+      - alias: kversion
+        pkg: "k8s.io/apimachinery/pkg/version"
+      - alias: kubefake
+        pkg: "k8s.io/client-go/kubernetes/fake"
+      - alias: discoveryfake
+        pkg: "k8s.io/client-go/discovery/fake"
+
+      # Kubernetes Gateway rewrites:
+      - alias: gateclientset
+        pkg: "sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned"
+      - alias: gateinformers
+        pkg: "sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions"
+      - alias: gatev1alpha2
+        pkg: "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+      # Traefik Kubernetes rewrites:
+      - alias: containousv1alpha1
+        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1"
+      - alias: traefikv1alpha1
+        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1"
+      - alias: traefikclientset
+        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned"
+      - alias: traefikinformers
+        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions"
+      - alias: traefikscheme
+        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
+      - alias: traefikcrdfake
+        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
+  tagalign:
+    align: false
+    sort: true
+    order:
+      - description
+      - json
+      - toml
+      - yaml
+      - yml
+      - label
+      - label-slice-as-struct
+      - file
+      - kv
+      - export
+  revive:
+    rules:
+      - name: struct-tag
+      - name: blank-imports
+      - name: context-as-argument
+      - name: context-keys-type
+      - name: dot-imports
+      - name: error-return
+      - name: error-strings
+      - name: error-naming
+      - name: exported
+        disabled: true
+      - name: if-return
+      - name: increment-decrement
+      - name: var-naming
+      - name: var-declaration
+      - name: package-comments
+        disabled: true
+      - name: range
+      - name: receiver-naming
+      - name: time-naming
+      - name: unexported-return
+      - name: indent-error-flow
+      - name: errorf
+      - name: empty-block
+      - name: superfluous-else
+      - name: unused-parameter
+        disabled: true
+      - name: unreachable-code
+      - name: redefines-builtin-id
+  gomoddirectives:
+    replace-allow-list:
+      - github.com/abbot/go-http-auth
+      - github.com/go-check/check
+      - github.com/gorilla/mux
+      - github.com/mailgun/minheap
+      - github.com/mailgun/multibuf
+      - github.com/jaguilar/vt100
+
+linters:
+  enable-all: true
+  disable:
+    - deadcode # deprecated
+    - exhaustivestruct # deprecated
+    - golint # deprecated
+    - ifshort # deprecated
+    - interfacer # deprecated
+    - maligned # deprecated
+    - nosnakecase # deprecated
+    - scopelint # deprecated
+    - scopelint # deprecated
+    - structcheck # deprecated
+    - varcheck # deprecated
+    - sqlclosecheck # not relevant (SQL)
+    - rowserrcheck # not relevant (SQL)
+    - execinquery # not relevant (SQL)
+    - cyclop # duplicate of gocyclo
+    - lll # Not relevant
+    - gocyclo # FIXME must be fixed
+    - gocognit # Too strict
+    - nestif # Too many false-positive.
+    - prealloc # Too many false-positive.
+    - makezero # Not relevant
+    - dupl # Too strict
+    - gosec # Too strict
+    - gochecknoinits
+    - gochecknoglobals
+    - wsl # Too strict
+    - nlreturn # Not relevant
+    - gomnd # Too strict
+    - stylecheck # skip because report issues related to some generated files.
+    - testpackage # Too strict
+    - tparallel # Not relevant
+    - paralleltest # Not relevant
+    - exhaustive # Not relevant
+    - exhaustruct # Not relevant
+    - goerr113 # Too strict
+    - wrapcheck # Too strict
+    - noctx # Too strict
+    - bodyclose # too many false-positive
+    - forcetypeassert # Too strict
+    - tagliatelle # Too strict
+    - varnamelen # Not relevant
+    - nilnil # Not relevant
+    - ireturn # Not relevant
+    - contextcheck # too many false-positive
+    - containedctx # too many false-positive
+    - maintidx # kind of duplicate of gocyclo
+    - nonamedreturns # Too strict
+    - gosmopolitan  # not relevant
+
+issues:
+  exclude-use-default: false
+  max-per-linter: 0
+  max-same-issues: 0
+  exclude:
+    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
+    - "should have a package comment, unless it's in another file for this package"
+    - 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
+    - 'SA1019: cfg.SSLRedirect is deprecated'
+    - 'SA1019: cfg.SSLTemporaryRedirect is deprecated'
+    - 'SA1019: cfg.SSLHost is deprecated'
+    - 'SA1019: cfg.SSLForceHost is deprecated'
+    - 'SA1019: cfg.FeaturePolicy is deprecated'
+    - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
+    - 'SA1019: c.Providers.Consul.Namespace is deprecated'
+    - 'SA1019: c.Providers.Nomad.Namespace is deprecated'
+  exclude-rules:
+    - path: '(.+)_test.go'
+      linters:
+        - goconst
+        - funlen
+        - godot
+    - path: '(.+)_test.go'
+      text: ' always receives '
+      linters:
+        - unparam
+    - path: '(.+)\.go'
+      text: 'struct-tag: unknown option ''inline'' in JSON tag'
+      linters:
+        - revive
+    - path: pkg/server/service/bufferpool.go
+      text: 'SA6002: argument should be pointer-like to avoid allocations'
+    - path: pkg/server/middleware/middlewares.go
+      text: "Function 'buildConstructor' has too many statements"
+      linters:
+        - funlen
+    - path: pkg/tracing/haystack/logger.go
+      linters:
+        - goprintffuncname
+    - path: pkg/tracing/tracing.go
+      text: "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
+      linters:
+        - goprintffuncname
+    - path: pkg/tls/tlsmanager_test.go
+      text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
+    - path: pkg/types/tls_test.go
+      text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
+    - path: pkg/provider/kubernetes/(crd|gateway)/client.go
+      linters:
+        - interfacebloat
+    - path: pkg/metrics/metrics.go
+      linters:
+        - interfacebloat
+    - path: integration/healthcheck_test.go
+      text: 'Duplicate words \(wsp2,\) found'
+      linters:
+        - dupword
+    - path: pkg/types/domain_test.go
+      text: 'Duplicate words \(sub\) found'
+      linters:
+        - dupword
+    - path: pkg/provider/kubernetes/gateway/client_mock_test.go
+      text: 'unusedwrite: unused write to field'
+      linters:
+        - govet

.goreleaser.yml

@@ -7,12 +7,13 @@ before:
 builds:
   - binary: traefik
 
-    main: ./cmd/traefik/traefik.go
+    main: ./cmd/traefik/
     env:
       - CGO_ENABLED=0
     ldflags:
-      - -s -w -X github.com/containous/traefik/v2/pkg/version.Version={{.Version}} -X github.com/containous/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/containous/traefik/v2/pkg/version.BuildDate={{.Date}}
-
+      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
+    flags:
+      - -trimpath
     goos:
       - linux
       - darwin
@@ -21,21 +22,27 @@ builds:
       - openbsd
     goarch:
       - amd64
-      - 386
+      - '386'
       - arm
       - arm64
       - ppc64le
+      - s390x
     goarm:
-      - 7
-      - 6
-      - 5
+      - '7'
+      - '6'
     ignore:
       - goos: darwin
-        goarch: 386
+        goarch: '386'
       - goos: openbsd
         goarch: arm
+      - goos: openbsd
+        goarch: arm64
       - goos: freebsd
         goarch: arm
+      - goos: freebsd
+        goarch: arm64
+      - goos: windows
+        goarch: arm
 
 changelog:
   skip: true

.semaphore/semaphore.yml

@@ -0,0 +1,83 @@
+version: v1.0
+name: Traefik
+agent:
+  machine:
+    type: e1-standard-4
+    os_image: ubuntu2004
+
+fail_fast:
+  stop:
+    when: "branch != 'master'"
+
+auto_cancel:
+  queued:
+    when: "branch != 'master'"
+  running:
+    when: "branch != 'master'"
+
+global_job_config:
+  prologue:
+    commands:
+      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
+      - sudo semgo go1.20
+      - export "GOPATH=$(go env GOPATH)"
+      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
+      - export "PATH=${GOPATH}/bin:${PATH}"
+      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
+      - export GOPROXY=https://proxy.golang.org,direct
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.52.2
+      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
+      - checkout
+      - cache restore traefik-$(checksum go.sum)
+
+blocks:
+  - name: Test Integration
+    dependencies: []
+    run:
+      when: "branch =~ '.*' OR pull_request =~'.*'"
+    task:
+      jobs:
+        - name: Test Integration
+          commands:
+            - make pull-images
+            - touch webui/static/index.html # Avoid generating webui
+            - IN_DOCKER="" make binary
+            - make test-integration
+            - df -h
+      epilogue:
+        always:
+          commands:
+            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
+
+  - name: Release
+    dependencies: []
+    run:
+      when: "tag =~ '.*'"
+    task:
+      agent:
+        machine:
+          type: e1-standard-8
+          os_image: ubuntu2004
+      secrets:
+        - name: traefik
+      env_vars:
+        - name: GH_VERSION
+          value: 1.12.1
+        - name: CODENAME
+          value: "saintmarcelin"
+        - name: IN_DOCKER
+          value: ""
+      prologue:
+        commands:
+          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
+          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
+          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
+          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
+          - sudo rm -rf ~/.phpbrew ~/.kerl ~/.sbt ~/.nvm ~/.npm ~/.kiex /usr/lib/jvm /opt/az /opt/firefox /usr/lib/google-cloud-sdk ~/.rbenv ~/.pip_download_cache # Remove unnecessary data.
+          - sudo service docker stop && sudo umount /var/lib/docker && sudo service docker start # Unmounts the docker disk and the whole system disk is usable.
+      jobs:
+        - name: Release
+          commands:
+            - make release-packages
+            - gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/traefik*.* --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
+            - ./script/deploy.sh

.semaphoreci/cleanup.sh

@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-sudo rm -rf static

.semaphoreci/golang.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-curl -O https://dl.google.com/go/go"${GO_VERSION}".linux-amd64.tar.gz
-
-tar -xvf go"${GO_VERSION}".linux-amd64.tar.gz
-rm -rf go"${GO_VERSION}".linux-amd64.tar.gz
-
-sudo mkdir -p /usr/local/golang/"${GO_VERSION}"/go
-sudo mv go /usr/local/golang/"${GO_VERSION}"/
-
-sudo rm /usr/local/bin/go
-sudo chmod +x /usr/local/golang/"${GO_VERSION}"/go/bin/go
-sudo ln -s /usr/local/golang/"${GO_VERSION}"/go/bin/go /usr/local/bin/go
-
-export GOROOT="/usr/local/golang/${GO_VERSION}/go"
-export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"
-
-go version

.semaphoreci/job1.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-integration; fi

.semaphoreci/job2.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-ci_retry make validate
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
-
-if [ -n "$SHOULD_TEST" ]; then make -j"${N_MAKE_JOBS}" crossbinary-default-parallel; fi

.semaphoreci/setup.sh

@@ -1,35 +0,0 @@
-# For personnal CI
-# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/containous/
-# cd /home/runner/workspace/src/github.com/containous/traefik/
-for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
-sudo swapoff -a
-sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
-sudo mkswap /swapfile
-sudo swapon /swapfile
-sudo rm -rf /home/runner/.rbenv
-sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
-#export DOCKER_VERSION=18.06.3
-source .semaphoreci/vars
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
-echo ${SHOULD_TEST}
-if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
-echo ${TEMP_STORAGE}
-echo ${SHOULD_TEST}
-#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
-#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
-if [ -n "$SHOULD_TEST" ]; then docker version; fi
-export GO_VERSION=1.12
-if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-#if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
-echo "Selected Go version: ${GO_VERSION}"
-
-if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
-if [ -f "./.semaphoreci/golang.sh" ]; then export GOROOT="/usr/local/golang/${GO_VERSION}/go"; fi
-if [ -f "./.semaphoreci/golang.sh" ]; then export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"; fi
-go version
-
-if [ -f "./go.mod" ]; then export GO111MODULE=on; fi
-if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
-if [ -f "./go.mod" ]; then go mod download; fi
-
-df

.semaphoreci/vars

@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-export REPO='containous/traefik'
-
-if VERSION=$(git describe --exact-match --abbrev=0 --tags);
-then
-  export VERSION
-else
-  export VERSION=''
-fi
-
-export CODENAME=montdor
-
-export N_MAKE_JOBS=2
-
-
-function ci_retry {
-
-    local NRETRY=3
-    local NSLEEP=5
-    local n=0
-
-    until [ $n -ge $NRETRY ]
-    do
-        "$@" && break
-        n=$((n+1))
-        echo "${*} failed, attempt ${n}/${NRETRY}"
-        sleep $NSLEEP
-    done
-
-    [ $n -lt $NRETRY ]
-
-}
-
-export -f ci_retry

.travis.yml

@@ -1,58 +0,0 @@
-sudo: required
-dist: trusty
-
-git:
-  depth: false
-
-services:
-  - docker
-
-env:
-  global:
-    - REPO=$TRAVIS_REPO_SLUG
-    - VERSION=$TRAVIS_TAG
-    - CODENAME=montdor
-    - GO111MODULE=on
-
-script:
-- echo "Skipping tests... (Tests are executed on SemaphoreCI)"
-- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs; fi
-
-before_deploy:
-  - >
-    if ! [ "$BEFORE_DEPLOY_RUN" ]; then
-      export BEFORE_DEPLOY_RUN=1;
-      sudo -E apt-get -yq update;
-      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
-      docker version;
-      make build-image;
-      if [ "$TRAVIS_TAG" ]; then
-        make release-packages;
-      fi;
-      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
-      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
-    fi
-
-deploy:
-  - provider: releases
-    api_key: ${GITHUB_TOKEN}
-    file: dist/traefik*
-    skip_cleanup: true
-    file_glob: true
-    on:
-      repo: containous/traefik
-      tags: true
-  - provider: script
-    script: sh script/deploy.sh
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-      tags: true
-  - provider: pages
-    edge: false
-    github_token: ${GITHUB_TOKEN}
-    local_dir: site
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-      all_branches: true

CODE_OF_CONDUCT.md

@@ -2,7 +2,7 @@
 
 ## Our Pledge
 
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience,nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
 
 ## Our Standards
 
@@ -30,15 +30,19 @@ Project maintainers have the right and responsibility to remove, edit, or reject
 
 ## Scope
 
-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. 
-Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or our community.
+
+Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
 Representation of a project may be further defined and clarified by project maintainers.
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us
-All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
-The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
+
+All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.
+
+The project team is obligated to maintain confidentiality with regard to the reporter of an incident.
+
 Further details of specific enforcement policies may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
@@ -48,4 +52,4 @@ Project maintainers who do not follow or enforce the Code of Conduct in good fai
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -1,3 +1,11 @@
 # Contributing
 
-See <https://docs.traefik.io/v2.0/contributing/thank-you/>.
+Here are some guidelines that should help to start contributing to the project.
+
+- [Submitting pull Requests](https://doc.traefik.io/traefik/contributing/submitting-pull-requests/)
+- [Submitting issues](https://doc.traefik.io/traefik/contributing/submitting-issues/)
+- [Submitting security issues](https://doc.traefik.io/traefik/contributing/submitting-security-issues/)
+- [Advocating for Traefik](https://doc.traefik.io/traefik/contributing/advocating/)
+- [Triage Process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)
+
+If you are willing to become a maintainer of the project, please take a look at the [maintainers guidelines](docs/content/contributing/maintainers-guidelines.md).

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020-2023 Traefik Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -1,5 +1,3 @@
-.PHONY: all docs docs-serve
-
 SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')
 
 TAG_NAME := $(shell git tag -l --contains HEAD)
@@ -7,17 +5,16 @@ SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))
 
-BIND_DIR := "dist"
-
 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 
 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
+TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")
 
-INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
+INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)",-v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 
+# only used when running in docker
 TRAEFIK_ENVS := \
 	-e OS_ARCH_ARG \
 	-e OS_PLATFORM_ARG \
@@ -27,124 +24,187 @@ TRAEFIK_ENVS := \
 	-e CODENAME \
 	-e TESTDIRS \
 	-e CI \
-	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.
+	-e IN_DOCKER=true		# Indicator for integration tests that we are running inside a container.
 
-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/dist:/go/src/github.com/traefik/traefik/dist"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
-DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
-DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
+DOCKER_NON_INTERACTIVE ?= false
+DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_TEST := docker run --add-host=host.docker.internal:127.0.0.1 --rm --name=traefik --network traefik-test-network -v $(PWD):$(PWD) -w $(PWD) $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
 
-PRE_TARGET ?= build-dev-image
+IN_DOCKER ?= true
 
+.PHONY: default
 default: binary
 
-## Build Dev Docker image
-build-dev-image: dist
-	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
-
-## Build Dev Docker image without cache
-build-dev-image-no-cache: dist
-	docker build --no-cache -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
-
 ## Create the "dist" directory
 dist:
-	mkdir dist
+	mkdir -p dist
+
+## Build Dev Docker image
+.PHONY: build-dev-image
+build-dev-image: dist
+ifneq ("$(IN_DOCKER)", "")
+	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" --build-arg HOST_PWD="$(PWD)" -f build.Dockerfile .
+endif
+
+## Build Dev Docker image without cache
+.PHONY: build-dev-image-no-cache
+build-dev-image-no-cache: dist
+ifneq ("$(IN_DOCKER)", "")
+	docker build $(DOCKER_BUILD_ARGS) --no-cache -t "$(TRAEFIK_DEV_IMAGE)" --build-arg HOST_PWD="$(PWD)" -f build.Dockerfile .
+endif
 
 ## Build WebUI Docker image
+.PHONY: build-webui-image
 build-webui-image:
 	docker build -t traefik-webui -f webui/Dockerfile webui
 
+## Clean WebUI static generated assets
+.PHONY: clean-webui
+clean-webui:
+	rm -r webui/static
+	mkdir -p webui/static
+	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
+
 ## Generate WebUI
-generate-webui: build-webui-image
-	if [ ! -d "static" ]; then \
-		mkdir -p static; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
-		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
-	fi
+webui/static/index.html:
+	$(MAKE) build-webui-image
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui npm run build:nc
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
 
-## Build the linux binary
-binary: generate-webui $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+.PHONY: generate-webui
+generate-webui: webui/static/index.html
 
-## Build the binary for the standard plaforms (linux, darwin, windows)
+## Build the binary
+.PHONY: binary
+binary: generate-webui build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+
+## Build the linux binary locally
+.PHONY: binary-debug
+binary-debug: generate-webui
+	GOOS=linux ./script/make.sh binary
+
+## Build the binary for the standard platforms (linux, darwin, windows)
+.PHONY: crossbinary-default
 crossbinary-default: generate-webui build-dev-image
 	$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default
 
-## Build the binary for the standard plaforms (linux, darwin, windows) in parallel
+## Build the binary for the standard platforms (linux, darwin, windows) in parallel
+.PHONY: crossbinary-default-parallel
 crossbinary-default-parallel:
 	$(MAKE) generate-webui
 	$(MAKE) build-dev-image crossbinary-default
 
 ## Run the unit and integration tests
+.PHONY: test
 test: build-dev-image
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit binary test-integration
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit binary test-integration
 
 ## Run the unit tests
-test-unit: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate test-unit
-
-## Pull all images for integration tests
-pull-images:
-	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
+.PHONY: test-unit
+test-unit: build-dev-image
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit
 
 ## Run the integration tests
-test-integration: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
-	TEST_HOST=1 ./script/make.sh test-integration
+.PHONY: test-integration
+test-integration: build-dev-image
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate binary test-integration
+
+## Pull all images for integration tests
+.PHONY: pull-images
+pull-images:
+	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml \
+		| awk '{print $$2}' \
+		| sort \
+		| uniq \
+		| xargs -P 6 -n 1 docker pull
 
 ## Validate code and docs
-validate-files: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
+.PHONY: validate-files
+validate-files: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
 	bash $(CURDIR)/script/validate-shell-script.sh
 
 ## Validate code, docs, and vendor
-validate: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
+.PHONY: validate
+validate: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
 	bash $(CURDIR)/script/validate-shell-script.sh
 
 ## Clean up static directory and build a Docker Traefik image
-build-image: binary
-	rm -rf static
+.PHONY: build-image
+build-image: clean-webui binary
 	docker build -t $(TRAEFIK_IMAGE) .
 
-## Build a Docker Traefik image
+## Build a Docker Traefik image without re-building the webui
+.PHONY: build-image-dirty
 build-image-dirty: binary
 	docker build -t $(TRAEFIK_IMAGE) .
 
+## Locally build traefik for linux, then shove it an alpine image, with basic tools.
+.PHONY: build-image-debug
+build-image-debug: binary-debug
+	docker build -t $(TRAEFIK_IMAGE) -f debug.Dockerfile .
+
 ## Start a shell inside the build env
+.PHONY: shell
 shell: build-dev-image
 	$(DOCKER_RUN_TRAEFIK) /bin/bash
 
 ## Build documentation site
+.PHONY: docs
 docs:
 	make -C ./docs docs
 
-## Serve the documentation site localy
+## Serve the documentation site locally
+.PHONY: docs-serve
 docs-serve:
 	make -C ./docs docs-serve
 
-## Generate CRD clientset
+## Pull image for doc building
+.PHONY: docs-pull-images
+docs-pull-images:
+	make -C ./docs docs-pull-images
+
+## Generate CRD clientset and CRD manifests
+.PHONY: generate-crd
 generate-crd:
-	./script/update-generated-crd-code.sh
+	@$(CURDIR)/script/code-gen.sh
+
+## Generate code from dynamic configuration https://github.com/traefik/genconf
+.PHONY: generate-genconf
+generate-genconf:
+	go run ./cmd/internal/gen/
 
 ## Create packages for the release
+.PHONY: release-packages
 release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish
-	$(DOCKER_RUN_TRAEFIK_NOTTY) tar cfz dist/traefik-${VERSION}.src.tar.gz \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish -p 2 --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
 		--exclude .travis \
 		--exclude .semaphoreci \
 		--exclude .github \
 		--exclude dist .
-	$(DOCKER_RUN_TRAEFIK_NOTTY) chown -R $(shell id -u):$(shell id -g) dist/
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/
 
 ## Format the Code
+.PHONY: fmt
 fmt:
 	gofmt -s -l -w $(SRCS)
 
+.PHONY: run-dev
 run-dev:
 	go generate
 	GO111MODULE=on go build ./cmd/traefik

README.md

@@ -1,17 +1,19 @@
 
 <p align="center">
-<img src="docs/content/assets/img/traefik.logo.png" alt="Traefik" title="Traefik" />
+    <picture>
+      <source media="(prefers-color-scheme: dark)" srcset="docs/content/assets/img/traefik.logo-dark.png">
+      <source media="(prefers-color-scheme: light)" srcset="docs/content/assets/img/traefik.logo.png">
+      <img alt="Traefik" title="Traefik" src="docs/content/assets/img/traefik.logo.png">
+    </picture>
 </p>
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
-[![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
+[![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
+[![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
-
 Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
 Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
@@ -33,7 +35,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:warning: Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).
 
 ## Overview
 
@@ -64,27 +66,19 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
-- Packaged as a single binary file (made with :heart: with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
-
+- Packaged as a single binary file (made with :heart: with go) and available as an [official](https://hub.docker.com/r/_/traefik/) docker image
 
 ## Supported Backends
 
-- [Docker](https://docs.traefik.io/configuration/backends/docker) / [Swarm mode](https://docs.traefik.io/configuration/backends/docker#docker-swarm-mode)
-- [Kubernetes](https://docs.traefik.io/configuration/backends/kubernetes)
-- [Mesos](https://docs.traefik.io/configuration/backends/mesos) / [Marathon](https://docs.traefik.io/configuration/backends/marathon)
-- [Rancher](https://docs.traefik.io/configuration/backends/rancher) (API, Metadata)
-- [Azure Service Fabric](https://docs.traefik.io/configuration/backends/servicefabric)
-- [Consul Catalog](https://docs.traefik.io/configuration/backends/consulcatalog)
-- [Consul](https://docs.traefik.io/configuration/backends/consul) / [Etcd](https://docs.traefik.io/configuration/backends/etcd) / [Zookeeper](https://docs.traefik.io/configuration/backends/zookeeper) / [BoltDB](https://docs.traefik.io/configuration/backends/boltdb)
-- [Eureka](https://docs.traefik.io/configuration/backends/eureka)
-- [Amazon ECS](https://docs.traefik.io/configuration/backends/ecs)
-- [Amazon DynamoDB](https://docs.traefik.io/configuration/backends/dynamodb)
-- [File](https://docs.traefik.io/configuration/backends/file)
-- [Rest](https://docs.traefik.io/configuration/backends/rest)
+- [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
+- [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
+- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
+- [File](https://doc.traefik.io/traefik/providers/file/)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://doc.traefik.io/traefik/getting-started/quick-start/) in our documentation (you will need Docker).
 
 ## Web UI
 
@@ -94,27 +88,27 @@ You can access the simple HTML frontend of Traefik.
 
 ## Documentation
 
-You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
-A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
+You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
 
-:warning: If you're testing out v2, please ensure you are using the [v2 documentation](https://docs.traefik.io/v2.0/).
+A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
 ## Support
 
 To get community support, you can:
-- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
 
-If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+- join the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
+
+If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.
 
 ## Download
 
-- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):
 
 ```shell
 ./traefik --configFile=traefik.toml
 ```
 
-- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
@@ -123,26 +117,18 @@ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.to
 - Or get the sources:
 
 ```shell
-git clone https://github.com/containous/traefik
+git clone https://github.com/traefik/traefik
 ```
 
 ## Introductory Videos
 
-:warning: Please be aware that these videos are for v1.X. The old configurations for Traefik v1.X are NOT compatible with Traefik v2. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
-
-Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
-You will learn Traefik basics in less than 10 minutes.
-
-[![Traefik GopherCon 2017](https://img.youtube.com/vi/RgudiksfL-k/0.jpg)](https://www.youtube.com/watch?v=RgudiksfL-k)
-
-Here is a talk given by [Ed Robinson](https://github.com/errm) at [ContainerCamp UK](https://container.camp) conference.
-You will learn fundamental Traefik features and see some demos with Kubernetes.
-
-[![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
+You can find high level and deep dive videos on [videos.traefik.io](https://videos.traefik.io).
 
 ## Maintainers
 
-[Information about process and maintainers](docs/content/contributing/maintainers.md)
+We are strongly promoting a philosophy of openness and sharing, and firmly standing against the elitist closed approach. Being part of the core team should be accessible to anyone who is motivated and want to be part of that journey!
+This [document](docs/content/contributing/maintainers-guidelines.md) describes how to be part of the core team as well as various responsibilities and guidelines for Traefik maintainers.
+You can also find more information on our process to review pull requests and manage issues [in this document](docs/content/contributing/maintainers.md).
 
 ## Contributing
 
@@ -153,24 +139,24 @@ By participating in this project, you agree to abide by its terms.
 
 ## Release Cycle
 
-- We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
-- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0)
-- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only)
+- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
 
-Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
 
-We use [Semantic Versioning](http://semver.org/)
+We use [Semantic Versioning](https://semver.org/).
 
-## Mailing lists
+## Mailing Lists
 
-- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news)
+- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news).
 - Security announcements: mail at security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
 
 ## Credits
 
-Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the logo ![logo](docs/content/assets/img/traefik.icon.png).
+Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the gopher's logo!.
 
-Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
+The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.
 
-Traefik's logo was inspired by the gopher stickers made by Takuya Ueda (https://twitter.com/tenntenn).
-The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
+The gopher's logo of Traefik was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
+The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).

SECURITY.md

@@ -0,0 +1,28 @@
+# Security Policy
+
+You can join our security mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Supported Versions
+
+- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
+
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
+
+We use [Semantic Versioning](https://semver.org/).
+
+| Version   | Supported          |
+| --------- | ------------------ |
+| `2.2.x`   | :white_check_mark: |
+| `< 2.2.x` | :x:                |
+| `1.7.x`   | :white_check_mark: |
+| `< 1.7.x` | :x:                |
+
+## Reporting a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).

build.Dockerfile

@@ -1,7 +1,6 @@
-FROM golang:1.13-alpine
+FROM golang:1.20-alpine
 
-RUN apk --update upgrade \
-    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
     && update-ca-certificates \
     && rm -rf /var/cache/apk/*
 
@@ -13,25 +12,26 @@ RUN mkdir -p /usr/local/bin \
     && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
     | tar -xzC /usr/local/bin --transform 's#^.+/##x'
 
-# Download go-bindata binary to bin folder in $GOPATH
-RUN mkdir -p /usr/local/bin \
-    && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
-    && chmod +x /usr/local/bin/go-bindata
-
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.18.0
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.52.2
 
-# Download golangci-lint and misspell binary to bin folder in $GOPATH
-RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell
+# Download misspell binary to bin folder in $GOPATH
+RUN curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.4.0
 
 # Download goreleaser binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
+RUN curl -sfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | sh
 
-WORKDIR /go/src/github.com/containous/traefik
+WORKDIR /go/src/github.com/traefik/traefik
+
+# Because of CVE-2022-24765 (https://github.blog/2022-04-12-git-security-vulnerability-announced/),
+# we configure git to allow the Traefik codebase path on the Host for docker in docker usages.
+ARG HOST_PWD=""
+
+RUN git config --global --add safe.directory "${HOST_PWD}"
 
 # Download go modules
 COPY go.mod .
 COPY go.sum .
 RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
 
-COPY . /go/src/github.com/containous/traefik
+COPY . /go/src/github.com/traefik/traefik

cmd/configuration.go

@@ -3,8 +3,8 @@ package cmd
 import (
 	"time"
 
-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/types"
+	ptypes "github.com/traefik/paerser/types"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
@@ -23,7 +23,7 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			},
 			EntryPoints: make(static.EntryPoints),
 			Providers: &static.Providers{
-				ProvidersThrottleDuration: types.Duration(2 * time.Second),
+				ProvidersThrottleDuration: ptypes.Duration(2 * time.Second),
 			},
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,

cmd/context.go

@@ -1,22 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-)
-
-// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified
-func ContextWithSignal(ctx context.Context) context.Context {
-	newCtx, cancel := context.WithCancel(ctx)
-	signals := make(chan os.Signal)
-	signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		select {
-		case <-signals:
-			cancel()
-		}
-	}()
-	return newCtx
-}

cmd/healthcheck/healthcheck.go

@@ -7,15 +7,15 @@ import (
 	"os"
 	"time"
 
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // NewCmd builds a new HealthCheck command.
 func NewCmd(traefikConfiguration *static.Configuration, loaders []cli.ResourceLoader) *cli.Command {
 	return &cli.Command{
 		Name:          "healthcheck",
-		Description:   `Calls Traefik /ping to check the health of Traefik (the API must be enabled).`,
+		Description:   `Calls Traefik /ping endpoint (disabled by default) to check the health of Traefik.`,
 		Configuration: traefikConfiguration,
 		Run:           runCmd(traefikConfiguration),
 		Resources:     loaders,
@@ -45,21 +45,26 @@ func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
 	}
 }
 
-// Do try to do a healthcheck
+// Do try to do a healthcheck.
 func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 	if staticConfiguration.Ping == nil {
 		return nil, errors.New("please enable `ping` to use health check")
 	}
 
-	pingEntryPoint, ok := staticConfiguration.EntryPoints["traefik"]
+	ep := staticConfiguration.Ping.EntryPoint
+	if ep == "" {
+		ep = "traefik"
+	}
+
+	pingEntryPoint, ok := staticConfiguration.EntryPoints[ep]
 	if !ok {
-		return nil, errors.New("missing `ping` entrypoint")
+		return nil, fmt.Errorf("ping: missing %s entry point", ep)
 	}
 
 	client := &http.Client{Timeout: 5 * time.Second}
 	protocol := "http"
 
-	// FIXME Handle TLS on ping etc...
+	// TODO Handle TLS on ping etc...
 	// if pingEntryPoint.TLS != nil {
 	// 	protocol = "https"
 	// 	tr := &http.Transport{
@@ -70,5 +75,5 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 
 	path := "/"
 
-	return client.Head(protocol + "://" + pingEntryPoint.Address + path + "ping")
+	return client.Head(protocol + "://" + pingEntryPoint.GetAddress() + path + "ping")
 }

cmd/internal/gen/centrifuge.go

@@ -0,0 +1,341 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/format"
+	"go/importer"
+	"go/token"
+	"go/types"
+	"io"
+	"log"
+	"os"
+	"path"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"strings"
+
+	"golang.org/x/tools/imports"
+)
+
+// File a kind of AST element that represents a file.
+type File struct {
+	Package  string
+	Imports  []string
+	Elements []Element
+}
+
+// Element is a simplified version of a symbol.
+type Element struct {
+	Name  string
+	Value string
+}
+
+// Centrifuge a centrifuge.
+// Generate Go Structures from Go structures.
+type Centrifuge struct {
+	IncludedImports []string
+	ExcludedTypes   []string
+	ExcludedFiles   []string
+
+	TypeCleaner    func(types.Type, string) string
+	PackageCleaner func(string) string
+
+	rootPkg string
+	fileSet *token.FileSet
+	pkg     *types.Package
+}
+
+// NewCentrifuge creates a new Centrifuge.
+func NewCentrifuge(rootPkg string) (*Centrifuge, error) {
+	fileSet := token.NewFileSet()
+
+	pkg, err := importer.ForCompiler(fileSet, "source", nil).Import(rootPkg)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Centrifuge{
+		fileSet: fileSet,
+		pkg:     pkg,
+		rootPkg: rootPkg,
+
+		TypeCleaner: func(typ types.Type, _ string) string {
+			return typ.String()
+		},
+		PackageCleaner: func(s string) string {
+			return s
+		},
+	}, nil
+}
+
+// Run runs the code extraction and the code generation.
+func (c Centrifuge) Run(dest string, pkgName string) error {
+	files := c.run(c.pkg.Scope(), c.rootPkg, pkgName)
+
+	err := fileWriter{baseDir: dest}.Write(files)
+	if err != nil {
+		return err
+	}
+
+	for _, p := range c.pkg.Imports() {
+		if contains(c.IncludedImports, p.Path()) {
+			fls := c.run(p.Scope(), p.Path(), p.Name())
+
+			err = fileWriter{baseDir: filepath.Join(dest, p.Name())}.Write(fls)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return err
+}
+
+func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) map[string]*File {
+	files := map[string]*File{}
+
+	for _, name := range sc.Names() {
+		if contains(c.ExcludedTypes, name) {
+			continue
+		}
+
+		o := sc.Lookup(name)
+		if !o.Exported() {
+			continue
+		}
+
+		filename := filepath.Base(c.fileSet.File(o.Pos()).Name())
+		if contains(c.ExcludedFiles, path.Join(rootPkg, filename)) {
+			continue
+		}
+
+		fl, ok := files[filename]
+		if !ok {
+			files[filename] = &File{Package: pkgName}
+			fl = files[filename]
+		}
+
+		elt := Element{
+			Name: name,
+		}
+
+		switch ob := o.(type) {
+		case *types.TypeName:
+
+			switch obj := ob.Type().(*types.Named).Underlying().(type) {
+			case *types.Struct:
+				elt.Value = c.writeStruct(name, obj, rootPkg, fl)
+
+			case *types.Map:
+				elt.Value = fmt.Sprintf("type %s map[%s]%s\n", name, obj.Key().String(), c.TypeCleaner(obj.Elem(), rootPkg))
+
+			case *types.Slice:
+				elt.Value = fmt.Sprintf("type %s []%v\n", name, c.TypeCleaner(obj.Elem(), rootPkg))
+
+			case *types.Basic:
+				elt.Value = fmt.Sprintf("type %s %v\n", name, obj.Name())
+
+			default:
+				log.Printf("OTHER TYPE::: %s %T\n", name, o.Type().(*types.Named).Underlying())
+				continue
+			}
+
+		default:
+			log.Printf("OTHER::: %s %T\n", name, o)
+			continue
+		}
+
+		if len(elt.Value) > 0 {
+			fl.Elements = append(fl.Elements, elt)
+		}
+	}
+
+	return files
+}
+
+func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string, elt *File) string {
+	b := strings.Builder{}
+	b.WriteString(fmt.Sprintf("type %s struct {\n", name))
+
+	for i := 0; i < obj.NumFields(); i++ {
+		field := obj.Field(i)
+
+		if !field.Exported() {
+			continue
+		}
+
+		fPkg := c.PackageCleaner(extractPackage(field.Type()))
+		if fPkg != "" && fPkg != rootPkg {
+			elt.Imports = append(elt.Imports, fPkg)
+		}
+
+		fType := c.TypeCleaner(field.Type(), rootPkg)
+
+		if field.Embedded() {
+			b.WriteString(fmt.Sprintf("\t%s\n", fType))
+			continue
+		}
+
+		values, ok := lookupTagValue(obj.Tag(i), "json")
+		if len(values) > 0 && values[0] == "-" {
+			continue
+		}
+
+		b.WriteString(fmt.Sprintf("\t%s %s", field.Name(), fType))
+
+		if ok {
+			b.WriteString(fmt.Sprintf(" `json:\"%s\"`", strings.Join(values, ",")))
+		}
+
+		b.WriteString("\n")
+	}
+
+	b.WriteString("}\n")
+
+	return b.String()
+}
+
+func lookupTagValue(raw, key string) ([]string, bool) {
+	value, ok := reflect.StructTag(raw).Lookup(key)
+	if !ok {
+		return nil, ok
+	}
+
+	values := strings.Split(value, ",")
+
+	if len(values) < 1 {
+		return nil, true
+	}
+
+	return values, true
+}
+
+func extractPackage(t types.Type) string {
+	switch tu := t.(type) {
+	case *types.Named:
+		return tu.Obj().Pkg().Path()
+
+	case *types.Slice:
+		if v, ok := tu.Elem().(*types.Named); ok {
+			return v.Obj().Pkg().Path()
+		}
+		return ""
+
+	case *types.Map:
+		if v, ok := tu.Elem().(*types.Named); ok {
+			return v.Obj().Pkg().Path()
+		}
+		return ""
+
+	case *types.Pointer:
+		return extractPackage(tu.Elem())
+
+	default:
+		return ""
+	}
+}
+
+func contains(values []string, value string) bool {
+	for _, val := range values {
+		if val == value {
+			return true
+		}
+	}
+
+	return false
+}
+
+type fileWriter struct {
+	baseDir string
+}
+
+func (f fileWriter) Write(files map[string]*File) error {
+	err := os.MkdirAll(f.baseDir, 0o755)
+	if err != nil {
+		return err
+	}
+
+	for name, file := range files {
+		err = f.writeFile(name, file)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (f fileWriter) writeFile(name string, desc *File) error {
+	if len(desc.Elements) == 0 {
+		return nil
+	}
+
+	filename := filepath.Join(f.baseDir, name)
+
+	file, err := os.Create(filename)
+	if err != nil {
+		return fmt.Errorf("failed to create file: %w", err)
+	}
+
+	defer func() { _ = file.Close() }()
+
+	b := bytes.NewBufferString("package ")
+	b.WriteString(desc.Package)
+	b.WriteString("\n")
+	b.WriteString("// Code generated by centrifuge. DO NOT EDIT.\n")
+
+	b.WriteString("\n")
+	f.writeImports(b, desc.Imports)
+	b.WriteString("\n")
+
+	for _, elt := range desc.Elements {
+		b.WriteString(elt.Value)
+		b.WriteString("\n")
+	}
+
+	// gofmt
+	source, err := format.Source(b.Bytes())
+	if err != nil {
+		log.Println(b.String())
+		return fmt.Errorf("failed to format sources: %w", err)
+	}
+
+	// goimports
+	process, err := imports.Process(filename, source, nil)
+	if err != nil {
+		log.Println(string(source))
+		return fmt.Errorf("failed to format imports: %w", err)
+	}
+
+	_, err = file.Write(process)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (f fileWriter) writeImports(b io.StringWriter, imports []string) {
+	if len(imports) == 0 {
+		return
+	}
+
+	uniq := map[string]struct{}{}
+
+	sort.Strings(imports)
+
+	_, _ = b.WriteString("import (\n")
+	for _, s := range imports {
+		if _, exist := uniq[s]; exist {
+			continue
+		}
+
+		uniq[s] = struct{}{}
+
+		_, _ = b.WriteString(fmt.Sprintf(`	"%s"`+"\n", s))
+	}
+
+	_, _ = b.WriteString(")\n")
+}

cmd/internal/gen/main.go

@@ -0,0 +1,124 @@
+package main
+
+import (
+	"fmt"
+	"go/build"
+	"go/types"
+	"log"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+)
+
+const rootPkg = "github.com/traefik/traefik/v2/pkg/config/dynamic"
+
+const (
+	destModuleName = "github.com/traefik/genconf"
+	destPkg        = "dynamic"
+)
+
+const marsh = `package %s
+
+import "encoding/json"
+
+type JSONPayload struct {
+	*Configuration
+}
+
+func (c JSONPayload) MarshalJSON() ([]byte, error) {
+	if c.Configuration == nil {
+		return nil, nil
+	}
+
+	return json.Marshal(c.Configuration)
+}
+`
+
+// main generate Go Structures from Go structures.
+// Allows to create an external module (destModuleName) used by the plugin's providers
+// that contains Go structs of the dynamic configuration and nothing else.
+// These Go structs do not have any non-exported fields and do not rely on any external dependencies.
+func main() {
+	dest := filepath.Join(path.Join(build.Default.GOPATH, "src"), destModuleName, destPkg)
+
+	log.Println("Output:", dest)
+
+	err := run(dest)
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func run(dest string) error {
+	centrifuge, err := NewCentrifuge(rootPkg)
+	if err != nil {
+		return err
+	}
+
+	centrifuge.IncludedImports = []string{
+		"github.com/traefik/traefik/v2/pkg/tls",
+		"github.com/traefik/traefik/v2/pkg/types",
+	}
+
+	centrifuge.ExcludedTypes = []string{
+		// tls
+		"CertificateStore", "Manager",
+		// dynamic
+		"Message", "Configurations",
+		// types
+		"HTTPCodeRanges", "HostResolverConfig",
+	}
+
+	centrifuge.ExcludedFiles = []string{
+		"github.com/traefik/traefik/v2/pkg/types/logs.go",
+		"github.com/traefik/traefik/v2/pkg/types/metrics.go",
+	}
+
+	centrifuge.TypeCleaner = cleanType
+	centrifuge.PackageCleaner = cleanPackage
+
+	err = centrifuge.Run(dest, destPkg)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0o666)
+}
+
+func cleanType(typ types.Type, base string) string {
+	if typ.String() == "github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+		return "string"
+	}
+
+	if typ.String() == "[]github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+		return "[]string"
+	}
+
+	if typ.String() == "github.com/traefik/paerser/types.Duration" {
+		return "string"
+	}
+
+	if strings.Contains(typ.String(), base) {
+		return strings.ReplaceAll(typ.String(), base+".", "")
+	}
+
+	if strings.Contains(typ.String(), "github.com/traefik/traefik/v2/pkg/") {
+		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v2/pkg/", "")
+	}
+
+	return typ.String()
+}
+
+func cleanPackage(src string) string {
+	switch src {
+	case "github.com/traefik/paerser/types":
+		return ""
+	case "github.com/traefik/traefik/v2/pkg/tls":
+		return path.Join(destModuleName, destPkg, "tls")
+	case "github.com/traefik/traefik/v2/pkg/types":
+		return path.Join(destModuleName, destPkg, "types")
+	default:
+		return src
+	}
+}

cmd/traefik/plugins.go

@@ -0,0 +1,83 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/plugins"
+)
+
+const outputDir = "./plugins-storage/"
+
+func createPluginBuilder(staticConfiguration *static.Configuration) (*plugins.Builder, error) {
+	client, plgs, localPlgs, err := initPlugins(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return plugins.NewBuilder(client, plgs, localPlgs)
+}
+
+func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, map[string]plugins.LocalDescriptor, error) {
+	err := checkUniquePluginNames(staticCfg.Experimental)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	var client *plugins.Client
+	plgs := map[string]plugins.Descriptor{}
+
+	if hasPlugins(staticCfg) {
+		opts := plugins.ClientOptions{
+			Output: outputDir,
+		}
+
+		var err error
+		client, err = plugins.NewClient(opts)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("unable to create plugins client: %w", err)
+		}
+
+		err = plugins.SetupRemotePlugins(client, staticCfg.Experimental.Plugins)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("unable to set up plugins environment: %w", err)
+		}
+
+		plgs = staticCfg.Experimental.Plugins
+	}
+
+	localPlgs := map[string]plugins.LocalDescriptor{}
+
+	if hasLocalPlugins(staticCfg) {
+		err := plugins.SetupLocalPlugins(staticCfg.Experimental.LocalPlugins)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		localPlgs = staticCfg.Experimental.LocalPlugins
+	}
+
+	return client, plgs, localPlgs, nil
+}
+
+func checkUniquePluginNames(e *static.Experimental) error {
+	if e == nil {
+		return nil
+	}
+
+	for s := range e.LocalPlugins {
+		if _, ok := e.Plugins[s]; ok {
+			return fmt.Errorf("the plugin's name %q must be unique", s)
+		}
+	}
+
+	return nil
+}
+
+func hasPlugins(staticCfg *static.Configuration) bool {
+	return staticCfg.Experimental != nil && len(staticCfg.Experimental.Plugins) > 0
+}
+
+func hasLocalPlugins(staticCfg *static.Configuration) bool {
+	return staticCfg.Experimental != nil && len(staticCfg.Experimental.LocalPlugins) > 0
+}

cmd/traefik/traefik.go

@@ -2,42 +2,55 @@ package main
 
 import (
 	"context"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	stdlog "log"
 	"net/http"
 	"os"
+	"os/signal"
 	"path/filepath"
+	"sort"
 	"strings"
+	"syscall"
 	"time"
 
-	"github.com/containous/traefik/v2/autogen/genstatic"
-	"github.com/containous/traefik/v2/cmd"
-	"github.com/containous/traefik/v2/cmd/healthcheck"
-	cmdVersion "github.com/containous/traefik/v2/cmd/version"
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/collector"
-	"github.com/containous/traefik/v2/pkg/config/dynamic"
-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/log"
-	"github.com/containous/traefik/v2/pkg/provider/acme"
-	"github.com/containous/traefik/v2/pkg/provider/aggregator"
-	"github.com/containous/traefik/v2/pkg/safe"
-	"github.com/containous/traefik/v2/pkg/server"
-	"github.com/containous/traefik/v2/pkg/server/router"
-	traefiktls "github.com/containous/traefik/v2/pkg/tls"
-	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
-	assetfs "github.com/elazarl/go-bindata-assetfs"
+	"github.com/go-acme/lego/v4/challenge"
+	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/sirupsen/logrus"
-	"github.com/vulcand/oxy/roundrobin"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/cmd"
+	"github.com/traefik/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+	tcli "github.com/traefik/traefik/v2/pkg/cli"
+	"github.com/traefik/traefik/v2/pkg/collector"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/metrics"
+	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v2/pkg/provider/acme"
+	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/server"
+	"github.com/traefik/traefik/v2/pkg/server/middleware"
+	"github.com/traefik/traefik/v2/pkg/server/service"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/tracing"
+	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
+	"github.com/traefik/traefik/v2/pkg/types"
+	"github.com/traefik/traefik/v2/pkg/version"
+	"github.com/vulcand/oxy/v2/roundrobin"
 )
 
 func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()
 
-	loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.FlagLoader{}, &cli.EnvLoader{}}
+	loaders := []cli.ResourceLoader{&tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}
 
 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -65,10 +78,10 @@ Complete documentation is available at https://traefik.io`,
 	err = cli.Execute(cmdTraefik)
 	if err != nil {
 		stdlog.Println(err)
-		os.Exit(1)
+		logrus.Exit(1)
 	}
 
-	os.Exit(0)
+	logrus.Exit(0)
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
@@ -77,7 +90,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
 	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set roundrobin default weight: %v", err)
+		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
 	}
 
 	staticConfiguration.SetEffectiveConfiguration()
@@ -95,55 +108,18 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
 	}
 
-	if staticConfiguration.API != nil && staticConfiguration.API.Dashboard {
-		staticConfiguration.API.DashboardAssets = &assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"}
-	}
-
 	if staticConfiguration.Global.CheckNewVersion {
 		checkNewVersion()
 	}
 
 	stats(staticConfiguration)
 
-	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
-
-	tlsManager := traefiktls.NewManager()
-
-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
-
-	serverEntryPointsTCP := make(server.TCPEntryPoints)
-	for entryPointName, config := range staticConfiguration.EntryPoints {
-		ctx := log.With(context.Background(), log.Str(log.EntryPointName, entryPointName))
-		serverEntryPointsTCP[entryPointName], err = server.NewTCPEntryPoint(ctx, config)
-		if err != nil {
-			return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
-		}
-		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProviders)
-
+	svr, err := setupServer(staticConfiguration)
+	if err != nil {
+		return err
 	}
 
-	svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)
-
-	resolverNames := map[string]struct{}{}
-
-	for _, p := range acmeProviders {
-		resolverNames[p.ResolverName] = struct{}{}
-		svr.AddListener(p.ListenConfiguration)
-	}
-
-	svr.AddListener(func(config dynamic.Configuration) {
-		for rtName, rt := range config.HTTP.Routers {
-			if rt.TLS == nil || rt.TLS.CertResolver == "" {
-				continue
-			}
-
-			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
-			}
-		}
-	})
-
-	ctx := cmd.ContextWithSignal(context.Background())
+	ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 
 	if staticConfiguration.Ping != nil {
 		staticConfiguration.Ping.WithContext(ctx)
@@ -169,7 +145,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 			for range tick {
 				resp, errHealthCheck := healthcheck.Do(*staticConfiguration)
 				if resp != nil {
-					resp.Body.Close()
+					_ = resp.Body.Close()
 				}
 
 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
@@ -185,42 +161,384 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	svr.Wait()
 	log.WithoutContext().Info("Shutting down")
-	logrus.Exit(0)
 	return nil
 }
 
-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration
-func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
-	challengeStore := acme.NewLocalChallengeStore()
+func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
+	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
+
+	ctx := context.Background()
+	routinesPool := safe.NewPool(ctx)
+
+	// adds internal provider
+	err := providerAggregator.AddProvider(traefik.New(*staticConfiguration))
+	if err != nil {
+		return nil, err
+	}
+
+	// ACME
+
+	tlsManager := traefiktls.NewManager()
+	httpChallengeProvider := acme.NewChallengeHTTP()
+
+	tlsChallengeProvider := acme.NewChallengeTLSALPN()
+	err = providerAggregator.AddProvider(tlsChallengeProvider)
+	if err != nil {
+		return nil, err
+	}
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
+
+	// Entrypoints
+
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
+	if err != nil {
+		return nil, err
+	}
+
+	serverEntryPointsUDP, err := server.NewUDPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	if staticConfiguration.Pilot != nil {
+		log.WithoutContext().Warn("Traefik Pilot has been removed.")
+	}
+
+	// Plugins
+
+	pluginBuilder, err := createPluginBuilder(staticConfiguration)
+	if err != nil {
+		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
+	}
+
+	// Providers plugins
+
+	for name, conf := range staticConfiguration.Providers.Plugin {
+		if pluginBuilder == nil {
+			break
+		}
+
+		p, err := pluginBuilder.BuildProvider(name, conf)
+		if err != nil {
+			return nil, fmt.Errorf("plugin: failed to build provider: %w", err)
+		}
+
+		err = providerAggregator.AddProvider(p)
+		if err != nil {
+			return nil, fmt.Errorf("plugin: failed to add provider: %w", err)
+		}
+	}
+
+	// Metrics
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+
+	// Service manager factory
+
+	roundTripperManager := service.NewRoundTripperManager()
+	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)
+
+	// Router factory
+
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	tracer := setupTracing(staticConfiguration.Tracing)
+
+	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)
+
+	// Watcher
+
+	watcher := server.NewConfigurationWatcher(
+		routinesPool,
+		providerAggregator,
+		getDefaultsEntrypoints(staticConfiguration),
+		"internal",
+	)
+
+	// TLS
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		ctx := context.Background()
+		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
+
+		gauge := metricsRegistry.TLSCertsNotAfterTimestampGauge()
+		for _, certificate := range tlsManager.GetServerCertificates() {
+			appendCertMetric(gauge, certificate)
+		}
+	})
+
+	// Metrics
+	watcher.AddListener(func(_ dynamic.Configuration) {
+		metricsRegistry.ConfigReloadsCounter().Add(1)
+		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
+	})
+
+	// Server Transports
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		roundTripperManager.Update(conf.HTTP.ServersTransports)
+	})
+
+	// Switch router
+	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP))
+
+	// Metrics
+	if metricsRegistry.IsEpEnabled() || metricsRegistry.IsRouterEnabled() || metricsRegistry.IsSvcEnabled() {
+		var eps []string
+		for key := range serverEntryPointsTCP {
+			eps = append(eps, key)
+		}
+		watcher.AddListener(func(conf dynamic.Configuration) {
+			metrics.OnConfigurationUpdate(conf, eps)
+		})
+	}
+
+	// TLS challenge
+	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)
+
+	// ACME
+	resolverNames := map[string]struct{}{}
+	for _, p := range acmeProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.ListenConfiguration)
+	}
+
+	// Certificate resolver logs
+	watcher.AddListener(func(config dynamic.Configuration) {
+		for rtName, rt := range config.HTTP.Routers {
+			if rt.TLS == nil || rt.TLS.CertResolver == "" {
+				continue
+			}
+
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+			}
+		}
+	})
+
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
+}
+
+func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvider http.Handler) http.Handler {
+	var acmeHTTPHandler http.Handler
+	for _, p := range acmeProviders {
+		if p != nil && p.HTTPChallenge != nil {
+			acmeHTTPHandler = httpChallengeProvider
+			break
+		}
+	}
+	return acmeHTTPHandler
+}
+
+func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
+	var defaultEntryPoints []string
+	for name, cfg := range staticConfiguration.EntryPoints {
+		protocol, err := cfg.GetProtocol()
+		if err != nil {
+			// Should never happen because Traefik should not start if protocol is invalid.
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+		}
+
+		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
+			defaultEntryPoints = append(defaultEntryPoints, name)
+		}
+	}
+
+	sort.Strings(defaultEntryPoints)
+	return defaultEntryPoints
+}
+
+func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints) func(conf dynamic.Configuration) {
+	return func(conf dynamic.Configuration) {
+		rtConf := runtime.NewConfig(conf)
+
+		routers, udpRouters := routerFactory.CreateRouters(rtConf)
+
+		serverEntryPointsTCP.Switch(routers)
+		serverEntryPointsUDP.Switch(udpRouters)
+	}
+}
+
+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}
 
 	var resolvers []*acme.Provider
 	for name, resolver := range c.CertificatesResolvers {
-		if resolver.ACME != nil {
-			if localStores[resolver.ACME.Storage] == nil {
-				localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
-			}
+		if resolver.ACME == nil {
+			continue
+		}
 
-			p := &acme.Provider{
-				Configuration:  resolver.ACME,
-				Store:          localStores[resolver.ACME.Storage],
-				ChallengeStore: challengeStore,
-				ResolverName:   name,
-			}
+		if localStores[resolver.ACME.Storage] == nil {
+			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+		}
 
-			if err := providerAggregator.AddProvider(p); err != nil {
-				log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
-				continue
-			}
-			p.SetTLSManager(tlsManager)
-			if p.TLSChallenge != nil {
-				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
-			}
-			p.SetConfigListenerChan(make(chan dynamic.Configuration))
-			resolvers = append(resolvers, p)
+		p := &acme.Provider{
+			Configuration:         resolver.ACME,
+			Store:                 localStores[resolver.ACME.Storage],
+			ResolverName:          name,
+			HTTPChallengeProvider: httpChallengeProvider,
+			TLSChallengeProvider:  tlsChallengeProvider,
+		}
+
+		if err := providerAggregator.AddProvider(p); err != nil {
+			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			continue
+		}
+
+		p.SetTLSManager(tlsManager)
+
+		p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
+		resolvers = append(resolvers, p)
+	}
+
+	return resolvers
+}
+
+func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
+	if metricsConfig == nil {
+		return nil
+	}
+
+	var registries []metrics.Registry
+
+	if metricsConfig.Prometheus != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
+		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		if prometheusRegister != nil {
+			registries = append(registries, prometheusRegister)
+			log.FromContext(ctx).Debug("Configured Prometheus metrics")
 		}
 	}
-	return resolvers
+
+	if metricsConfig.Datadog != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
+		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
+		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
+			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+	}
+
+	if metricsConfig.StatsD != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
+		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
+		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
+			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+	}
+
+	if metricsConfig.InfluxDB != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
+		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
+		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
+			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+	}
+
+	if metricsConfig.InfluxDB2 != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
+		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
+		if influxDB2Register != nil {
+			registries = append(registries, influxDB2Register)
+			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
+				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
+		}
+	}
+
+	return registries
+}
+
+func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
+	sort.Strings(certificate.DNSNames)
+
+	labels := []string{
+		"cn", certificate.Subject.CommonName,
+		"serial", certificate.SerialNumber.String(),
+		"sans", strings.Join(certificate.DNSNames, ","),
+	}
+
+	notAfter := float64(certificate.NotAfter.Unix())
+
+	gauge.With(labels...).Set(notAfter)
+}
+
+func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
+	if conf == nil {
+		return nil
+	}
+
+	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
+	if err != nil {
+		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
+		return nil
+	}
+
+	return accessLoggerMiddleware
+}
+
+func setupTracing(conf *static.Tracing) *tracing.Tracing {
+	if conf == nil {
+		return nil
+	}
+
+	var backend tracing.Backend
+
+	if conf.Jaeger != nil {
+		backend = conf.Jaeger
+	}
+
+	if conf.Zipkin != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
+		} else {
+			backend = conf.Zipkin
+		}
+	}
+
+	if conf.Datadog != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
+		} else {
+			backend = conf.Datadog
+		}
+	}
+
+	if conf.Instana != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
+		} else {
+			backend = conf.Instana
+		}
+	}
+
+	if conf.Haystack != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
+		} else {
+			backend = conf.Haystack
+		}
+	}
+
+	if conf.Elastic != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
+		} else {
+			backend = conf.Elastic
+		}
+	}
+
+	if backend == nil {
+		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
+		defaultBackend := &jaeger.Config{}
+		defaultBackend.SetDefaults()
+		backend = defaultBackend
+	}
+
+	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
+	if err != nil {
+		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		return nil
+	}
+	return tracer
 }
 
 func configureLogging(staticConfiguration *static.Configuration) {
@@ -260,7 +578,7 @@ func configureLogging(staticConfiguration *static.Configuration) {
 	if len(logFile) > 0 {
 		dir := filepath.Dir(logFile)
 
-		if err := os.MkdirAll(dir, 0755); err != nil {
+		if err := os.MkdirAll(dir, 0o755); err != nil {
 			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
 		}
 
@@ -292,13 +610,13 @@ func stats(staticConfiguration *static.Configuration) {
 		logger.Info(`Stats collection is enabled.`)
 		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
 		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://docs.traefik.io/v2.0/contributing/data-collection/`)
+		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
 		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/v2.0/contributing/data-collection/
+More details on: https://doc.traefik.io/traefik/contributing/data-collection/
 `)
 	}
 }

cmd/traefik/traefik_test.go

@@ -0,0 +1,116 @@
+package main
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"strings"
+	"testing"
+
+	"github.com/go-kit/kit/metrics"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// FooCert is a PEM-encoded TLS cert.
+// generated from src/crypto/tls:
+// go run generate_cert.go  --rsa-bits 1024 --host foo.org,foo.com  --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+const fooCert = `-----BEGIN CERTIFICATE-----
+MIICHzCCAYigAwIBAgIQXQFLeYRwc5X21t457t2xADANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQDCjn67GSs/khuGC4GNN+tVo1S+/eSHwr/hWzhfMqO7nYiXkFzmxi+u14CU
+Pda6WOeps7T2/oQEFMxKKg7zYOqkLSbjbE0ZfosopaTvEsZm/AZHAAvoOrAsIJOn
+SEiwy8h0tLA4z1SNR6rmIVQWyqBZEPAhBTQM1z7tFp48FakCFwIDAQABo3QwcjAO
+BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUDHG3ASzeUezElup9zbPpBn/vjogwGwYDVR0RBBQwEoIH
+Zm9vLm9yZ4IHZm9vLmNvbTANBgkqhkiG9w0BAQsFAAOBgQBT+VLMbB9u27tBX8Aw
+ZrGY3rbNdBGhXVTksrjiF+6ZtDpD3iI56GH9zLxnqvXkgn3u0+Ard5TqF/xmdwVw
+NY0V/aWYfcL2G2auBCQrPvM03ozRnVUwVfP23eUzX2ORNHCYhd2ObQx4krrhs7cJ
+SWxtKwFlstoXY3K2g9oRD9UxdQ==
+-----END CERTIFICATE-----`
+
+// BarCert is a PEM-encoded TLS cert.
+// generated from src/crypto/tls:
+// go run generate_cert.go  --rsa-bits 1024 --host bar.org,bar.com  --ca --start-date "Jan 1 00:00:00 1970" --duration=10000h
+const barCert = `-----BEGIN CERTIFICATE-----
+MIICHTCCAYagAwIBAgIQcuIcNEXzBHPoxna5S6wG4jANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMB4XDTcwMDEwMTAwMDAwMFoXDTcxMDIyMTE2MDAw
+MFowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAqtcrP+KA7D6NjyztGNIPMup9KiBMJ8QL+preog/YHR7SQLO3kGFhpS3WKMab
+SzMypC3ZX1PZjBP5ZzwaV3PFbuwlCkPlyxR2lOWmullgI7mjY0TBeYLDIclIzGRp
+mpSDDSpkW1ay2iJDSpXjlhmwZr84hrCU7BRTQJo91fdsRTsCAwEAAaN0MHIwDgYD
+VR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFK8jnzFQvBAgWtfzOyXY4VSkwrTXMBsGA1UdEQQUMBKCB2Jh
+ci5vcmeCB2Jhci5jb20wDQYJKoZIhvcNAQELBQADgYEAJz0ifAExisC/ZSRhWuHz
+7qs1i6Nd4+YgEVR8dR71MChP+AMxucY1/ajVjb9xlLys3GPE90TWSdVppabEVjZY
+Oq11nPKc50ItTt8dMku6t0JHBmzoGdkN0V4zJCBqdQJxhop8JpYJ0S9CW0eT93h3
+ipYQSsmIINGtMXJ8VkP/MlM=
+-----END CERTIFICATE-----`
+
+type gaugeMock struct {
+	metrics map[string]float64
+	labels  string
+}
+
+func (g gaugeMock) With(labelValues ...string) metrics.Gauge {
+	g.labels = strings.Join(labelValues, ",")
+	return g
+}
+
+func (g gaugeMock) Set(value float64) {
+	g.metrics[g.labels] = value
+}
+
+func (g gaugeMock) Add(delta float64) {
+	panic("implement me")
+}
+
+func TestAppendCertMetric(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		certs    []string
+		expected map[string]float64
+	}{
+		{
+			desc:     "No certs",
+			certs:    []string{},
+			expected: map[string]float64{},
+		},
+		{
+			desc:  "One cert",
+			certs: []string{fooCert},
+			expected: map[string]float64{
+				"cn,,serial,123624926713171615935660664614975025408,sans,foo.com,foo.org": 3.6e+09,
+			},
+		},
+		{
+			desc:  "Two certs",
+			certs: []string{fooCert, barCert},
+			expected: map[string]float64{
+				"cn,,serial,123624926713171615935660664614975025408,sans,foo.com,foo.org": 3.6e+09,
+				"cn,,serial,152706022658490889223053211416725817058,sans,bar.com,bar.org": 3.6e+07,
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			gauge := &gaugeMock{
+				metrics: map[string]float64{},
+			}
+
+			for _, cert := range test.certs {
+				block, _ := pem.Decode([]byte(cert))
+				parsedCert, err := x509.ParseCertificate(block.Bytes)
+				require.NoError(t, err)
+
+				appendCertMetric(gauge, parsedCert)
+			}
+
+			assert.Equal(t, test.expected, gauge.metrics)
+		})
+	}
+}

cmd/version/version.go

@@ -7,8 +7,8 @@ import (
 	"runtime"
 	"text/template"
 
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/version"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/version"
 )
 
 var versionTemplate = `Version:      {{.Version}}
@@ -17,7 +17,7 @@ Go version:   {{.GoVersion}}
 Built:        {{.BuildTime}}
 OS/Arch:      {{.Os}}/{{.Arch}}`
 
-// NewCmd builds a new Version command
+// NewCmd builds a new Version command.
 func NewCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
@@ -33,7 +33,7 @@ func NewCmd() *cli.Command {
 	}
 }
 
-// GetPrint write Printable version
+// GetPrint write Printable version.
 func GetPrint(wr io.Writer) error {
 	tmpl, err := template.New("").Parse(versionTemplate)
 	if err != nil {

contrib/grafana/traefik-kubernetes.json

@@ -130,7 +130,7 @@
       "tableColumn": "",
       "targets": [
         {
-          "expr": "count(kube_pod_status_ready{namespace=\"$namespace\",condition=\"true\",pod=~\"traefik.*\"})",
+          "expr": "count(kube_pod_status_ready{condition=\"true\",pod=~\"traefik.*\"})",
           "format": "time_series",
           "intervalFactor": 1,
           "refId": "A"
@@ -150,10 +150,7 @@
       "valueName": "current"
     },
     {
-      "aliasColors": {
-        "Latency over 1 min": "rgb(9, 116, 190)",
-        "Latency over 5 min": "#bf1b00"
-      },
+      "aliasColors": {},
       "bars": false,
       "dashLength": 10,
       "dashes": false,
@@ -183,22 +180,17 @@
       "pointradius": 5,
       "points": false,
       "renderer": "flot",
-      "seriesOverrides": [
-        {
-          "alias": "Latency over 5 min",
-          "yaxis": 1
-        }
-      ],
+      "seriesOverrides": [],
       "spaceLength": 10,
       "stack": false,
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\", code=\"200\",method=\"GET\"}[5m])) by (le))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (le))",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 1,
-          "legendFormat": "Latency over 1 min",
+          "legendFormat": "Latency over 5 min",
           "refId": "A"
         }
       ],
@@ -281,7 +273,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.$percentiles, rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\",code=\"200\",method=\"GET\"}[5m]))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (instance, le))",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "{{ instance }}",
@@ -343,7 +335,7 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 7,
           "gridPos": {
             "h": 7,
@@ -379,7 +371,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(traefik_entrypoint_open_connections{namespace=\"$namespace\"}) by (method)",
+              "expr": "sum(traefik_entrypoint_open_connections) by (method)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{ method }}",
@@ -431,7 +423,7 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 7,
@@ -465,7 +457,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\",le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_entrypoint_request_duration_seconds_count{namespace=\"$namespace\",code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Code 200",
@@ -511,9 +503,97 @@
             "align": false,
             "alignLevel": null
           }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 23
+          },
+          "id": 3,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_entrypoint_requests_total[1m])) by (entrypoint)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ entrypoint }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per entrypoint",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
         }
       ],
-      "title": "Frontends (entrypoints)",
+      "title": "Entrypoints",
       "type": "row"
     },
     {
@@ -522,7 +602,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 16
+        "y": 33
       },
       "id": 24,
       "panels": [
@@ -531,13 +611,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 7,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 0,
-            "y": 17
+            "y": 34
           },
           "id": 25,
           "legend": {
@@ -567,7 +647,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(traefik_backend_open_connections{namespace=\"$namespace\"}) by (method)",
+              "expr": "sum(traefik_service_open_connections) by (method)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{ method }}",
@@ -619,13 +699,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 12,
-            "y": 17
+            "y": 34
           },
           "id": 26,
           "legend": {
@@ -653,7 +733,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_request_duration_seconds_bucket{namespace=\"$namespace\",le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_backend_request_duration_seconds_count{namespace=\"$namespace\",code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_service_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Code 200",
@@ -699,9 +779,97 @@
             "align": false,
             "alignLevel": null
           }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 41
+          },
+          "id": 4,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_service_requests_total[1m])) by (service)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per service",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
         }
       ],
-      "title": "Backends",
+      "title": "Services",
       "type": "row"
     },
     {
@@ -710,7 +878,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 17
+        "y": 51
       },
       "id": 15,
       "panels": [
@@ -725,7 +893,7 @@
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 18
+            "y": 52
           },
           "id": 5,
           "legend": {
@@ -755,7 +923,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code=~\"2..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"2..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{method}} : {{code}}",
@@ -813,7 +981,7 @@
             "h": 9,
             "w": 12,
             "x": 12,
-            "y": 18
+            "y": 52
           },
           "id": 27,
           "legend": {
@@ -841,7 +1009,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code=~\"5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"5..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{method}} : {{code}}",
@@ -899,95 +1067,7 @@
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 27
-          },
-          "id": 3,
-          "legend": {
-            "alignAsTable": true,
-            "avg": true,
-            "current": true,
-            "max": true,
-            "min": false,
-            "rightSide": true,
-            "show": true,
-            "sort": "avg",
-            "sortDesc": true,
-            "total": false,
-            "values": true
-          },
-          "lines": false,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\"}[1m])) by (backend)",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{ backend }}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeShift": null,
-          "title": "Backend total requests over 1min per backend",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": true,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "${DS_PROMETHEUS}",
-          "fill": 1,
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 27
+            "y": 61
           },
           "id": 6,
           "legend": {
@@ -1016,7 +1096,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code!~\"2..|5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{ method }} : {{code}}",
@@ -1026,7 +1106,7 @@
           "thresholds": [],
           "timeFrom": null,
           "timeShift": null,
-          "title": "Others status code over 5min",
+          "title": "Others statuses code over 5min",
           "tooltip": {
             "shared": true,
             "sort": 0,
@@ -1064,7 +1144,7 @@
           }
         }
       ],
-      "title": "HTTP Codes  stats",
+      "title": "HTTP Codes stats",
       "type": "row"
     },
     {
@@ -1073,7 +1153,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 18
+        "y": 70
       },
       "id": 35,
       "panels": [
@@ -1082,13 +1162,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 19
+            "y": 71
           },
           "id": 31,
           "legend": {
@@ -1116,21 +1196,21 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "max(container_memory_usage_bytes{namespace=\"$namespace\", container_name=\"traefik\"})",
+              "expr": "sum(container_memory_usage_bytes{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
-              "legendFormat": "Max memory used",
+              "legendFormat": "Memory used",
               "refId": "A"
             },
             {
-              "expr": "avg(kube_pod_container_resource_requests_memory_bytes{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_requests_memory_bytes{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
-              "legendFormat": "Requested memory usage",
+              "legendFormat": "Requested memory",
               "refId": "B"
             },
             {
-              "expr": "avg(kube_pod_container_resource_limits_memory_bytes{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_limits_memory_bytes{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Limit memory usage",
@@ -1140,7 +1220,7 @@
           "thresholds": [],
           "timeFrom": null,
           "timeShift": null,
-          "title": "Traefik max memory usage",
+          "title": "Traefik memory usage",
           "tooltip": {
             "shared": true,
             "sort": 0,
@@ -1182,13 +1262,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 9,
             "w": 12,
             "x": 12,
-            "y": 19
+            "y": 71
           },
           "id": 33,
           "legend": {
@@ -1215,21 +1295,21 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "max(rate(container_cpu_usage_seconds_total{namespace=\"$namespace\", container_name=\"traefik\"}[1m]))",
+              "expr": "sum(rate(container_cpu_usage_seconds_total{container=\"traefik\"}[2m]))",
               "format": "time_series",
               "intervalFactor": 1,
-              "legendFormat": "Max cpu used",
+              "legendFormat": "Cpu used",
               "refId": "A"
             },
             {
-              "expr": "avg(kube_pod_container_resource_requests_cpu_cores{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_requests_cpu_cores{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
-              "legendFormat": "Requested cpu usage",
+              "legendFormat": "Requested cpu",
               "refId": "B"
             },
             {
-              "expr": "avg(kube_pod_container_resource_limits_cpu_cores{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_limits_cpu_cores{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Limit cpu usage",
@@ -1239,7 +1319,7 @@
           "thresholds": [],
           "timeFrom": null,
           "timeShift": null,
-          "title": "Traefik max CPU usage",
+          "title": "Traefik CPU usage",
           "tooltip": {
             "shared": true,
             "sort": 0,
@@ -1277,7 +1357,7 @@
           }
         }
       ],
-      "title": "Pods ressources",
+      "title": "Pods resources",
       "type": "row"
     }
   ],
@@ -1288,26 +1368,6 @@
   ],
   "templating": {
     "list": [
-      {
-        "allValue": null,
-        "current": {},
-        "datasource": "${DS_PROMETHEUS}",
-        "hide": 0,
-        "includeAll": false,
-        "label": null,
-        "multi": false,
-        "name": "namespace",
-        "options": [],
-        "query": "label_values(traefik_config_reloads_total, namespace)",
-        "refresh": 1,
-        "regex": "",
-        "sort": 0,
-        "tagValuesQuery": "",
-        "tags": [],
-        "tagsQuery": "",
-        "type": "query",
-        "useTags": false
-      },
       {
         "allValue": null,
         "current": {
@@ -1370,5 +1430,5 @@
   "timezone": "",
   "title": "Traefik",
   "uid": "traefik-kubernetes",
-  "version": 1
+  "version": 2
 }

contrib/grafana/traefik.json

@@ -64,10 +64,7 @@
       "type": "row"
     },
     {
-      "aliasColors": {
-        "Latency over 1 min": "rgb(9, 116, 190)",
-        "Latency over 5 min": "#bf1b00"
-      },
+      "aliasColors": {},
       "bars": false,
       "dashLength": 10,
       "dashes": false,
@@ -97,22 +94,17 @@
       "pointradius": 5,
       "points": false,
       "renderer": "flot",
-      "seriesOverrides": [
-        {
-          "alias": "Latency over 5 min",
-          "yaxis": 1
-        }
-      ],
+      "seriesOverrides": [],
       "spaceLength": 10,
       "stack": false,
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=\"200\",method=\"GET\"}[5m])) by (le))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (le))",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 1,
-          "legendFormat": "Latency over 1 min",
+          "legendFormat": "Latency over 5 min",
           "refId": "A"
         }
       ],
@@ -195,7 +187,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.$percentiles, rate(traefik_entrypoint_request_duration_seconds_bucket{code=\"200\",method=\"GET\"}[5m]))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (instance, le))",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "{{ instance }}",
@@ -257,13 +249,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 7,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 0,
-            "y": 2
+            "y": 16
           },
           "id": 19,
           "legend": {
@@ -345,13 +337,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 12,
-            "y": 2
+            "y": 16
           },
           "id": 22,
           "legend": {
@@ -379,7 +371,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Code 200",
@@ -425,9 +417,97 @@
             "align": false,
             "alignLevel": null
           }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 23
+          },
+          "id": 3,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_entrypoint_requests_total[1m])) by (entrypoint)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ entrypoint }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per entrypoint",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
         }
       ],
-      "title": "Frontends (entrypoints)",
+      "title": "Entrypoints",
       "type": "row"
     },
     {
@@ -436,7 +516,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 16
+        "y": 33
       },
       "id": 24,
       "panels": [
@@ -445,13 +525,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 7,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 0,
-            "y": 3
+            "y": 34
           },
           "id": 25,
           "legend": {
@@ -481,7 +561,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(traefik_backend_open_connections) by (method)",
+              "expr": "sum(traefik_service_open_connections) by (method)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{ method }}",
@@ -533,13 +613,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 12,
-            "y": 3
+            "y": 34
           },
           "id": 26,
           "legend": {
@@ -567,7 +647,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_backend_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_service_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Code 200",
@@ -613,9 +693,97 @@
             "align": false,
             "alignLevel": null
           }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 41
+          },
+          "id": 4,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_service_requests_total[1m])) by (service)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per service",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
         }
       ],
-      "title": "Backends",
+      "title": "Services",
       "type": "row"
     },
     {
@@ -624,7 +792,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 17
+        "y": 51
       },
       "id": 15,
       "panels": [
@@ -639,7 +807,7 @@
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 4
+            "y": 52
           },
           "id": 5,
           "legend": {
@@ -669,7 +837,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{code=~\"2..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"2..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{method}} : {{code}}",
@@ -727,7 +895,7 @@
             "h": 9,
             "w": 12,
             "x": 12,
-            "y": 4
+            "y": 52
           },
           "id": 27,
           "legend": {
@@ -755,7 +923,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{code=~\"5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"5..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{method}} : {{code}}",
@@ -813,95 +981,7 @@
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 13
-          },
-          "id": 3,
-          "legend": {
-            "alignAsTable": true,
-            "avg": true,
-            "current": true,
-            "max": true,
-            "min": false,
-            "rightSide": true,
-            "show": true,
-            "sort": "avg",
-            "sortDesc": true,
-            "total": false,
-            "values": true
-          },
-          "lines": false,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(traefik_backend_requests_total[1m])) by (backend)",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{ backend }}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeShift": null,
-          "title": "Backend total requests over 1min per backend",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": true,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "${DS_PROMETHEUS}",
-          "fill": 1,
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 13
+            "y": 61
           },
           "id": 6,
           "legend": {
@@ -930,7 +1010,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{ method }} : {{code}}",
@@ -940,7 +1020,7 @@
           "thresholds": [],
           "timeFrom": null,
           "timeShift": null,
-          "title": "Others status code over 5min",
+          "title": "Others statuses code over 5min",
           "tooltip": {
             "shared": true,
             "sort": 0,
@@ -978,7 +1058,7 @@
           }
         }
       ],
-      "title": "HTTP Codes  stats",
+      "title": "HTTP Codes stats",
       "type": "row"
     }
   ],
@@ -1051,5 +1131,5 @@
   "timezone": "",
   "title": "Traefik",
   "uid": "traefik",
-  "version": 1
+  "version": 2
 }

contrib/systemd/traefik.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Traefik
-Documentation=https://docs.traefik.io
+Documentation=https://doc.traefik.io/traefik/
 #After=network-online.target
 #AssertFileIsExecutable=/usr/bin/traefik
 #AssertPathExists=/etc/traefik/traefik.toml

debug.Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:3.14
+# Feel free to add below any helpful dependency for debugging.
+# iproute2 is for ss.
+RUN apk --no-cache --no-progress add bash curl ca-certificates tzdata lsof iproute2 \
+    && update-ca-certificates \
+    && rm -rf /var/cache/apk/*
+COPY dist/traefik /
+EXPOSE 80
+VOLUME ["/tmp"]
+ENTRYPOINT ["/traefik"]

docs/.markdownlint.json

@@ -4,8 +4,10 @@
     "MD009": false,
     "MD013": false,
     "MD024": false,
+    "MD025": false,
     "MD026": false,
     "MD033": false,
     "MD034": false,
-    "MD036": false
+    "MD036": false,
+    "MD046": false
 }

docs/CNAME

@@ -1 +0,0 @@
-docs.traefik.io

docs/Makefile

@@ -1,4 +1,3 @@
-
 #######
 # This Makefile contains all targets related to the documentation
 #######
@@ -12,41 +11,55 @@ TRAEFIK_DOCS_CHECK_IMAGE ?= $(TRAEFIK_DOCS_BUILD_IMAGE)-check
 SITE_DIR := $(CURDIR)/site
 
 DOCKER_RUN_DOC_PORT := 8000
-DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs 
+DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs
 DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNTS) -p $(DOCKER_RUN_DOC_PORT):8000
 
 # Default: generates the documentation into $(SITE_DIR)
+.PHONY: docs
 docs: docs-clean docs-image docs-lint docs-build docs-verify
 
 # Writer Mode: build and serve docs on http://localhost:8000 with livereload
+.PHONY: docs-serve
 docs-serve: docs-image
 	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve
 
+## Pull image for doc building
+.PHONY: docs-pull-images
+docs-pull-images:
+	grep --no-filename -E '^FROM' ./*.Dockerfile \
+		| awk '{print $$2}' \
+		| sort \
+		| uniq \
+		| xargs -P 6 -n 1 docker pull
+
 # Utilities Targets for each step
+.PHONY: docs-image
 docs-image:
 	docker build -t $(TRAEFIK_DOCS_BUILD_IMAGE) -f docs.Dockerfile ./
 
+.PHONY: docs-build
 docs-build: docs-image
 	docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) sh -c "mkdocs build \
 		&& chown -R $(shell id -u):$(shell id -g) ./site"
 
+.PHONY: docs-verify
 docs-verify: docs-build
-	@if [ "$(DOCS_VERIFY_SKIP)" != "true" ]; then \
-		docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./; \
-		docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /verify.sh; \
-	else \
-		echo "DOCS_VERIFY_SKIP is true: no verification done."; \
-	fi
+ifneq ("$(DOCS_VERIFY_SKIP)", "true")
+	docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./
+	docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /verify.sh
+else
+	echo "DOCS_VERIFY_SKIP is true: no verification done."
+endif
 
+.PHONY: docs-lint
 docs-lint:
-	@if [ "$(DOCS_LINT_SKIP)" != "true" ]; then \
-		docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./ && \
-		docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /lint.sh; \
-	else \
-		echo "DOCS_LINT_SKIP is true: no linting done."; \
-	fi
+ifneq ("$(DOCS_LINT_SKIP)", "true")
+	docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./
+	docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /lint.sh
+else
+	echo "DOCS_LINT_SKIP is true: no linting done."
+endif
 
+.PHONY: docs-clean
 docs-clean:
 	rm -rf $(SITE_DIR)
-
-.PHONY: all docs-verify docs docs-clean docs-build docs-lint

docs/check.Dockerfile

@@ -1,31 +1,33 @@
+FROM alpine:3.14 as alpine
 
-FROM alpine:3.9 as alpine
-
-# The "build-dependencies" virtual package provides build tools for html-proofer installation.
-# It compile ruby-nokogiri, because alpine native version is always out of date
-# This virtual package is cleaned at the end.
 RUN apk --no-cache --no-progress add \
-    libcurl \
-    ruby \
-    ruby-bigdecimal \
-    ruby-etc \
-    ruby-ffi \
-    ruby-json \
-  && apk add --no-cache --virtual build-dependencies \
     build-base \
     libcurl \
     libxml2-dev \
     libxslt-dev \
+    ruby \
+    ruby-bigdecimal \
     ruby-dev \
-  && gem install --no-document html-proofer -v 3.10.2 \
-  && apk del build-dependencies
+    ruby-etc \
+    ruby-ffi \
+    ruby-json \
+    zlib-dev
+
+RUN gem install nokogiri --version 1.13.3 --no-document -- --use-system-libraries
+RUN gem install html-proofer --version 3.19.3 --no-document -- --use-system-libraries
 
 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
     git \
     nodejs \
-    npm \
-  && npm install markdownlint@0.12.0 markdownlint-cli@0.13.0 --global
+    npm
+
+# To handle 'not get uid/gid'
+RUN npm config set unsafe-perm true
+
+RUN npm install --global \
+    markdownlint@0.22.0 \
+    markdownlint-cli@0.26.0
 
 # Finally the shell tools we need for later
 # tini helps to terminate properly all the parallelized tasks when sending CTRL-C

docs/content/assets/styles/atom-one-light.css

@@ -1,96 +0,0 @@
-/*
-
-Atom One Light by Daniel Gamage
-Original One Light Syntax theme from https://github.com/atom/one-light-syntax
-
-base:    #fafafa
-mono-1:  #383a42
-mono-2:  #686b77
-mono-3:  #a0a1a7
-hue-1:   #0184bb
-hue-2:   #4078f2
-hue-3:   #a626a4
-hue-4:   #50a14f
-hue-5:   #e45649
-hue-5-2: #c91243
-hue-6:   #986801
-hue-6-2: #c18401
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #383a42;
-  background: #fafafa;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #a0a1a7;
-  font-style: italic;
-}
-
-.hljs-doctag,
-.hljs-keyword,
-.hljs-formula {
-  color: #a626a4;
-}
-
-.hljs-section,
-.hljs-name,
-.hljs-selector-tag,
-.hljs-deletion,
-.hljs-subst {
-  color: #e45649;
-}
-
-.hljs-literal {
-  color: #0184bb;
-}
-
-.hljs-string,
-.hljs-regexp,
-.hljs-addition,
-.hljs-attribute,
-.hljs-meta-string {
-  color: #50a14f;
-}
-
-.hljs-built_in,
-.hljs-class .hljs-title {
-  color: #c18401;
-}
-
-.hljs-attr,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-type,
-.hljs-selector-class,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-number {
-  color: #986801;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link,
-.hljs-meta,
-.hljs-selector-id,
-.hljs-title {
-  color: #4078f2;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-link {
-  text-decoration: underline;
-}

docs/content/assets/styles/extra.css

@@ -1,63 +0,0 @@
-@import url('https://fonts.googleapis.com/css?family=Noto+Sans|Noto+Serif');
-
-.md-logo img {
-    background-color: white;
-    border-radius: 50%;
-    width: 30px;
-    height: 30px;
-}
-
-/* Fix for Chrome */
-.md-typeset__table td code {
-    word-break: unset;
-}
-
-.md-typeset__table tr :nth-child(1) {
-    word-wrap: break-word;
-    max-width: 30em;
-}
-
-body {
-    font-family: 'Noto Sans', sans-serif;
-}
-
-h1 {
-    font-weight: bold !important;
-    color: rgba(0,0,0,.9) !important;
-}
-
-h2 {
-    font-weight: bold !important;
-}
-
-h3 {
-    font-weight: bold !important;
-}
-
-.md-typeset h5 {
-    text-transform: none;
-}
-
-figcaption {
-    text-align: center;
-    font-size: 0.8em;
-    font-style: italic;
-    color: #8D909F;
-}
-
-p.subtitle {
-    color: rgba(0,0,0,.54);
-    padding-top: 0;
-    margin-top: -2em;
-    font-weight: bold;
-    font-size: 1.25em;
-}
-
-.markdown-body .task-list-item {
-    list-style-type: none !important;
-}
-
-.markdown-body .task-list-item input[type="checkbox"] {
-    margin: 0 4px 0.25em -20px;
-    vertical-align: middle;
-}

docs/content/contributing/advocating.md

@@ -1,10 +1,31 @@
+---
+title: "Traefik Advocation Documentation"
+description: "There are many ways to contribute to Traefik Proxy. If you're talking about Traefik, let us know and we'll promote your enthusiasm!"
+---
+
 # Advocating
 
 Spread the Love & Tell Us about It
 {: .subtitle }
 
-There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.
+Traefik Proxy was started by the community for the community.
+You can contribute to the Traefik community in three main ways:
 
-If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
+**Spread the word!** Guides, videos, blog posts, how-to articles, and showing off your network design all help spread the word about Traefik Proxy
+and teach others in the community how to best implement it.
+It always sparks joy when users share how Traefik Proxy helps them solve their problems.
+If you are talking about Traefik Proxy, [let us know](https://traefik.io/submit-my-contribution/) and we will promote your work and reward your enthusiasm!
+If you are giving a talk that includes or is about Traefik Proxy, [let us know](https://traefik.io/submit-my-contribution/) and we will send you swag and stickers for your time at the conference.
+If you have written about Traefik or shared useful information you would like to promote, feel free to add links to the [dedicated wiki page on GitHub](https://github.com/traefik/traefik/wiki/Awesome-Traefik).
 
-Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/containous/traefik/wiki/Awesome-Traefik).
+**Help community members!** Everyone needs a place to share their cool innovations or get help with that pesky bug that only a different pair of eyes seems to be able to see.
+Join our [Community Forum](https://community.traefik.io/) where you can ask questions, help out other users, and share your neat configuration examples or snippets.
+Top contributors will be asked to join the Ambassador program and get unique swag to celebrate!
+
+**Build cool solutions!** Traefik Proxy would be so much better if only it had…
+We love all the wonderful ideas that our users come up with, but we can only build so much.
+Luckily, as an open source community, our users can help by [building awesome features](https://github.com/orgs/traefik/projects/9/views/7), enhancements, or bug fixes.
+We are a big community, so we do need to prioritize a bit.
+That is why we use the tag `contributor/wanted` to let you know which pull requests will make it to the front of the queue for design support and review.
+Feel free to grab one of these and run with it.
+Top contributors get unique swag to celebrate.

docs/content/contributing/building-testing.md

@@ -1,21 +1,33 @@
+---
+title: "Traefik Building & Testing Documentation"
+description: "Compile and test your own Traefik Proxy! Learn how to build your own Traefik binary from the sources, and read the technical documentation."
+---
+
 # Building and Testing
 
 Compile and Test Your Own Traefik!
 {: .subtitle }
 
-So you want to build your own Traefik binary from the sources?
+You want to build your own Traefik binary from the sources?
 Let's see how.
 
 ## Building
 
-You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
+You need either [Docker](https://github.com/docker/docker "Link to website of Docker") and `make` (Method 1), or [Go](https://go.dev/ "Link to website of Go") (Method 2) in order to build Traefik.
 For changes to its dependencies, the `dep` dependency management tool is required.
 
 ### Method 1: Using `Docker` and `Makefile`
 
 Run make with the `binary` target.
+
+```bash
+make binary
+```
+
 This will create binaries for the Linux platform in the `dist` folder.
 
+In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
+
 ```bash
 $ make binary
 docker build -t traefik-webui -f webui/Dockerfile webui
@@ -28,12 +40,12 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.13-alpine
+Step 1/10 : FROM golang:1.16-alpine
  ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
 Successfully tagged traefik-dev:4475--feature-documentation
-docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
+docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/traefik/traefik/"dist":/go/src/github.com/traefik/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
 ---> Making bundle: generate (in .)
 removed 'autogen/genstatic/gen.go'
 
@@ -43,7 +55,7 @@ $ ls dist/
 traefik*
 ```
 
-The following targets can be executed outside Docker by setting the variable `PRE_TARGET` to an empty string (we don't recommend that):
+The following targets can be executed outside Docker by setting the variable `IN_DOCKER` to an empty string (although be aware that some of the tests might fail in that context):
 
 - `test-unit`
 - `test-integration`
@@ -53,19 +65,19 @@ The following targets can be executed outside Docker by setting the variable `PR
 ex:
 
 ```bash
-PRE_TARGET= make test-unit
+IN_DOCKER= make test-unit
 ```
 
 ### Method 2: Using `go`
 
 Requirements:
 
-- `go` v1.13+
+- `go` v1.16+
 - environment variable `GO111MODULE=on`
 
 !!! tip "Source Directory"
 
-    It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
+    It is recommended that you clone Traefik into the `~/go/src/github.com/traefik/traefik` directory.
     This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.
 
 !!! note "Environment"
@@ -97,29 +109,22 @@ Requirements:
 #### Build Traefik
 
 Once you've set up your go environment and cloned the source repository, you can build Traefik.
-Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
 
 ```bash
-cd ~/go/src/github.com/containous/traefik
+# Generate UI static files
+make clean-webui generate-webui
 
-# Get go-bindata. (Important: the ellipses are required.)
-GO111MODULE=off go get github.com/containous/go-bindata/...
-
-# Let's build
-
-# generate
-# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
+# required to merge non-code components into the final binary,
+# such as the web dashboard/UI
 go generate
+```
 
+```bash
 # Standard go build
 go build ./cmd/traefik
 ```
 
-You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
-
-### Updating the templates
-
-If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
+You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/traefik/traefik` directory.
 
 ## Testing
 
@@ -133,13 +138,13 @@ Run all tests (unit and integration) using the `test` target.
 $ make test-unit
 docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
 # […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/traefik/traefik/dist:/go/src/github.com/traefik/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
 ---> Making bundle: generate (in .)
 removed 'gen.go'
 
 ---> Making bundle: test-unit (in .)
 + go test -cover -coverprofile=cover.out .
-ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
+ok      github.com/traefik/traefik   0.005s  coverage: 4.1% of statements
 
 Test success
 ```
@@ -160,14 +165,14 @@ TESTFLAGS="-check.f MyTestSuite.My" make test-integration
 TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
 ```
 
-More: https://labix.org/gocheck
+Check [gocheck](https://labix.org/gocheck "Link to website of gocheck") for more information.
 
 ### Method 2: `go`
 
 Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:
 
 ```test
-ok      _/home/user/go/src/github/containous/traefik    0.004s
+ok      _/home/user/go/src/github/traefik/traefik    0.004s
 ```
 
 Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.

docs/content/contributing/data-collection.md

@@ -1,3 +1,8 @@
+---
+title: "Traefik Data Collection Documentation"
+description: "To learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances. Read the technical documentation."
+---
+
 # Data Collection
 
 Understanding How Traefik is Being Used
@@ -5,23 +10,23 @@ Understanding How Traefik is Being Used
 
 ## Configuration Example
 
-Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.  
-For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.
+Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.
+For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us, so we can benefit from your experience and use cases.
 
 !!! example "Enabling Data Collection"
-    
-    ```toml tab="File (TOML)"
-    [global]
-      # Send anonymous usage data
-      sendAnonymousUsage = true
-    ```
-    
+
     ```yaml tab="File (YAML)"
     global:
       # Send anonymous usage data
       sendAnonymousUsage: true
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [global]
+      # Send anonymous usage data
+      sendAnonymousUsage = true
+    ```
+
     ```bash tab="CLI"
     # Send anonymous usage data
     --global.sendAnonymousUsage
@@ -29,7 +34,7 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
 
 ## Collected Data
 
-This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
+This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).
 
 In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
@@ -40,59 +45,58 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 
 - the Traefik version number
 - a hash of the configuration
-- an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
+- an **anonymized version** of the static configuration (token, username, password, URL, IP, domain, email, etc., are removed).
 
-!!! note
-    We do not collect the dynamic configuration information (routers & services).
-    We do not collect these data to run advertising programs.
-    We do not sell these data to third-parties.
+!!! info
+
+    - We do not collect the dynamic configuration information (routers & services).
+    - We do not collect this data to run advertising programs.
+    - We do not sell this data to third-parties.
 
 ### Example of Collected Data
 
-??? example "Original configuration"
+```yaml tab="Original configuration"
+entryPoints:
+  web:
+  address: ":80"
 
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-         address = ":80"
-    
-    [api]
-    
-    [providers.docker]
-      endpoint = "tcp://10.10.10.10:2375"
-      exposedByDefault = true
-      swarmMode = true
-    
-      [providers.docker.TLS]
-        ca = "dockerCA"
-        cert = "dockerCert"
-        key = "dockerKey"
-        insecureSkipVerify = true
-    ```
+api: {}
 
-??? example "Resulting Obfuscated Configuration"
+providers:
+  docker:
+    endpoint: "tcp://10.10.10.10:2375"
+    exposedByDefault: true
+    swarmMode: true
 
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-    [api]
-    
-    [providers.docker]
-      endpoint = "xxxx"
-      exposedByDefault = true
-      swarmMode = true
-    
-      [providers.docker.TLS]
-        ca = "xxxx"
-        cert = "xxxx"
-        key = "xxxx"
-        insecureSkipVerify = false
-    ```
+    tls:
+      ca: dockerCA
+      cert: dockerCert
+      key: dockerKey
+      insecureSkipVerify: true
+```
+
+```yaml tab="Resulting Obfuscated Configuration"
+entryPoints:
+  web:
+  address: ":80"
+
+api: {}
+
+providers:
+  docker:
+    endpoint: "xxxx"
+    exposedByDefault: true
+    swarmMode: true
+
+    tls:
+      ca: xxxx
+      cert: xxxx
+      key: xxxx
+      insecureSkipVerify: true
+```
 
 ## The Code for Data Collection
 
-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/pkg/collector/collector.go)
+If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
 
-By default we anonymize all configuration fields, except fields tagged with `export=true`.
+By default, we anonymize all configuration fields, except fields tagged with `export=true`.

docs/content/contributing/documentation.md

@@ -1,3 +1,8 @@
+---
+title: "Traefik Contribution Documentation"
+description: "Found something unclear in the Traefik Proxy documentation and want to give a try at explaining it better? Read the guide to building documentation."
+---
+
 # Documentation
 
 Features Are Better When You Know How to Use Them
@@ -10,17 +15,21 @@ Let's see how.
 
 ### General
 
-This [documentation](https://docs.traefik.io/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").
 
 ### Method 1: `Docker` and `make`
 
-You can build the documentation and test it locally (with live reloading), using the `docs` target:
+Please make sure you have the following requirements installed:
+
+- [Docker](https://www.docker.com/ "Link to website of Docker")
+
+You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:
 
 ```bash
-$ make docs
+$ make docs-serve
 docker build -t traefik-docs -f docs.Dockerfile .
 # […]
-docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
+docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
 # […]
 [I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
 [I 170828 20:47:48 handlers:60] Start watching changes
@@ -29,7 +38,7 @@ docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000
 
 !!! tip "Default URL"
 
-    Your local documentation server will run by default on [http://127.0.0.1:8000](http://127.0.0.1:8000).
+    Your local documentation server will run by default on <http://127.0.0.1:8000>.
 
 If you only want to build the documentation without serving it locally, you can use the following command:
 
@@ -38,9 +47,12 @@ $ make docs-build
 ...
 ```
 
-### Method 2: `mkdocs`
+### Method 2: `MkDocs`
 
-First, make sure you have `python` and `pip` installed.
+Please make sure you have the following requirements installed:
+
+- [Python](https://www.python.org/ "Link to website of Python")
+- [pip](https://pypi.org/project/pip/ "Link to the website of pip on PyPI")
 
 ```bash
 $ python --version
@@ -49,7 +61,7 @@ $ pip --version
 pip 1.5.2
 ```
 
-Then, install mkdocs with `pip`.
+Then, install MkDocs with `pip`.
 
 ```bash
 pip install --user -r requirements.txt
@@ -75,24 +87,26 @@ To check that the documentation meets standard expectations (no dead links, html
 $ make docs-verify
 docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
 ...
-docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
+docker run --rm -v /home/travis/build/traefik/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
 === Checking HTML content...
 Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
 ```
 
 !!! note "Clean & Verify"
 
-    If you've made changes to the documentation, it's safter to clean it before verifying it. 
+    If you've made changes to the documentation, it's safer to clean it before verifying it.
 
     ```bash
-    $ make docs-clean docs-verify
+    $ make docs
     ...
     ```
 
+    Will perform all necessary steps for you.
+
 !!! note "Disabling Documentation Verification"
 
     Verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`:
-    
+
     ```shell
     DOCS_VERIFY_SKIP=true make docs-verify
     ...

docs/content/contributing/maintainers-guidelines.md

@@ -0,0 +1,134 @@
+---
+title: "Traefik Maintainer's Guidelines Documentation"
+description: "Interested in contributing more to the community and becoming a Traefik Proxy maintainer? Read the guide to becoming a part of the core team."
+---
+
+# Maintainer's Guidelines
+
+![Maintainer's Guidelines](../assets/img/maintainers-guidelines.png)
+
+Note: the document is a work in progress.
+
+Welcome to the Traefik Community.
+This document describes how to be part of the core team
+together with various responsibilities
+and guidelines for Traefik maintainers.
+We are strongly promoting a philosophy of openness and sharing,
+and firmly standing against the elitist closed approach.
+Being part of the core team should be accessible to anyone motivated
+and wants to be part of that journey!
+
+## Onboarding Process
+
+If you consider joining our community, please drop us a line using Twitter or leave a note in the issue.
+We will schedule a quick call to meet you and learn more about your motivation.
+During the call, the team will discuss the process of becoming a maintainer.
+We will be happy to answer any questions and explain all your doubts.
+
+## Maintainer's Requirements
+
+Note: you do not have to meet all the listed requirements,
+but must have achieved several.
+
+- Enabled [2FA](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) on your GitHub account
+- The contributor has opened and successfully run medium to large PR’s in the past 6 months.
+- The contributor has participated in multiple code reviews of other PR’s,
+  including those of other maintainers and contributors.
+- The contributor showed a consistent pattern of helpful, non-threatening, and friendly behavior towards other community members in the past.
+- The contributor is active on Traefik Community forums
+  or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
+- Have read and accepted the contributor guidelines.
+
+## Maintainer's Responsibilities and Privileges
+
+There are lots of areas where you can contribute to the project,
+but we can suggest you start with activities such as:
+
+- PR reviewing.
+    - According to our guidelines we require you have at least 3 reviewers,
+      thus you can review a PR and leave the relevant comment if it is necessary.
+- Participating in a daily [issue triage](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md).
+    - The process helps to understand and prioritize the reported issue according to its importance and severity.
+      This is crucial to learn how our users implement Traefik.
+      Each of the issues that are labeled as bug/possible bug/confirmed requires a reproducible use case. 
+      You can help in creating a reproducible use case if it has not been added to the issue
+      or use the sample code provided by the reporter.
+      Typically, a simple Docker Compose should be enough to reproduce the issue.
+- Code contribution.
+- Documentation contribution.
+    - Technical documentation is one of the most important components of the product.
+      The ability to set up a testing environment in a few minutes,
+      using the official documentation,
+      is a game changer.
+- You will be listed on our Maintainers GitHub page
+  and on our website in the section [maintainers](maintainers.md).
+- We will be promoting you on social channels (mostly on Twitter).
+
+## Governance
+
+- Roadmap meetings on a regular basis where all maintainers are welcome.
+
+## Communicating
+
+- All of our maintainers are added to Slack #traefik-maintainers channel that belongs to Traefik labs workspace.
+  Having the team in one place helps us to communicate effectively.
+  You can reach Traefik core developers directly,
+  which offers the possibility to discuss issues, pull requests, enhancements more efficiently
+  and get the feedback almost immediately.
+  Fewer blockers mean more fun and engaging work.
+
+- On a daily basis, we publish a report that includes all the activities performed during the day.
+  You are updated in regard to the workload that has been processed including:
+  working on the new features and enhancements,
+  activities related to the reported issues and PR’s,
+  other important project-related announcements.
+
+- At 5:00 PM CET every day we review all the created issues that have been reported,
+  assign them the appropriate *[labels](maintainers.md#labels)*
+  and prioritize them based on the severity of the problem.
+  The process is called *[issue triaging](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)*.
+  Each of the maintainers is welcome to join the meeting.
+  For that purpose, we use a dedicated Discord server
+  where you are invited once you have become the official maintainer.
+
+## Maintainers Activity
+
+In order to keep the core team efficient and dynamic,
+maintainers' activity and involvement will be reviewed on a regular basis.
+
+- Has the maintainer engaged with the team and the community by meeting two or more of these benchmarks in the past six months?
+    - Has the maintainer participated in at least two or three maintainer meetings?
+    - Substantial review of at least one or two PRs from either contributors or maintainers.
+    - Opened at least one or two bug fixes or feature request PRs
+      that were eventually merged (or on a trajectory for merge).
+    - Substantial participation in the Help Wanted program (answered questions, helped identify issues, applied guidelines from the Help Wanted guide to open issues).
+    - Substantial participation with the community in general.
+
+- Has the maintainer shown a consistent pattern of helpful,
+  non-threatening,
+  and friendly behavior towards other people on the maintainer team and with our community?
+
+## Additional Comments for (not only) Maintainers
+
+- Be able to put yourself in users’ shoes.
+- Be open-minded and respectful with other maintainers and other community members.
+- Keep the communication public -
+  if anyone tries to communicate with you directly,
+  ask politely to move the conversation to a public communication channel.
+- Stay away from defensive comments.
+- Please try to express your thoughts clearly enough
+  and note that some of us are not native English speakers.
+  Try to rephrase your sentences, avoiding mental shortcuts;
+  none of us is able to predict your thoughts.
+- There are a lot of use cases of using Traefik
+  and even more issues that are difficult to reproduce.
+  If the issue can’t be replicated due to a lack of reproducible case (a simple Docker Compose should be enough) -
+  set your time limits while working on the issue
+  and express clearly that you were not able to replicate it.
+  You can come back later to that case.
+- Be proactive.
+- Emoji are fine,
+  but if you express yourself clearly enough they are not necessary.
+  They will not replace good communication.
+- Embrace mentorship.
+- Keep in mind that we all have the same intent to improve the project.

docs/content/contributing/maintainers.md

@@ -1,6 +1,11 @@
+---
+title: "Traefik Maintainers Documentation"
+description: "Traefik Proxy is an open source software with a thriving community of contributors and maintainers. Read the list of maintainers on this page."
+---
+
 # Maintainers
 
-## The team
+## The Team
 
 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
 * Vincent Demeester [@vdemeester](https://github.com/vdemeester)
@@ -11,75 +16,27 @@
 * Ludovic Fernandez [@ldez](https://github.com/ldez)
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
-* Marco Jantke [@marco-jantke](https://github.com/marco-jantke)
+* Marco Jantke [@mjantke](https://github.com/mjeri)
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
-* Damien Duportal [@dduportal](https://github.com/dduportal)
 * Mathieu Lonjaret [@mpl](https://github.com/mpl)
+* Romain Tribotté [@rtribotte](https://github.com/rtribotte)
+* Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
+* Harold Ozouf [@jspdown](https://github.com/jspdown)
+* Tom Moulard [@tommoulard](https://github.com/tommoulard)
 
-## Contributions Daily Meeting
+## Maintainer's Guidelines
 
-* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/containous/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
-* Every pull request should be checked during the Contributions Daily Meeting
-    * Even if it’s already assigned
-    * Even PR labelled with `contributor/waiting-for-corrections` or `contributor/waiting-for-feedback`
-* Issues labeled with `priority/P0` and `priority/P1` should be assigned.
-* Modifying an issue or a pull request (labels, assignees, milestone) is only possible:
-    * During the Contributions Daily Meeting
-    * By an assigned maintainer
-    * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, Discourse, etc)
+Please read the [maintainer's guidelines](maintainers-guidelines.md)
 
-## PR review process:
+## Issue Triage
 
-* The status `needs-design-review` is only used in complex/heavy/tricky PRs.
-* From `1` to `2`: 1 comment that says “design LGTM” (by a senior maintainer).
-* From `2` to `3`: 3 LGTM approvals by any maintainer.
-* If needed, a specific maintainer familiar with a particular domain can be requested for the review.
-* If a PR has been implemented in pair programming, one peer's LGTM goes into the review for free
-* Amending someone else's pull request is authorized only in emergency, if a rebase is needed, or if the initial contributor is silent
+Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).
 
-We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
+## PR Review Process
 
-## Bots
-
-### [Myrmica Lobicornis](https://github.com/containous/lobicornis/)
-
-Update and Merge Pull Request.
-
-The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
-
-By default, a squash-rebase merge will be carried out.
-To preserve commits, add `bot/merge-method-rebase` before `status/3-needs-merge`.
-
-The status `status/4-merge-in-progress` is only used by the bot.
-
-If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.  
-In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
-
-To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
-
-The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
-
-This label is used when:
-
-* Updating the vendors from previously reviewed PRs
-* Merging branches into the master
-* Preparing the release
-
-### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)
-
-* closes stale issues [cron]
-    * use some criterion as number of days between creation, last update, labels, ...
-
-### [Myrmica Aloba](https://github.com/containous/aloba)
-
-Manage GitHub labels.
-
-* Add labels on new PR [GitHub WebHook]
-* Add milestone to a new PR based on a branch version (1.4, 1.3, ...) [GitHub WebHook]
-* Add and remove `contributor/waiting-for-corrections` label when a review request changes [GitHub WebHook]
-* Weekly report of PR status on Slack (CaptainPR) [cron]
+The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.
 
 ## Labels
 
@@ -167,7 +124,7 @@ The `status/*` labels represent the desired state in the workflow.
 * `priority/P2`: need to be fixed in the future.
 * `priority/P3`: maybe.
 
-### PR size
+### PR Size
 
 Automatically set by a bot.
 

docs/content/contributing/submitting-issues.md

@@ -1,44 +1,63 @@
+---
+title: "Traefik Submitting Issues Documentation"
+description: "Help us help you! Learn how to submit an issue, following the guidelines, so the Traefik Proxy team can help. Read the technical documentation."
+---
+
 # Submitting Issues
 
 Help Us Help You!
 {: .subtitle }
 
-We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik. 
+Issues are perfect for requesting a feature/enhancement or reporting a suspected bug.
+We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik.
 
 The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
-To save us some time and get quicker feedback, be sure to follow the guide lines below.
+To help us (and other community members) quickly and effortlessly understand what you need,
+be sure to follow the guidelines below.
 
 !!! important "Getting Help Vs Reporting an Issue"
 
     The issue tracker is not a general support forum, but a place to report bugs and asks for new features.
 
-    For end-user related support questions, try using first:
-
-    - the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+    For end-user related support questions, try using the [Traefik Community Forum](https://community.traefik.io/)
+   [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Traefik%20Community%20Forum)](https://community.traefik.io/)
 
 ## Issue Title
 
 The title must be short and descriptive. (~60 characters)
 
-## Description
+Examples:
 
-Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
-
-Explain us in which conditions you encountered the issue, what is your context.
-
-Remain as clear and concise as possible
-
-Take time to polish the format of your message so we'll enjoy reading it and working on it. 
-Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
+* Bug: Duplicate requests in access logs
+* Feature: Support TCP
 
 ## Feature Request
 
-Traefik is an open-source project and aims to be the best edge router possible.
+Traefik is an open source project and aims to be the best edge router possible.
 
 Remember when asking for new features that these must be useful to the majority (and not only useful in edge case scenarios, or hack-like setups).
+Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE/feature-request.yml) as much as possible.
 
-Do you best to explain what you're looking for, and why it would improve Traefik for everyone. 
+Do your best to explain what you're looking for, and why it would improve Traefik for everyone.
+Be detailed and share the use-case(s) to allow us to see the value of your feature request as quickly as possible.
+
+Features with a lot of positive interaction (claps, +1s, conversation about how this would impact them) indicate higher community interest and help us to prioritize.
+
+If you are interested in creating a PR for your feature request, let us know in the issue, so we can work with you.
+It can take a lot of work to make sure a PR can integrate with our existing code and planning with the team ahead of time can make sure that your PR can be accepted and merged quickly.
+
+## Issues or Possible Bug Reports
+
+Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE/bug_report.yml) as much as possible.
+
+Explain the conditions in which you encountered the issue; what is your context?
+Share any logs you may have, and make sure to share the steps it takes to reproduce your issue or bug.
+
+Remain as clear and concise as possible.
+
+Take time to polish the format of your message, so we'll enjoy reading it and working on it.
+Help your readers focus on what matters and help them understand the structure of your message (see the [GitHub Markdown Syntax](https://docs.github.com/en/get-started/writing-on-github)).
 
 ## International English
 
-Every maintainer / Traefik user is not a native English speaker, so if you feel sometimes that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.
+Every maintainer / Traefik user is not a native English speaker, so if you sometimes feel that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.

docs/content/contributing/submitting-pull-requests.md

@@ -1,45 +1,231 @@
-# Submitting Pull Requests
+---
+title: "Traefik Pull Requests Documentation"
+description: "Looking to contribute to Traefik Proxy? This guide will show you the guidelines for submitting a PR in our contributors guide repository."
+---
 
-A Quick Guide for Efficient Contributions
-{: .subtitle }
+# Before You Submit a Pull Request
 
-So you've decide to improve Traefik? 
-Thank You! 
-Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
+This guide is for contributors who already have a pull request to submit.
+If you are looking for information on setting up your developer environment
+and creating code to contribute to Traefik Proxy or related projects,
+see the [development guide](https://docs.traefik.io/contributing/building-testing/).
 
-Let's go though the classic pitfalls to make sure everything is right. 
+Looking for a way to contribute to Traefik Proxy?
+Check out this list of [Priority Issues](https://github.com/traefik/traefik/labels/contributor%2Fwanted),
+the [Good First Issue](https://github.com/traefik/traefik/labels/contributor%2Fgood-first-issue) list,
+or the list of [confirmed bugs](https://github.com/traefik/traefik/labels/kind%2Fbug%2Fconfirmed) waiting to be remedied.
 
-## Title
+## How We Prioritize
 
-The title must be short and descriptive. (~60 characters)
+We wish we could review every pull request right away.
+Unfortunately, our team has to prioritize pull requests (PRs) for review
+(but we are welcoming new [maintainers](https://github.com/traefik/traefik/blob/master/docs/content/contributing/maintainers-guidelines.md) to speed this up,
+if you are interested, check it out and apply).
 
-## Description
+The PRs we are able to handle fastest are:
 
-Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
+* Documentation updates.
+* Bug fixes.
+* Enhancements and Features with a `contributor/wanted` tag.
 
-Explain the conditions which led you to write this PR: give us context.
-The context should lead to something, an idea or a problem that you’re facing.
+PRs that take more time to address include:
 
-Remain clear and concise.
+* Enhancements or Features without the `contributor/wanted` tag.
 
-Take time to polish the format of your message so we'll enjoy reading it and working on it.
-Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
+If you have an idea for an enhancement or feature that you would like to build,
+[create an issue](https://github.com/traefik/traefik/issues/new/choose) for it first
+and tell us you are interested in writing the PR.
+If an issue already exists, definitely comment on it to tell us you are interested in creating a PR.
 
-## PR Content
+This will allow us to communicate directly and let you know if it is something we would accept.
 
-- Make it small.
-- One feature per Pull Request.
-- Write useful descriptions and titles.
-- Avoid re-formatting code that is not on the path of your PR.
-- Make sure the [code builds](building-testing.md).
-- Make sure [all tests pass](building-testing.md).
-- Add tests.
-- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
+It also allows us to make sure you have all the information you need during the design phase
+so that it can be reviewed and merged quickly.
 
-!!! note "third-party dependencies"
+Read more about the [Triage process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in the docs.
 
-    If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
+## The Pull Request Submit Process
 
-!!! tip "10 Tips for Better Pull Requests"
+Merging a PR requires the following steps to be completed before it is merged automatically.
 
-    We enjoyed this article, maybe you will too! [10 tips for better pull requests](https://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
+* Make sure your pull request adheres to our best practices. These include:
+    * [Following project conventions](https://github.com/traefik/traefik/blob/master/docs/content/contributing/maintainers-guidelines.md); including using the PR Template.
+    * Make small pull requests.
+    * Solve only one problem at a time.
+    * Comment thoroughly.
+    * Do not open the PR from an organization repository.
+    * Keep "allows edit from maintainer" checked.
+    * Use semantic line breaks for documentation.
+    * Ensure your PR is not a draft. We do not review drafts, but do answer questions and confer with developers on them as needed.
+* Pass the validation check.
+* Pass all tests.
+* Receive 3 approving reviews maintainers.
+
+## Pull Request Review Cycle
+
+Learn about our [Triage Process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md),
+in short, it looks like this:
+
+* We triage every new PR or comment before entering it into the review process.
+    * We ensure that all prerequisites for review have been met.
+    * We check to make sure the use case meets our needs.
+    * We assign reviewers.
+* Design Review.
+    * This takes longer than other parts of the process.
+    * We review that there are no obvious conflicts with our codebase.
+* Code Review.
+    * We review the code in-depth and run tests.
+    * We may ask for changes here.
+    * During code review, we ask that you be reasonably responsive,
+      if a PR languishes in code review it is at risk of rejection,
+      or we may take ownership of the PR and the contributor will become a co-author.
+* Merge.
+    * Success!
+
+!!! note
+
+    Occasionally, we may freeze our codebase when working towards a specific feature or goal that could impact other development.
+    During this time, your pull request could remain unmerged while the release work is completed.
+
+## Run Local Verifications
+
+You must run these local verifications before you submit your pull request to predict the pass or failure of continuous integration.
+Your PR will not be reviewed until these are green on the CI.
+
+* `make validate`
+* `make pull-images`
+* `make test`
+
+## The Testing and Merge Workflow
+
+Pull Requests are managed by the bot [Myrmica Lobicornis](https://github.com/traefik/lobicornis).
+This bot is responsible for verifying GitHub Checks (CI, Tests, etc), mergability, and minimum reviews.
+In addition, it rebases or merges with the base PR branch if needed.
+It performs several other housekeeping items
+and you can read more about those on the [README](https://github.com/traefik/lobicornis) for Lobicornis.
+
+The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
+
+By default, a squash-rebase merge will be carried out.
+
+The status `status/4-merge-in-progress` is only used by the bot.
+
+If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.
+In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
+
+To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
+
+The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
+
+This label can be used when:
+
+* Updating a dependency.
+* Merging branches back into the next version branch.
+* Submitting minor documentation changes.
+* Submitting changelog PRs.
+
+## Why Was My Pull Request Closed?
+
+Traefik Proxy is made by the community for the community,
+as such the goal is to engage the community to make Traefik the best reverse proxy available.
+Part of this goal is maintaining a lean codebase and ensuring code velocity.
+unfortunately, this means that sometimes we will not be able to merge a pull request.
+
+Because we respect the work you did, you will always be told why we are closing your pull request.
+If you do not agree with our decision, do not worry; closed pull requests are effortless to recreate,
+and little work is lost by closing a pull request that subsequently needs to be reopened.
+
+Your pull request might be closed if:
+
+* Your PR's design conflicts with our existing codebase in such a way that merging is not an option
+  and the work needed to make your pull request usable is too high.
+    * To prevent this, make sure you created an issue first
+      and think about including Traefik Proxy maintainers in your design phase to minimize conflicts.
+* Your PR is for an enhancement or feature that we will not use.
+    * Please remember to create an issue for any pull request **before** you create a PR
+      to ensure that your goal is something we can merge and that you have any design insight you might need from the team.
+* Your PR has been waiting for feedback from the contributor for over 90 days.
+
+## Why is My Pull Request Not Getting Reviewed
+
+A few factors affect how long your pull request might wait for review.
+
+We must prioritize which PRs we focus on.
+Our first priority is PRs we have identified as having high community engagement and broad applicability.
+We put our top priorities on our roadmap, and you can identify them by the `contributor/wanted` tag.
+These PRs will enter our review process the fastest.
+
+Our second priority is bug fixes.
+Especially for bugs that have already been tagged with `bug/confirmed`.
+These reviews enter the process quickly.
+
+If your PR does not meet the criteria above,
+it will take longer for us to review, as any PRs that do meet the criteria above will be prioritized.
+
+Additionally, during the last few weeks of a milestone, we stop reviewing PRs to reduce churn and stabilize.
+We will resume after the release.
+
+The second major reason that we deprioritize your PR is that you are not following best practices.
+
+The most common failures to follow best practices are:
+
+* You did not create an issue for the PR you wish to make.
+  If you do not create an issue before submitting your PR,
+  we will not be able to answer any design questions and let you know how likely your PR is to be merged.
+* You created pull requests that are too large to review.
+    * Break your pull requests up.
+      If you can extract whole ideas from your pull request and send those as pull requests of their own,
+      you should do that instead.
+      It is better to have many pull requests addressing one thing than one pull request addressing many things.
+    * Traefik Proxy is a fast-moving codebase — lock in your changes ASAP with your small pull request,
+      and make merges be someone else's problem.
+      We want every pull request to be useful on its own,
+      so use your best judgment on what should be a pull request vs. a commit.
+* You did not comment well.
+    * Comment everything.
+
+Please remember that we are working internationally, cross-culturally, and with different use-cases.
+Your reviewer will not intuitively understand the problem the same way you do or solve it the same way you would.
+This is why every change you make must be explained, and your strategy for coding must also be explained.
+
+* Your tests were inadequate or absent.
+    * If you do not know how to test your PR, please ask!
+      We will be happy to help you or suggest appropriate test cases.
+
+If you have already followed the best practices and your PR still has not received a response,
+here are some things you can do to move the process along:
+
+* If you have fixed all the issues from a review,
+  remember to re-request a review (using the designated button) to let your reviewer know that you are ready.
+  You can choose to comment with the changes you made.
+* Ping `@tfny` if you have not been assigned to a reviewer.
+
+For more information on best practices, try these links:
+
+* [How to Write a Git Commit Message - Chris Beams](https://chris.beams.io/posts/git-commit/)
+* [Distributed Git - Contributing to a Project (Commit Guidelines)](https://git-scm.com/book/en/v2/Distributed-Git-Contributing-to-a-Project)
+* [What’s with the 50/72 rule? - Preslav Rachev](https://preslav.me/2015/02/21/what-s-with-the-50-72-rule/)
+* [A Note About Git Commit Messages - Tim Pope](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
+
+## It's OK to Push Back
+
+Sometimes reviewers make mistakes.
+It is OK to push back on changes your reviewer requested.
+If you have a good reason for doing something a certain way, you are absolutely allowed to debate the merits of a requested change.
+Both the reviewer and reviewee should strive to discuss these issues in a polite and respectful manner.
+
+You might be overruled, but you might also prevail.
+We are pretty reasonable people.
+
+Another phenomenon of open-source projects (where anyone can comment on any issue) is the dog-pile -
+your pull request gets so many comments from so many people it becomes hard to follow.
+In this situation, you can ask the primary reviewer (assignee) whether they want you to fork a new pull request
+to clear out all the comments.
+You do not have to fix every issue raised by every person who feels like commenting,
+but you should answer reasonable comments with an explanation.
+
+## Common Sense and Courtesy
+
+No document can take the place of common sense and good taste.
+Use your best judgment, while you put a bit of thought into how your work can be made easier to review.
+If you do these things, your pull requests will get merged with less friction.

docs/content/contributing/submitting-security-issues.md

@@ -0,0 +1,21 @@
+---
+title: "Traefik Security Documentation"
+description: "Security is a key part of Traefik Proxy. Read the technical documentation to learn about security advisories, CVE, and how to report a vulnerability."
+---
+
+# Security
+
+## Security Advisories
+
+We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+## CVE
+
+Reported vulnerabilities can be found on
+[cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Report a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).

docs/content/contributing/thank-you.md

@@ -1,13 +1,18 @@
+---
+title: "Traefik Contribution Documentation"
+description: "Thank you to all those who have contributed! Traefik Proxy is an open-source project that thrives with the support of our passionate community."
+---
+
 # Thank You!
 
 _You_ Made It
 {: .subtitle}
 
-Traefik truly is an [open-source project](https://github.com/containous/traefik/),
-and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this),
-not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
+Traefik Proxy truly is an [open-source project](https://github.com/traefik/traefik/),
+and wouldn't have become what it is today without the help of our [many contributors](https://github.com/traefik/traefik/graphs/contributors) (at the time of writing this),
+not accounting for people having helped with issues, tests, comments, articles, ... or just enjoy using Traefik Proxy and share with others.
 
-So once again, thank you for your invaluable help on making Traefik such a good product.
+So once again, thank you for your invaluable help in making Traefik such a good product!
 
 !!! question "Where to Go Next?"
     If you want to:

docs/content/deprecation/features.md

@@ -0,0 +1,44 @@
+# Feature Deprecation Notices
+
+This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
+
+| Feature                                                                                             | Deprecated | End of Support | Removal |
+|-----------------------------------------------------------------------------------------------------|------------|----------------|---------|
+| [Pilot](#pilot)                                                                                     | 2.7        | 2.8            | 2.9     |
+| [Consul Enterprise Namespace](#consul-enterprise-namespace)                                         | 2.8        | N/A            | 3.0     |
+| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                                                           | N/A        | 2.8            | N/A     |
+| [Nomad Namespace](#nomad-namespace)                                                                 | 2.10       | N/A            | 3.0     |
+| [Kubernetes CRDs API Group `traefik.containo.us`](#kubernetes-crds-api-group-traefikcontainous)     | 2.10       | N/A            | 3.0     |
+| [Kubernetes CRDs API Version `traefik.io/v1alpha1`](#kubernetes-crds-api-version-traefikiov1alpha1) | N/A        | N/A            | 3.0     |
+
+## Impact
+
+### Pilot
+
+Metrics will continue to function normally up to 2.8, when they will be disabled.  
+In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
+
+Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
+Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
+
+### Consul Enterprise Namespace
+
+Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
+please use the `namespaces` options instead.  
+
+### TLS 1.0 and 1.1
+
+Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
+
+### Nomad Namespace
+
+Starting on 2.10 the `namespace` option of the Nomad provider is deprecated,
+please use the `namespaces` options instead.
+
+### Kubernetes CRDs API Group `traefik.containo.us`
+
+In v2.10, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
+
+### Kubernetes CRDs API Version `traefik.io/v1alpha1`
+
+The newly introduced Kubernetes CRD API Version `traefik.io/v1alpha1` will subsequently be removed in Traefik v3. The following version will be `traefik.io/v1`.

docs/content/deprecation/releases.md

@@ -0,0 +1,40 @@
+# Releases
+
+## Versions
+
+Below is a non-exhaustive list of versions and their maintenance status:
+
+| Version | Release Date | Active Support     | Security Support | 
+|---------|--------------|--------------------|------------------|
+| 2.9     | Oct 03, 2022 | Yes                | Yes              |
+| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No               |
+| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No               |
+| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No               |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No               |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No               |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No               |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No               |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No               |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No               |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | Contact Support  |
+
+??? example "Active Support / Security Support"
+
+    **Active support**: receives any bug fixes.
+    **Security support**: receives only critical bug and security fixes.
+
+This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
+
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+
+!!! important "All target dates for end of support or feature removal announcements may be subject to change."
+
+## Versioning Scheme
+
+The Traefik Proxy project follows the [semantic versioning](https://semver.org/) scheme and maintains a separate branch for each minor version. The main branch always represents the next upcoming minor or major version.
+
+And these are our guiding rules for version support:
+
+- **Only the latest `minor`** will be on active support at any given time
+- **The last `minor` after releasing a new `major`** will be supported for 1 year following the `major` release
+- **Previous rules are subject to change** and in such cases an announcement will be made publicly, [here](https://traefik.io/blog/traefik-2-1-in-the-wild/) is an example extending v1.x branch support.

docs/content/getting-started/concepts.md

@@ -1,14 +1,34 @@
+---
+title: Concepts
+description: Traefik - base concepts and main features
+---
+
 # Concepts
 
-Everything You Need to Know
-{: .subtitle }
+This page explains the base concepts of Traefik.
+
+---
+
+## Introduction
+
+Traefik is based on the concept of EntryPoints, Routers, Middlewares and Services.
+
+The main features include dynamic configuration, automatic service discovery, and support for multiple backends and protocols.
+
+1. [EntryPoints](../routing/entrypoints.md "Link to docs about EntryPoints"): EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.
+
+2. [Routers](../routing/routers/index.md "Link to docs about routers"): A router is in charge of connecting incoming requests to the services that can handle them.
+
+3. [Middlewares](../middlewares/overview.md "Link to docs about middlewares"): Attached to the routers, middlewares can modify the requests or responses before they are sent to your service
+
+4. [Services](../routing/services/index.md "Link to docs about services"): Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
 
 ## Edge Router
 
-Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
-it knows all the logic and every rule that determine which services handle which requests (based on the [path](../routing/routers/index.md#rule), the [host](../routing/routers/index.md#rule), [headers](../routing/routers/index.md#rule), [and so on](../routing/routers/index.md#rule) ...).
+Traefik is an *Edge Router*, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
+it knows all the logic and every [rule](../routing/routers/index.md#rule "Link to docs about routing rules") that determine which services handle which requests (based on the *path*, the *host*, *headers*, etc.).
 
-![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png)
+![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png "Picture explaining the infrastructure")
 
 ## Auto Service Discovery
 
@@ -16,21 +36,25 @@ Where traditionally edge routers (or reverse proxies) need a configuration file
 
 Deploying your services, you attach information that tells Traefik the characteristics of the requests the services can handle.
 
-![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
+![Decentralized Configuration](../assets/img/traefik-concepts-2.png "Picture about Decentralized Configuration")
 
 It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
-The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
+Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.
 
 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
 
-!!! note "Many different rules"
+!!! info "Many different rules"
 
-    In the example above, we used the request [path](../routing/routers/index.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers/index.md#rule).
+    In the example above, we used the request [path rule](../routing/routers/index.md#rule "Link to docs about routing rules") to determine which service was in charge.
+    Certainly, you can use many other different [rules](../routing/routers/index.md#rule "Link to docs about routing rules").
 
-!!! note "Updating the requests"
+!!! info "Updating the requests"
 
-    In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
+    In the [middleware](../middlewares/overview.md "Link to middleware documentation") section, you can learn about how to update the requests before forwarding them to the services.
 
 !!! question "How does Traefik discover the services?"
 
-    Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.
+    Traefik is able to use your cluster API to discover the services and read the attached information.
+    In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.
+
+{!traefik-for-business-applications.md!}

docs/content/getting-started/configuration-overview.md

@@ -1,3 +1,8 @@
+---
+title: "Traefik Configuration Documentation"
+description: "Get started with Traefik Proxy. This page will introduce you to the dynamic routing and startup configurations. Read the technical documentation."
+---
+
 # Configuration Introduction
 
 How the Magic Happens
@@ -13,43 +18,45 @@ Configuration in Traefik can refer to two different things:
 Elements in the _static configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
 
 The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
-This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.    
+This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
 
 !!! warning "Incompatible Configuration"
-    Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now.
-    If you're testing out v2, please ensure you are using a v2 configuration.
+    Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now.
+    If you are running v2, please ensure you are using a v2 configuration.
 
-## The Dynamic Configuration 
+## The Dynamic Configuration
 
-Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
+Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.
 
-!!! Note 
+Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../routing/overview.md).
+
+!!! info ""
 
     In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
-    
-!!! Note
-    
-    HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance. 
- 
+
+!!! info "HTTPS Certificates also belong to the dynamic configuration."
+
+    You can add / update / remove them without restarting your Traefik instance.
+
 ## The Static Configuration
 
-There are three different, mutually exclusive, ways to define static configuration options in Traefik:
+There are three different, **mutually exclusive** (i.e. you can use only one at the same time), ways to define static configuration options in Traefik:
 
-- In a configuration file
-- In the command-line arguments
-- As environment variables
+1. In a configuration file
+1. In the command-line arguments
+1. As environment variables
 
 These ways are evaluated in the order listed above.
 
 If no value was provided for a given option, a default value applies.
 Moreover, if an option has sub-options, and any of these sub-options is not specified, a default value will apply as well.
-    
+
 For example, the `--providers.docker` option is enough by itself to enable the docker provider, even though sub-options like `--providers.docker.endpoint` exist.
 Once positioned, this option sets (and resets) all the default values of the sub-options of `--providers.docker`.
-    
+
 ### Configuration File
 
-At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` or `traefik.yaml`) in:
+At startup, Traefik searches for static configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:
 
 - `/etc/traefik/`
 - `$XDG_CONFIG_HOME/`
@@ -59,7 +66,7 @@ At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` o
 You can override this using the `configFile` argument.
 
 ```bash
-traefik --configFile=foo/bar/myconfigfile.toml
+traefik --configFile=foo/bar/myconfigfile.yml
 ```
 
 ### Arguments
@@ -72,7 +79,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:2.0 --help
+# ex: docker run traefik:v2.10 --help
 ```
 
 All available arguments can also be found [here](../reference/static-configuration/cli.md).
@@ -86,3 +93,5 @@ All available environment variables can be found [here](../reference/static-conf
 All the configuration options are documented in their related section.
 
 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
+
+{!traefik-for-business-applications.md!}

docs/content/getting-started/faq.md

@@ -0,0 +1,253 @@
+---
+title: "Traefik Getting Started FAQ"
+description: "Check out our FAQ page for answers to commonly asked questions on getting started with Traefik Proxy. Read the technical documentation."
+---
+
+# FAQ
+
+## Why is Traefik Answering `XXX` HTTP Response Status Code?
+
+Traefik is a dynamic reverse proxy,
+and while the documentation often demonstrates configuration options through file examples,
+the core feature of Traefik is its dynamic configurability,
+directly reacting to changes from providers over time.
+
+Notably, a part of the configuration is [static](../configuration-overview/#the-static-configuration),
+and can be provided by a file on startup, whereas various providers,
+such as the file provider,
+contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](../configuration-overview/#the-dynamic-configuration) changes.
+
+In addition, the configuration englobes concepts such as the EntryPoint which can be seen as a listener on the Transport Layer (TCP),
+as apposed to the Router which is more about the Presentation (TLS) and Application layers (HTTP).
+And there can be as many routers as one wishes for a given EntryPoint.
+
+In other words, for a given Entrypoint,
+at any given time the traffic seen is not bound to be just about one protocol.
+It could be HTTP, or otherwise. Over TLS, or not.
+Not to mention that dynamic configuration changes potentially make that kind of traffic vary over time.
+
+Therefore, in this dynamic context,
+the static configuration of an `entryPoint` does not give any hint whatsoever about how the traffic going through that `entryPoint` is going to be routed.
+Or whether it's even going to be routed at all,
+i.e. whether there is a Router matching the kind of traffic going through it.
+
+### `404 Not found`
+
+Traefik returns a `404` response code in the following situations:
+
+- A request reaching an EntryPoint that has no Routers
+- An HTTP request reaching an EntryPoint that has no HTTP Router
+- An HTTPS request reaching an EntryPoint that has no HTTPS Router
+- A request reaching an EntryPoint that has HTTP/HTTPS Routers that cannot be matched
+
+From Traefik's point of view,
+every time a request cannot be matched with a router the correct response code is a `404 Not found`.
+
+In this situation, the response code is not a `503 Service Unavailable`
+because Traefik is not able to confirm that the lack of a matching router for a request is only temporary.
+Traefik's routing configuration is dynamic and aggregated from different providers,
+hence it's not possible to assume at any moment that a specific route should be handled or not.
+
+??? info "This behavior is consistent with rfc7231"
+
+    ```txt
+    The server is currently unable to handle the request due to a
+    temporary overloading or maintenance of the server. The implication
+    is that this is a temporary condition which will be alleviated after
+    some delay. If known, the length of the delay MAY be indicated in a
+    Retry-After header. If no Retry-After is given, the client SHOULD
+    handle the response as it would for a 500 response.
+
+        Note: The existence of the 503 status code does not imply that a
+        server must use it when becoming overloaded. Some servers may wish
+        to simply refuse the connection.
+    ```
+
+    Extract from [rfc7231#section-6.6.4](https://datatracker.ietf.org/doc/html/rfc7231#section-6.6.4).
+
+### `502 Bad Gateway`
+
+Traefik returns a `502` response code when an error happens while contacting the upstream service.
+
+### `503 Service Unavailable`
+
+Traefik returns a `503` response code when a Router has been matched
+but there are no servers ready to handle the request.
+
+This situation is encountered when a service has been explicitly configured without servers,
+or when a service has healthcheck enabled and all servers are unhealthy.
+
+### `XXX` Instead of `404`
+
+Sometimes, the `404` response code doesn't play well with other parties or services (such as CDNs).
+
+In these situations, you may want Traefik to always reply with a `503` response code,
+instead of a `404` response code.
+
+To achieve this behavior, a simple catchall router,
+with the lowest possible priority and routing to a service without servers,
+can handle all the requests when no other router has been matched.
+
+The example below is a file provider only version (`yaml`) of what this configuration could look like:
+
+```yaml tab="Static configuration"
+# traefik.yml
+
+entrypoints:
+  web:
+    address: :80
+
+providers:
+  file:
+    filename: dynamic.yaml
+```
+
+```yaml tab="Dynamic configuration"
+# dynamic.yaml
+
+http:
+  routers:
+    catchall:
+      # attached only to web entryPoint
+      entryPoints:
+        - "web"
+      # catchall rule
+      rule: "PathPrefix(`/`)"
+      service: unavailable
+      # lowest possible priority
+      # evaluated when no other router is matched
+      priority: 1
+
+  services:
+    # Service that will always answer a 503 Service Unavailable response
+    unavailable:
+      loadBalancer:
+        servers: {}
+```
+
+!!! info "Dedicated service"
+    If there is a need for a response code other than a `503` and/or a custom message,
+    the principle of the above example above (a catchall router) still stands,
+    but the `unavailable` service should be adapted to fit such a need.
+
+## Why Is My TLS Certificate Not Reloaded When Its Contents Change? 
+
+With the file provider,
+a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
+
+Which is why, when a certificate is defined by path,
+and the actual contents of this certificate change,
+a configuration update is _not_ triggered.
+
+To take into account the new certificate contents, the update of the dynamic configuration must be forced.
+One way to achieve that, is to trigger a file notification,
+for example, by using the `touch` command on the configuration file.
+
+## What Are the Forwarded Headers When Proxying HTTP Requests?
+
+By default, the following headers are automatically added when proxying requests:
+
+| Property                  | HTTP Header                |
+|---------------------------|----------------------------|
+| Client's IP               | X-Forwarded-For, X-Real-Ip |
+| Host                      | X-Forwarded-Host           |
+| Port                      | X-Forwarded-Port           |
+| Protocol                  | X-Forwarded-Proto          |
+| Proxy Server's Hostname   | X-Forwarded-Server         |
+
+For more details,
+please check out the [forwarded header](../routing/entrypoints.md#forwarded-headers) documentation.
+
+## How Traefik is Storing and Serving TLS Certificates?
+
+### Storing TLS Certificates
+
+[TLS](../https/tls.md "Link to Traefik TLS docs") certificates are either provided directly by the [dynamic configuration](./configuration-overview.md#the-dynamic-configuration "Link to dynamic configuration overview") from [providers](../https/tls.md#user-defined "Link to the TLS configuration"),
+or by [ACME resolvers](../https/acme.md#providers "Link to ACME resolvers"), which act themselves as providers internally.
+
+For each TLS certificate, Traefik produces an identifier used as a key to store it.
+This identifier is constructed as the alphabetically ordered concatenation of the SANs `DNSNames` and `IPAddresses` of the TLScertificate.
+
+#### Examples:
+
+| X509v3 Subject Alternative Name         | TLS Certificate Identifier  |
+|-----------------------------------------|-----------------------------|
+| `DNS:example.com, IP Address:127.0.0.1` | `127.0.0.1,example.com`     |
+| `DNS:example.com, DNS:*.example.com`    | `*.example.com,example.com` |
+
+The identifier is used to store TLS certificates in order to be later used to handle TLS connections.
+This operation happens each time there are configuration changes.
+
+If multiple TLS certificates are provided with the same SANs definition (same identifier), only the one processed first is kept.
+Because the dynamic configuration is aggregated from all providers,
+when processing it to gather TLS certificates,
+there is no guarantee of the order in which they would be processed.
+This means that along with configurations applied, it is possible that the TLS certificate retained for a given identifier differs.
+
+### Serving TLS Certificates
+
+For each incoming connection, Traefik is serving the "best" matching TLS certificate for the provided server name.
+
+The TLS certificate selection process narrows down the list of TLS certificates matching the server name,
+and then selects the last TLS certificate in this list after having ordered it by the identifier alphabetically.
+
+#### Examples:
+
+| Selected TLS Certificates Identifiers               | Sorted TLS Certificates Identifiers                 | Served Certificate Identifier |
+|-----------------------------------------------------|-----------------------------------------------------|-------------------------------|
+| `127.0.0.1,example.com`,`*.example.com,example.com` | `*.example.com,example.com`,`127.0.0.1,example.com` | `127.0.0.1,example.com`       |
+| `*.example.com,example.com`,`example.com`           | `*.example.com,example.com`,`example.com`           | `example.com`                 |
+
+### Caching TLS Certificates
+
+While Traefik is serving the best matching TLS certificate for each incoming connection,
+the selection process cost for each incoming connection is avoided thanks to a cache mechanism.
+
+Once a TLS certificate has been selected as the "best" TLS certificate for a server name,
+it is cached for an hour, avoiding the selection process for further connections.
+
+Nonetheless, when a new configuration is applied, the cache is reset.
+
+## What does the "field not found" error mean?
+
+```shell
+error: field not found, node: -badField-
+```
+
+The "field not found" error occurs, when an unknown property is encountered in the dynamic or static configuration.
+
+One easy way to check whether a configuration file is well-formed, is to validate it with:
+
+- [JSON Schema of the static configuration](https://json.schemastore.org/traefik-v2.json)
+- [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json)
+
+## Why are some resources (routers, middlewares, services...) not created/applied?
+
+As a common tip, if a resource is dropped/not created by Traefik after the dynamic configuration was evaluated,
+one should look for an error in the logs.
+
+If found, the error obviously confirms that something went wrong while creating the resource,
+and the message should help in figuring out the mistake(s) in the configuration, and how to fix it.
+
+When using the file provider,
+one easy way to check if the dynamic configuration is well-formed is to validate it with the [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json).
+
+## Why does Let's Encrypt wildcard certificate renewal/generation with DNS challenge fail?
+
+If you're trying to renew wildcard certificates, with DNS challenge,
+and you're getting errors such as:
+
+```txt
+msg="Error renewing certificate from LE: {example.com [*.example.com]}"
+providerName=letsencrypt.acme error="error: one or more domains had a problem:
+[example.com] acme: error presenting token: gandiv5: unexpected authZone example.com. for fqdn example.com."
+```
+
+then it could be due to `CNAME` support.
+
+In which case, you should make sure your infrastructure is properly set up for a
+`DNS` challenge that does not rely on `CNAME`, and you should try disabling `CNAME` support with:
+
+```bash
+LEGO_DISABLE_CNAME_SUPPORT=true
+```

docs/content/getting-started/install-traefik.md

@@ -1,18 +1,27 @@
+---
+title: "Traefik Installation Documentation"
+description: "There are several flavors to choose from when installing Traefik Proxy. Get started with Traefik Proxy, and read the technical documentation."
+---
+
 # Install Traefik
 
 You can install Traefik with the following flavors:
 
 * [Use the official Docker image](./#use-the-official-docker-image)
+* [Use the Helm Chart](./#use-the-helm-chart)
 * [Use the binary distribution](./#use-the-binary-distribution)
 * [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
 
 ## Use the Official Docker Image
 
-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-```shell
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.10/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.10/traefik.sample.toml)
+
+```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.10
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -20,15 +29,118 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.0.0`
-    * Docker images comes in 2 flavors: scratch based or alpine based.
-    * All the orchestrator using docker images could fetch the official Traefik docker image.
+    ex: `traefik:v2.10`
+    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
+    * Any orchestrator using docker images can fetch the official Traefik docker image.
+
+## Use the Helm Chart
+
+!!! warning
+
+    The Traefik Chart from
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
+
+Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.
+
+Ensure that the following requirements are met:
+
+* Kubernetes 1.16+
+* Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)
+
+Add Traefik Labs chart repository to Helm:
+
+```bash
+helm repo add traefik https://traefik.github.io/charts
+```
+
+You can update the chart repository by running:
+
+```bash
+helm repo update
+```
+
+And install it with the `helm` command line:
+
+```bash
+helm install traefik traefik/traefik
+```
+
+!!! tip "Helm Features"
+
+    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
+
+    Examples are provided [here](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md). 
+
+    For instance, installing the chart in a dedicated namespace:
+
+    ```bash tab="Install in a Dedicated Namespace"
+    kubectl create ns traefik-v2
+    # Install in the namespace "traefik-v2"
+    helm install --namespace=traefik-v2 \
+        traefik traefik/traefik
+    ```
+
+??? example "Installing with Custom Values"
+
+    You can customize the installation by specifying custom values,
+    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
+    {: #helm-custom-values }
+
+    All parameters are documented in the default [`values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml).
+
+    You can also set Traefik command line flags using `additionalArguments`.
+    Example of installation with logging set to `DEBUG`:
+
+    ```bash tab="Using Helm CLI"
+    helm install --namespace=traefik-v2 \
+        --set="additionalArguments={--log.level=DEBUG}" \
+        traefik traefik/traefik
+    ```
+
+    ```yml tab="With a custom values file"
+    # File custom-values.yml
+    ## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
+    additionalArguments:
+      - "--log.level=DEBUG"
+    ```
+
+### Exposing the Traefik dashboard
+
+This HelmChart does not expose the Traefik dashboard by default, for security concerns.
+Thus, there are multiple ways to expose the dashboard.
+For instance, the dashboard access could be achieved through a port-forward:
+
+```shell
+kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
+```
+
+It can then be reached at: `http://127.0.0.1:9000/dashboard/`
+
+Another way would be to apply your own configuration, for instance,
+by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
+
+```yaml
+# dashboard.yaml
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: dashboard
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+```
 
 ## Use the Binary Distribution
 
-Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
+Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.
 
-??? tip "Check the integrity of the downloaded file"
+??? info "Check the integrity of the downloaded file"
 
     ```bash tab="Linux"
     # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
@@ -45,7 +157,7 @@ Grab the latest binary from the [releases](https://github.com/containous/traefik
     Get-FileHash ./traefik_${traefik_version}_windows_${arch}.zip -Algorithm SHA256
     ```
 
-??? tip "Extract the downloaded archive"
+??? info "Extract the downloaded archive"
 
     ```bash tab="Linux"
     tar -zxvf traefik_${traefik_version}_linux_${arch}.tar.gz
@@ -68,3 +180,5 @@ And run it:
 ## Compile your Binary from the Sources
 
 All the details are available in the [Contributing Guide](../contributing/building-testing.md)
+
+{!traefik-for-business-applications.md!}

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -0,0 +1,320 @@
+---
+title: "Traefik Getting Started With Kubernetes"
+description: "Looking to get started with Traefik Proxy? Read the technical documentation to learn a simple use case that leverages Kubernetes."
+---
+
+# Quick Start
+
+A Simple Use Case of Traefik Proxy and Kubernetes
+{: .subtitle }
+
+This guide is an introduction to using Traefik Proxy in a Kubernetes environment.
+The objective is to learn how to run an application behind a Traefik reverse proxy in Kubernetes.
+It presents and explains the basic blocks required to start with Traefik such as Ingress Controller, Ingresses, Deployments, static, and dynamic configuration.
+
+## Permissions and Accesses
+
+Traefik uses the Kubernetes API to discover running services.
+
+In order to use the Kubernetes API, Traefik needs some permissions.
+This [permission mechanism](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) is based on roles defined by the cluster administrator.
+The role is then bound to an account used by an application, in this case, Traefik Proxy.
+
+The first step is to create the role.
+The [`ClusterRole`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole) resource enumerates the resources and actions available for the role.
+In a file called `00-role.yml`, put the following `ClusterRole`:
+
+```yaml tab="00-role.yml"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+```
+
+!!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."
+
+The next step is to create a dedicated service account for Traefik.
+In a file called `00-account.yml`, put the following [`ServiceAccount`](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/#ServiceAccount) resource:
+
+```yaml tab="00-account.yml"
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-account
+```
+
+And then, bind the role on the account to apply the permissions and rules on the latter. In a file called `01-role-binding.yml`, put the
+following [`ClusterRoleBinding`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/#ClusterRoleBinding) resource:
+
+```yaml tab="01-role-binding.yml"
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role-binding
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-role
+subjects:
+  - kind: ServiceAccount
+    name: traefik-account
+    namespace: default # Using "default" because we did not specify a namespace when creating the ClusterAccount.
+```
+
+!!! info "`roleRef` is the Kubernetes reference to the role created in `00-role.yml`."
+
+!!! info "`subjects` is the list of accounts reference."
+
+    In this guide, it only contains the account created in `00-account.yml`
+
+## Deployment and Exposition
+
+!!! info "This section can be managed with the help of the [Traefik Helm chart](../install-traefik/#use-the-helm-chart)."
+
+The [ingress controller](https://traefik.io/glossary/kubernetes-ingress-and-ingress-controller-101/#what-is-a-kubernetes-ingress-controller)
+is a software that runs in the same way as any other application on a cluster.
+To start Traefik on the Kubernetes cluster,
+a [`Deployment`](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/) resource must exist to describe how to configure
+and scale containers horizontally to support larger workloads.
+
+Start by creating a file called `02-traefik.yml` and paste the following `Deployment` resource:
+
+```yaml tab="02-traefik.yml"
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: traefik-deployment
+  labels:
+    app: traefik
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik-account
+      containers:
+        - name: traefik
+          image: traefik:v2.10
+          args:
+            - --api.insecure
+            - --providers.kubernetesingress
+          ports:
+            - name: web
+              containerPort: 80
+            - name: dashboard
+              containerPort: 8080
+```
+
+The deployment contains an important attribute for customizing Traefik: `args`.
+These arguments are the static configuration for Traefik.
+From here, it is possible to enable the dashboard,
+configure entry points,
+select dynamic configuration providers,
+and [more](../reference/static-configuration/cli.md)...
+
+In this deployment,
+the static configuration enables the Traefik dashboard,
+and uses Kubernetes native Ingress resources as router definitions to route incoming requests.
+
+!!! info "When there is no entry point in the static configuration"
+
+    Traefik creates a default one called `web` using the port `80` routing HTTP requests.
+
+!!! info "When enabling the [`api.insecure`](../../operations/api/#insecure) mode, Traefik exposes the dashboard on the port `8080`."
+
+A deployment manages scaling and then can create lots of containers, called [Pods](https://kubernetes.io/docs/concepts/workloads/pods/).
+Each Pod is configured following the `spec` field in the deployment.
+Given that, a Deployment can run multiple Traefik Proxy Pods,
+a piece is required to forward the traffic to any of the instance:
+namely a [`Service`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#Service).
+Create a file called `02-traefik-services.yml` and insert the two `Service` resources:
+
+```yaml tab="02-traefik-services.yml"
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-dashboard-service
+
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 8080
+      targetPort: dashboard
+  selector:
+    app: traefik
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-web-service
+
+spec:
+  type: LoadBalancer
+  ports:
+    - targetPort: web
+      port: 80
+  selector:
+    app: traefik
+```
+
+!!! warning "It is possible to expose a service in different ways."
+
+    Depending on your working environment and use case, the `spec.type` might change.
+    It is strongly recommended to understand the available [service types](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) before proceeding to the next step.
+
+It is now time to apply those files on your cluster to start Traefik.
+
+```shell
+kubectl apply -f 00-role.yml \
+              -f 00-account.yml \
+              -f 01-role-binding.yml \
+              -f 02-traefik.yml \
+              -f 02-traefik-services.yml
+```
+
+## Proxying applications
+
+The only part still missing is the business application behind the reverse proxy.
+For this guide, we use the example application [traefik/whoami](https://github.com/traefik/whoami),
+but the principles are applicable to any other application.
+
+The `whoami` application is a simple HTTP server running on port 80 which answers host-related information to the incoming requests.
+As usual, start by creating a file called `03-whoami.yml` and paste the following `Deployment` resource:
+
+```yaml tab="03-whoami.yml"
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami
+          ports:
+            - name: web
+              containerPort: 80
+```
+
+And continue by creating the following `Service` resource in a file called `03-whoami-services.yml`:
+
+```yaml tab="03-whoami-services.yml"
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+
+spec:
+  ports:
+    - name: web
+      port: 80
+      targetPort: web
+      
+  selector:
+    app: whoami
+```
+
+Thanks to the Kubernetes API,
+Traefik is notified when an Ingress resource is created, updated, or deleted.
+This makes the process dynamic.
+The ingresses are, in a way, the [dynamic configuration](../../providers/kubernetes-ingress/) for Traefik.
+
+!!! tip
+
+    Find more information on [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/),
+    and [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official Kubernetes documentation.
+
+Create a file called `04-whoami-ingress.yml` and insert the `Ingress` resource:
+
+```yaml tab="04-whoami-ingress.yml"
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whoami-ingress
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: whoami
+            port:
+              name: web
+```
+
+This `Ingress` configures Traefik to redirect any incoming requests starting with `/` to the `whoami:80` service.
+
+At this point, all the configurations are ready.
+It is time to apply those new files:
+
+```shell
+kubectl apply -f 03-whoami.yml \
+              -f 03-whoami-services.yml \
+              -f 04-whoami-ingress.yml
+```
+
+Now you should be able to access the `whoami` application and the Traefik dashboard.
+Load the dashboard on a web browser: [`http://localhost:8080`](http://localhost:8080).
+
+And now access the `whoami` application:
+
+```shell
+curl -v http://localhost/
+```
+
+!!! question "Going further"
+
+    - [Filter the ingresses](../providers/kubernetes-ingress.md#ingressclass) to use with [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
+    - Use [IngressRoute CRD](../providers/kubernetes-crd.md)
+    - Protect [ingresses with TLS](../routing/providers/kubernetes-ingress.md#enabling-tls-via-annotations)
+    
+{!traefik-api-management-kubernetes.md!}

docs/content/getting-started/quick-start.md

@@ -1,3 +1,8 @@
+---
+title: "Traefik Getting Started Quickly"
+description: "Looking to get started with Traefik Proxy quickly? Read the technical documentation to learn a simple use case that leverages Docker."
+---
+
 # Quick Start
 
 A Simple Use Case Using Docker
@@ -14,8 +19,8 @@ version: '3'
 
 services:
   reverse-proxy:
-    # The official v2.0 Traefik docker image
-    image: traefik:v2.0
+    # The official v2 Traefik docker image
+    image: traefik:v2.10
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:
@@ -36,7 +41,7 @@ Start your `reverse-proxy` with the following command:
 docker-compose up -d reverse-proxy
 ```
 
-You can open a browser and go to [http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata) to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
+You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
 
 ## Traefik Detects New Services and Creates the Route for You
 
@@ -45,10 +50,15 @@ Now that we have a Traefik instance up and running, we will deploy new services.
 Edit your `docker-compose.yml` file and add the following at the end of your file.
 
 ```yaml
-# ...
+version: '3'
+
+services:
+
+  ...
+
   whoami:
     # A container that exposes an API to show its IP address
-    image: containous/whoami
+    image: traefik/whoami
     labels:
       - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```
@@ -61,7 +71,7 @@ Start the `whoami` service with the following command:
 docker-compose up -d whoami
 ```
 
-Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new container and updated its own configuration.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.
 
 When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, we're using curl)
 
@@ -85,7 +95,7 @@ Run more instances of your `whoami` service with the following command:
 docker-compose up -d --scale whoami=2
 ```
 
-Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new instance of the container.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.
 
 Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
 
@@ -108,4 +118,7 @@ IP: 172.27.0.4
 ```
 
 !!! question "Where to Go Next?"
+
     Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!
+
+{!traefik-for-business-applications.md!}

docs/content/glossary.md

@@ -1,22 +0,0 @@
-# TODO -- Glossary
-
-Where Every Technical Word finds its Definition`
-{: .subtitle}
-
-- [ ] Provider
-    - [ ] Types of providers (KV, annotation based, label based, configuration based)
-- [ ] Entrypoint
-- [ ] Routers
-- [ ] Middleware
-- [ ] Service
-- [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
-- [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
-- [ ] ACME
-- [ ] TraefikEE
-- [ ] Tracing
-- [ ] Metrics
-- [ ] Orchestrator
-- [ ] Key Value Store
-- [ ] Logs
-- [ ] Traefiker
-- [ ] Traefik (How to pronounce)

docs/content/https/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+    "extends": "../../.markdownlint.json",
+    "MD041": false
+}

docs/content/https/acme.md

@@ -1,3 +1,8 @@
+---
+title: "Traefik Let's Encrypt Documentation"
+description: "Learn how to configure Traefik Proxy to use an ACME provider like Let's Encrypt for automatic certificate generation. Read the technical documentation."
+---
+
 # Let's Encrypt
 
 Automatic HTTPS
@@ -6,84 +11,168 @@ Automatic HTTPS
 You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
 
 !!! warning "Let's Encrypt and Rate Limiting"
-    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
+    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to __one week__, and can not be overridden.
+    
+    When running Traefik in a container this file should be persisted across restarts. 
+    If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
+    To configure where certificates are stored, please take a look at the [storage](#storage) configuration.
+
+    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
+    when experimenting to avoid hitting this limit too fast.
+
+## Certificate Resolvers
+
+Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration),
+which are responsible for retrieving certificates from an ACME server.
+
+Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
+and is associated to a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).
+
+Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).
+
+You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
+
+!!! warning "Defining an [ACME challenge type](#the-different-acme-challenges) is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+??? note "Configuration Reference"
+
+    There are many available options for ACME.
+    For a quick glance at what's possible, browse the configuration reference:
+
+    ```yaml tab="File (YAML)"
+    --8<-- "content/https/ref-acme.yaml"
+    ```
+
+    ```toml tab="File (TOML)"
+    --8<-- "content/https/ref-acme.toml"
+    ```
+
+    ```bash tab="CLI"
+    --8<-- "content/https/ref-acme.txt"
+    ```
+
+## Domain Definition
+
+Certificate resolvers request certificates for a set of the domain names
+inferred from routers, with the following logic:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
+
+- If no [`tls.domains`](../routing/routers/index.md#domains) option is set,
+  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule),
+  by checking the `Host()` matchers.
+  Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
+
+Please note that:
+
+- When multiple domain names are inferred from a given router,
+  only **one** certificate is requested with the first domain name as the main domain,
+  and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
+
+- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
+  any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.
+
+Please check the [configuration examples below](#configuration-examples) for more details.
 
 ## Configuration Examples
 
 ??? example "Enabling ACME"
-    
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-      [entryPoints.web-secure]
-        address = ":443"
-    
-    [certificatesResolvers.sample.acme]
-      email = "your-email@your-domain.org"
-      storage = "acme.json"
-      [acme.httpChallenge]
-        # used during the challenge
-        entryPoint = "web"
-    ```
-    
+
     ```yaml tab="File (YAML)"
     entryPoints:
       web:
         address: ":80"
-    
-      web-secure:
+
+      websecure:
         address: ":443"
-    
+
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
-          email: your-email@your-domain.org
+          email: your-email@example.com
           storage: acme.json
           httpChallenge:
             # used during the challenge
             entryPoint: web
     ```
-    
-    ```bash tab="CLI"
-    --entryPoints.web.address=":80"
-    --entryPoints.websecure.address=":443"
-    # ...
-    --certificatesResolvers.sample.acme.email="your-email@your-domain.org"
-    --certificatesResolvers.sample.acme.storage="acme.json"
-    # used during the challenge
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@example.com"
+      storage = "acme.json"
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        # used during the challenge
+        entryPoint = "web"
     ```
 
-??? note "Configuration Reference"
-    
-    There are many available options for ACME.
-    For a quick glance at what's possible, browse the configuration reference:
-    
-    ```toml tab="File (TOML)"
-    --8<-- "content/https/ref-acme.toml"
-    ```
-    
-    ```yaml tab="File (YAML)"
-    --8<-- "content/https/ref-acme.yaml"
-    ```
-    
     ```bash tab="CLI"
-    --8<-- "content/https/ref-acme.txt"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    # ...
+    --certificatesresolvers.myresolver.acme.email=your-email@example.com
+    --certificatesresolvers.myresolver.acme.storage=acme.json
+    # used during the challenge
+    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
     ```
 
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+??? example "Single Domain from Router's Rule Example"
+
+    * A certificate for the domain `example.com` is requested:
+
+    --8<-- "content/https/include-acme-single-domain-example.md"
+
+??? example "Multiple Domains from Router's Rule Example"
+
+    * A certificate for the domains `example.com` (main) and `blog.example.org`
+      is requested:
+
+    --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
+
+??? example "Multiple Domains from Router's `tls.domain` Example"
+
+    * A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
+      is requested:
+
+    --8<-- "content/https/include-acme-multiple-domains-example.md"
+
 ## Automatic Renewals
 
 Traefik automatically tracks the expiry date of ACME certificates it generates.
 
-If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
+By default, Traefik manages 90 days certificates,
+and starts to renew certificates 30 days before their expiry.
 
-!!! note
+When using a certificate resolver that issues certificates with custom durations,
+one can configure the certificates' duration with the [`certificatesDuration`](#certificatesduration) option.
+
+!!! info ""
     Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
 
+## Using LetsEncrypt with Kubernetes
+
+When using LetsEncrypt with kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.
+
+!!! info ""
+    If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.
+
 ## The Different ACME Challenges
 
+!!! warning "Defining one ACME challenge is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
 ### `tlsChallenge`
 
 Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
@@ -93,23 +182,23 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 
 ??? example "Configuring the `tlsChallenge`"
 
-    ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
-      # ...
-      [certificatesResolvers.sample.acme.tlsChallenge]
-    ```
-
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           tlsChallenge: {}
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
+    ```
+
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.tlsChallenge=true
+    --certificatesresolvers.myresolver.acme.tlschallenge=true
     ```
 
 ### `httpChallenge`
@@ -117,48 +206,48 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
 
 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpchallenge.entrypoint` must be reachable by Let's Encrypt through port 80.
 
-??? example "Using an EntryPoint Called http for the `httpChallenge`"
-
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-      
-      [entryPoints.web-secure]
-        address = ":443"
-    
-    [certificatesResolvers.sample.acme]
-      # ...
-      [certificatesResolvers.sample.acme.httpChallenge]
-        entryPoint = "web"
-    ```
+??? example "Using an EntryPoint Called web for the `httpChallenge`"
 
     ```yaml tab="File (YAML)"
     entryPoints:
       web:
         address: ":80"
-    
-      web-secure:
+
+      websecure:
         address: ":443"
-    
+
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           httpChallenge:
             entryPoint: web
     ```
-    
-    ```bash tab="CLI"
-    --entryPoints.web.address=":80"
-    --entryPoints.websecure.address=":443"
-    # ...
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        entryPoint = "web"
     ```
 
-!!! note
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    # ...
+    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
+    ```
+
+!!! info ""
     Redirection is fully compatible with the `HTTP-01` challenge.
 
 ### `dnsChallenge`
@@ -167,18 +256,9 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 
 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
 
-    ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
-      # ...
-      [certificatesResolvers.sample.acme.dnsChallenge]
-        provider = "digitalocean"
-        delayBeforeCheck = 0
-    # ...
-    ```
-    
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           dnsChallenge:
@@ -186,95 +266,178 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
             delayBeforeCheck: 0
         # ...
     ```
-    
-    ```bash tab="CLI"
-    # ...
-    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
-    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.dnsChallenge]
+        provider = "digitalocean"
+        delayBeforeCheck = 0
     # ...
     ```
 
-    !!! important
-        A `provider` is mandatory.
+    ```bash tab="CLI"
+    # ...
+    --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
+    --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
+    # ...
+    ```
+
+!!! warning "`CNAME` support"
+
+    `CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
+    but there are a few cases where they can be [problematic](../../getting-started/faq/#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
+
+    If needed, `CNAME` support can be disabled with the following environment variable:
+
+    ```bash
+    LEGO_DISABLE_CNAME_SUPPORT=true
+    ```
+
+!!! important
+    A `provider` is mandatory.
 
 #### `providers`
- 
+
 Here is a list of supported `providers`, that can automate the DNS verification,
 along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
 Do not hesitate to complete it.
 
-Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
+Many lego environment variables can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
 For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
 
-| Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
-|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
-| [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
-| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
-| [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
-| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
-| [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
-| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key`                                               | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
-| [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
-| [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
-| [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
-| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
-| [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
-| [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
-| [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
-| [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
-| [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
-| [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
-| [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
-| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
-| [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
-| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/fastdns)      |
-| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
-| [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
-| [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
-| [GoDaddy](https://godaddy.com/)                             | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
-| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
-| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
-| [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
-| [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
-| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
-| [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
-| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
-| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
-| manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
-| [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
-| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
-| [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
-| [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
-| [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
-| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
-| [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
-| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
-| [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
-| [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
-| [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
-| [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
-| [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
-| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
-| [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
-| [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
-| [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
-| [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
-| [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
-| [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
-| [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
+For complete details, refer to your provider's _Additional configuration_ link.
 
-[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
+| Provider Name                                                          | Provider Code      | Environment Variables                                                                                                                       |                                                                                 |
+|------------------------------------------------------------------------|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
+| [ACME DNS](https://github.com/joohoi/acme-dns)                         | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
+| [Alibaba Cloud](https://www.alibabacloud.com)                          | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
+| [all-inkl](https://all-inkl.com)                                       | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
+| [ArvanCloud](https://www.arvancloud.com/en)                            | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
+| [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
+| [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
+| [Azure](https://azure.microsoft.com/services/dns/)                     | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
+| [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
+| [Brandit](https://www.brandit.com)                                     | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
+| [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
+| [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
+| [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
+| [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
+| [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
+| [CloudXNS](https://www.cloudxns.net)                                   | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
+| [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
+| [Derak Cloud](https://derak.cloud/)                                    | `derak`            | `DERAK_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/derak)            |
+| [deSEC](https://desec.io)                                              | `desec`            | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
+| [DigitalOcean](https://www.digitalocean.com)                           | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
+| [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
+| [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
+| [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
+| [DNSPod](https://www.dnspod.com/)                                      | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [Domain Offensive (do.de)](https://www.do.de/)                         | `dode`             | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
+| [Domeneshop](https://domene.shop)                                      | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
+| [DreamHost](https://www.dreamhost.com/)                                | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
+| [Duck DNS](https://www.duckdns.org/)                                   | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
+| [Dyn](https://dyn.com)                                                 | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [Dynu](https://www.dynu.com)                                           | `dynu`             | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
+| [EasyDNS](https://easydns.com/)                                        | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
+| [EdgeDNS](https://www.akamai.com/)                                     | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
+| [Epik](https://www.epik.com)                                           | `epik`             | `EPIK_SIGNATURE`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/epik)             |
+| [Exoscale](https://www.exoscale.com)                                   | `exoscale`         | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)         |
+| [Fast DNS](https://www.akamai.com/)                                    | `fastdns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
+| [Freemyip.com](https://freemyip.com)                                   | `freemyip`         | `FREEMYIP_TOKEN`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)         |
+| [G-Core Lab](https://gcorelabs.com/dns/)                               | `gcore`            | `GCORE_PERMANENT_API_TOKEN`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)            |
+| [Gandi v5](https://doc.livedns.gandi.net)                              | `gandiv5`          | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)          |
+| [Gandi](https://www.gandi.net)                                         | `gandi`            | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)            |
+| [Glesys](https://glesys.com/)                                          | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
+| [GoDaddy](https://www.godaddy.com)                                     | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
+| [Google Domains](https://domains.google)                               | `googledomains`    | `GOOGLE_DOMAINS_ACCESS_TOKEN`                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/)                 | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
+| [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
+| [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
+| [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
+| [Hurricane Electric](https://dns.he.net)                               | `hurricane`        | `HURRICANE_TOKENS` [^6]                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)        |
+| [HyperOne](https://www.hyperone.com)                                   | `hyperone`         | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)         |
+| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                    | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
+| [IIJ DNS Platform Service](https://www.iij.ad.jp)                      | `iijdpf`           | `IIJ_DPF_API_TOKEN` , `IIJ_DPF_DPM_SERVICE_CODE`                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/iijdpf)           |
+| [IIJ](https://www.iij.ad.jp/)                                          | `iij`              | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)              |
+| [Infoblox](https://www.infoblox.com/)                                  | `infoblox`         | `INFOBLOX_USERNAME`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)         |
+| [Infomaniak](https://www.infomaniak.com)                               | `infomaniak`       | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)       |
+| [Internet.bs](https://internetbs.net)                                  | `internetbs`       | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)       |
+| [INWX](https://www.inwx.de/en)                                         | `inwx`             | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)             |
+| [ionos](https://ionos.com/)                                            | `ionos`            | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)            |
+| [iwantmyname](https://iwantmyname.com)                                 | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
+| [Joker.com](https://joker.com)                                         | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
+| [Liara](https://liara.ir)                                              | `liara`            | `LIARA_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
+| [Lightsail](https://aws.amazon.com/lightsail/)                         | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
+| [Linode v4](https://www.linode.com)                                    | `linode`           | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
+| [Liquid Web](https://www.liquidweb.com/)                               | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
+| [Loopia](https://loopia.com/)                                          | `loopia`           | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)           |
+| [LuaDNS](https://luadns.com)                                           | `luadns`           | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)           |
+| [MyDNS.jp](https://www.mydns.jp/)                                      | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
+| [Mythic Beasts](https://www.mythic-beasts.com)                         | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
+| [name.com](https://www.name.com/)                                      | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
+| [Namecheap](https://www.namecheap.com)                                 | `namecheap`        | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)        |
+| [Namesilo](https://www.namesilo.com/)                                  | `namesilo`         | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)         |
+| [NearlyFreeSpeech.NET](https://www.nearlyfreespeech.net/)              | `nearlyfreespeech` | `NEARLYFREESPEECH_API_KEY`, `NEARLYFREESPEECH_LOGIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/nearlyfreespeech) |
+| [Netcup](https://www.netcup.eu/)                                       | `netcup`           | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)           |
+| [Netlify](https://www.netlify.com)                                     | `netlify`          | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)          |
+| [Nicmanager](https://www.nicmanager.com)                               | `nicmanager`       | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)       |
+| [NIFCloud](https://cloud.nifty.com/service/dns.htm)                    | `nifcloud`         | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)         |
+| [Njalla](https://njal.la)                                              | `njalla`           | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)           |
+| [Nodion](https://www.nodion.com)                                       | `nodion`           | `NODION_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/nodion)           |
+| [NS1](https://ns1.com/)                                                | `ns1`              | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)              |
+| [Open Telekom Cloud](https://cloud.telekom.de)                         | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
+| [Openstack Designate](https://docs.openstack.org/designate)            | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
+| [Oracle Cloud](https://cloud.oracle.com/home)                          | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
+| [OVH](https://www.ovh.com)                                             | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
+| [Plesk](https://www.plesk.com)                                         | `plesk`            | `PLESK_SERVER_BASE_URL`, `PLESK_USERNAME`, `PLESK_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/plesk)            |
+| [Porkbun](https://porkbun.com/)                                        | `porkbun`          | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)          |
+| [PowerDNS](https://www.powerdns.com)                                   | `pdns`             | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)             |
+| [Rackspace](https://www.rackspace.com/cloud/dns)                       | `rackspace`        | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)        |
+| [reg.ru](https://www.reg.ru)                                           | `regru`            | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)            |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
+| [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
+| [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
+| [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
+| [Selectel](https://selectel.ru/en/)                                    | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
+| [Servercow](https://servercow.de)                                      | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
+| [Simply.com](https://www.simply.com/en/domains/)                       | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
+| [Sonic](https://www.sonic.com/)                                        | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
+| [Stackpath](https://www.stackpath.com/)                                | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
+| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)             | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [TransIP](https://www.transip.nl/)                                     | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
+| [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
+| [Ultradns](https://neustarsecurityservices.com/dns-services)           | `ultradns`         | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns)         |
+| [Variomedia](https://www.variomedia.de/)                               | `variomedia`       | `VARIOMEDIA_API_TOKEN`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia)       |
+| [VegaDNS](https://github.com/shupp/VegaDNS-API)                        | `vegadns`          | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)          |
+| [Vercel](https://vercel.com)                                           | `vercel`           | `VERCEL_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)           |
+| [Versio](https://www.versio.nl/domeinnamen)                            | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
+| [VinylDNS](https://www.vinyldns.io)                                    | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
+| [VK Cloud](https://mcs.mail.ru/)                                       | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
+| [Vscale](https://vscale.io/)                                           | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
+| [VULTR](https://www.vultr.com)                                         | `vultr`            | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
+| [Websupport](https://websupport.sk)                                    | `websupport`       | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/websupport)       |
+| [WEDOS](https://www.wedos.com)                                         | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
+| [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
+| [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
+| [Zone.ee](https://www.zone.ee)                                         | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [Zonomi](https://zonomi.com)                                           | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
+| External Program                                                       | `exec`             | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
+| HTTP request                                                           | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
+| manual                                                                 | `manual`           | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                                 |
+
+[^1]: More information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/).
+[^2]: [Providing credentials to your application](https://cloud.google.com/docs/authentication/production).
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
+[^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
+[^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.
 
-!!! note "`delayBeforeCheck`"
+!!! info "`delayBeforeCheck`"
     By default, the `provider` verifies the TXT record _before_ letting ACME verify.
     You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
     This option is useful when internal networks block external DNS queries.
@@ -283,29 +446,29 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 
 Use custom DNS servers to resolve the FQDN authority.
 
-```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
-  # ...
-  [certificatesResolvers.sample.acme.dnsChallenge]
-    # ...
-    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       dnsChallenge:
         # ...
         resolvers:
-        - "1.1.1.1:53"
-        - "8.8.8.8:53"
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
 ```
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.dnsChallenge.resolvers:="1.1.1.1:53,8.8.8.8:53"
+--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
 #### Wildcard Domains
@@ -313,70 +476,104 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
 
-## `caServer`
+## External Account Binding
+
+- `kid`: Key identifier from External CA
+- `hmacEncoded`: HMAC key from External CA, should be in Base64 URL Encoding without padding format
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      eab:
+        kid: abc-keyID-xyz
+        hmacEncoded: abc-hmac-xyz
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.eab]
+    kid = "abc-keyID-xyz"
+    hmacEncoded = "abc-hmac-xyz"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
+--certificatesresolvers.myresolver.acme.eab.hmacencoded=abc-hmac-xyz
+```
+
+## More Configuration
+
+### `caServer`
+
+_Required, Default="https://acme-v02.api.letsencrypt.org/directory"_
+
+The CA server to use:
+
+- Let's Encrypt production server: https://acme-v02.api.letsencrypt.org/directory
+- Let's Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory
 
 ??? example "Using the Let's Encrypt staging server"
 
-    ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
-      # ...
-      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-      # ...
-    ```
-    
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           caServer: https://acme-staging-v02.api.letsencrypt.org/directory
           # ...
     ```
 
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+      # ...
+    ```
+
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+    --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
     # ...
     ```
 
-## `storage`
+### `storage`
+
+_Required, Default="acme.json"_
 
 The `storage` option sets the location where your ACME certificates are saved to.
 
-```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
-  # ...
-  storage = "acme.json"
-  # ...
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       storage: acme.json
       # ...
 ```
 
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  storage = "acme.json"
+  # ...
+```
+
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesresolvers.myresolver.acme.storage=acme.json
 # ...
 ```
 
-The value can refer to some kinds of storage:
-
-- a JSON file
-
-### In a File
-
-ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
+ACME certificates are stored in a JSON file that needs to have a `600` file mode.
 
 In Docker you can mount either the JSON file, or the folder containing it:
 
 ```bash
-docker run -v "/my/host/acme.json:acme.json" traefik
+docker run -v "/my/host/acme.json:/acme.json" traefik
 ```
 
 ```bash
@@ -384,15 +581,120 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 ```
 
 !!! warning
-    For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead.
+    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.
+
+### `certificatesDuration`
+
+_Optional, Default=2160_
+
+The `certificatesDuration` option defines the certificates' duration in hours.
+It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
+
+!!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      certificatesDuration: 72
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  certificatesDuration=72
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.certificatesduration=72
+# ...
+```
+
+`certificatesDuration` is used to calculate two durations:
+
+- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
+- `Renew Interval`: the interval between renew attempts.
+
+| Certificate Duration | Renew Period      | Renew Interval          |
+|----------------------|-------------------|-------------------------|
+| >= 1 year            | 4 months          | 1 week                  |
+| >= 90 days           | 30 days           | 1 day                   |
+| >= 7 days            | 1 day             | 1 hour                  |
+| >= 24 hours          | 6 hours           | 10 min                  |
+| < 24 hours           | 20 min            | 1 min                   |
+
+### `preferredChain`
+
+_Optional, Default=""_
+
+Preferred chain to use.
+
+If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+If no match, the default offered chain will be used.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      preferredChain: 'ISRG Root X1'
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  preferredChain = "ISRG Root X1"
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.preferredChain=ISRG Root X1
+# ...
+```
+
+### `keyType`
+
+_Optional, Default="RSA4096"_
+
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      keyType: 'RSA4096'
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  keyType = "RSA4096"
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.keyType=RSA4096
+# ...
+```
 
 ## Fallback
 
 If Let's Encrypt is not reachable, the following certificates will apply:
 
   1. Previously generated ACME certificates (before downtime)
-  1. Expired ACME certificates
-  1. Provided certificates
+  2. Expired ACME certificates
+  3. Provided certificates
 
-!!! note
+!!! important
     For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
+
+{!traefik-for-business-applications.md!}

docs/content/https/include-acme-multiple-domains-example.md

@@ -0,0 +1,91 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.routers.blog.tls.domains[0].main=example.org
+    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`example.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: myresolver
+    domains:
+    - main: example.org
+      sans:
+      - '*.example.org'
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`example.com`) && Path(`/blog`)"
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: "example.org"
+            sans:
+              - "*.example.org"
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "Host(`example.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver" # From static configuration
+      [[http.routers.blog.tls.domains]]
+        main = "example.org"
+        sans = ["*.example.org"]
+```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: myresolver
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
+      tls:
+        certResolver: myresolver
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver"
+```

docs/content/https/include-acme-single-domain-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`example.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: myresolver
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`example.com`) && Path(`/blog`)"
+      tls:
+        certResolver: myresolver
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+  rule = "Host(`example.com`) && Path(`/blog`)"
+  [http.routers.blog.tls]
+    certResolver = "myresolver"
+```

docs/content/https/overview.md

@@ -1,3 +1,8 @@
+---
+title: "Traefik Proxy  HTTPS & TLS Overview |Traefik Docs"
+description: "Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration: routers, and the TLS connection. Read the documentation to learn more."
+---
+
 # HTTPS & TLS
 
 Overview
@@ -14,3 +19,5 @@ The next sections of this documentation explain how to configure the TLS connect
 That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
+
+{!traefik-for-business-applications.md!}

docs/content/https/ref-acme.toml

@@ -1,11 +1,11 @@
 # Enable ACME (Let's Encrypt): automatic SSL.
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
 
   # Email address used for registration.
   #
   # Required
   #
-  email = "test@traefik.io"
+  email = "test@example.com"
 
   # File or key used for certificates storage.
   #
@@ -22,6 +22,24 @@
   #
   # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+  # The certificates' duration in hours.
+  # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+  #
+  # Optional
+  # Default: 2160
+  #
+  # certificatesDuration=2160
+
+  # Preferred chain to use.
+  #
+  # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+  # If no match, the default offered chain will be used.
+  #
+  # Optional
+  # Default: ""
+  #
+  # preferredChain = "ISRG Root X1"
+
   # KeyType to use.
   #
   # Optional
@@ -35,13 +53,13 @@
   #
   # Optional (but recommended)
   #
-  [certificatesResolvers.sample.acme.tlsChallenge]
+  [certificatesResolvers.myresolver.acme.tlsChallenge]
 
   # Use a HTTP-01 ACME challenge.
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.httpChallenge]
+  # [certificatesResolvers.myresolver.acme.httpChallenge]
 
     # EntryPoint to use for the HTTP-01 challenges.
     #
@@ -54,7 +72,7 @@
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.dnsChallenge]
+  # [certificatesResolvers.myresolver.acme.dnsChallenge]
 
     # DNS provider used.
     #

docs/content/https/ref-acme.txt

@@ -4,13 +4,13 @@
 #
 # Required
 #
---certificatesResolvers.sample.acme.email="test@traefik.io"
+--certificatesresolvers.myresolver.acme.email=test@example.com
 
 # File or key used for certificates storage.
 #
 # Required
 #
---certificatesResolvers.sample.acme.storage="acme.json"
+--certificatesresolvers.myresolver.acme.storage=acme.json
 
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
@@ -19,7 +19,25 @@
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
---certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+
+# The certificates' duration in hours.
+# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+#
+# Optional
+# Default: 2160
+#
+--certificatesresolvers.myresolver.acme.certificatesDuration=2160
+
+# Preferred chain to use.
+#
+# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+# If no match, the default offered chain will be used.
+#
+# Optional
+# Default: ""
+#
+--certificatesresolvers.myresolver.acme.preferredchain="ISRG Root X1"
 
 # KeyType to use.
 #
@@ -28,38 +46,38 @@
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
---certificatesResolvers.sample.acme.keyType=RSA4096
+--certificatesresolvers.myresolver.acme.keytype=RSA4096
 
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
---certificatesResolvers.sample.acme.tlsChallenge=true
+--certificatesresolvers.myresolver.acme.tlschallenge=true
 
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.httpChallenge=true
+--certificatesresolvers.myresolver.acme.httpchallenge=true
 
 # EntryPoint to use for the HTTP-01 challenges.
 #
 # Required
 #
---certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
 
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.dnsChallenge=true
+--certificatesresolvers.myresolver.acme.dnschallenge=true
 
 # DNS provider used.
 #
 # Required
 #
---certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
 
 # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
 # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
@@ -68,14 +86,14 @@
 # Optional
 # Default: 0
 #
---certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
 
 # Use following DNS servers to resolve the FQDN authority.
 #
 # Optional
 # Default: empty
 #
---certificatesResolvers.sample.acme.dnsChallenge.resolvers="1.1.1.1:53,8.8.8.8:53"
+--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 
 # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
 #
@@ -85,4 +103,4 @@
 # Optional
 # Default: false
 #
---certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
+--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

docs/content/https/ref-acme.yaml

@@ -1,5 +1,5 @@
 certificatesResolvers:
-  sample:
+  myresolver:
     # Enable ACME (Let's Encrypt): automatic SSL.
     acme:
 
@@ -7,7 +7,7 @@ certificatesResolvers:
       #
       # Required
       #
-      email: "test@traefik.io"
+      email: "test@example.com"
 
       # File or key used for certificates storage.
       #
@@ -24,6 +24,24 @@ certificatesResolvers:
       #
       # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+      # The certificates' duration in hours.
+      # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+      #
+      # Optional
+      # Default: 2160
+      #
+      # certificatesDuration: 2160
+
+      # Preferred chain to use.
+      #
+      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+      # If no match, the default offered chain will be used.
+      #
+      # Optional
+      # Default: ""
+      #
+      # preferredChain: 'ISRG Root X1'
+
       # KeyType to use.
       #
       # Optional

docs/content/https/tls.md

@@ -1,3 +1,8 @@
+---
+title: "Traefik TLS Documentation"
+description: "Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation."
+---
+
 # TLS
 
 Transport Layer Security
@@ -13,7 +18,20 @@ See the [Let's Encrypt](./acme.md) page.
 
 To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
 
-```toml tab="TOML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  certificates:
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [[tls.certificates]]
   certFile = "/path/to/domain.cert"
   keyFile = "/path/to/domain.key"
@@ -23,43 +41,56 @@ To add / remove TLS certificates, even when Traefik is already running, their de
   keyFile = "/path/to/other-domain.key"
 ```
 
-```yaml tab="YAML"
-tls:
-  certificates:
-  - certFile: /path/to/domain.cert
-    keyFile: /path/to/domain.key
-  - certFile: /path/to/other-domain.cert
-    keyFile: /path/to/other-domain.key
-```
-
-!!! important "File Provider Only"
+!!! important "Restriction"
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
 
 ## Certificates Stores
 
 In Traefik, certificates are grouped together in certificates stores, which are defined as such:
 
-```toml tab="TOML"
-[tls.stores]
-  [tls.stores.default]
-```
+```yaml tab="File (YAML)"
+# Dynamic configuration
 
-```yaml tab="YAML"
 tls:
   stores:
     default: {}
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default]
+```
+
 !!! important "Restriction"
 
     Any store definition other than the default one (named `default`) will be ignored,
-    and there is thefore only one globally available TLS store.
+    and there is therefore only one globally available TLS store.
 
 In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
 
-```toml tab="TOML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  certificates:
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+      stores:
+        - default
+    # Note that since no store is defined,
+    # the certificate below will be stored in the `default` store.
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [[tls.certificates]]
   certFile = "/path/to/domain.cert"
   keyFile = "/path/to/domain.key"
@@ -72,19 +103,6 @@ In the `tls.certificates` section, a list of stores can then be specified to ind
   keyFile = "/path/to/other-domain.key"
 ```
 
-```yaml tab="YAML"
-tls:
-  certificates:
-  - certFile: /path/to/domain.cert
-    keyFile: /path/to/domain.key
-    stores:
-    - default
-  # Note that since no store is defined,
-  # the certificate below will be stored in the `default` store.
-  - certFile: /path/to/other-domain.cert
-    keyFile: /path/to/other-domain.key
-```
-
 !!! important "Restriction"
 
     The `stores` list will actually be ignored and automatically set to `["default"]`.
@@ -94,15 +112,9 @@ tls:
 Traefik can use a default certificate for connections without a SNI, or without a matching domain.
 This default certificate should be defined in a TLS store:
 
-```toml tab="TOML"
-[tls.stores]
-  [tls.stores.default]
-    [tls.stores.default.defaultCertificate]
-      certFile = "path/to/cert.crt"
-      keyFile  = "path/to/cert.key"
-```
+```yaml tab="File (YAML)"
+# Dynamic configuration
 
-```yaml tab="YAML"
 tls:
   stores:
     default:
@@ -111,25 +123,138 @@ tls:
         keyFile: path/to/cert.key
 ```
 
-If no default certificate is provided, Traefik generates and uses a self-signed certificate.
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
+      certFile = "path/to/cert.crt"
+      keyFile  = "path/to/cert.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultCertificate:
+    secretName: default-certificate
+    
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default-certificate
+  namespace: default
+  
+type: Opaque
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+If no `defaultCertificate` is provided, Traefik will use the generated one.
+
+### ACME Default Certificate
+
+You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate.
+The configuration to resolve the default certificate should be defined in a TLS store:
+
+!!! important "Precedence with the `defaultGeneratedCert` option"
+
+    The `defaultGeneratedCert` definition takes precedence over the ACME default certificate configuration.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: myresolver
+        domain:
+          main: example.org
+          sans:
+            - foo.example.org
+            - bar.example.org
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default.defaultGeneratedCert]
+    resolver = "myresolver"
+    [tls.stores.default.defaultGeneratedCert.domain]
+      main = "example.org"
+      sans = ["foo.example.org", "bar.example.org"]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultGeneratedCert:
+    resolver: myresolver
+    domain:
+      main: example.org
+      sans:
+        - foo.example.org
+        - bar.example.org
+```
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.tls.stores.default.defaultgeneratedcert.resolver": "myresolver",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.main": "example.org",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.sans": "foo.example.org, bar.example.org",
+}
+```
 
 ## TLS Options
 
 The TLS options allow one to configure some parameters of the TLS connection.
 
+!!! important "'default' TLS Option"
+
+    The `default` option is special.
+    When no tls options are specified in a tls router, the `default` option is used.  
+    When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.  
+    Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
+    you must specify the provider namespace, for example:  
+    `traefik.http.routers.myrouter.tls.options=myoptions@file`
+
+!!! important "TLSOption in Kubernetes"
+
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    if not explicitly overwritten, should apply to all ingresses.  
+    To achieve that, you'll have to create a TLSOption resource with the name `default`.
+    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
+    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
+    you'll have to add an annotation to the Ingress in the following form:
+    `traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`
+
 ### Minimum TLS Version
 
-```toml tab="TOML"
-[tls.options]
+```yaml tab="File (YAML)"
+# Dynamic configuration
 
-  [tls.options.default]
-    minVersion = "VersionTLS12"
-
-  [tls.options.mintls13]
-    minVersion = "VersionTLS13"
-```
-
-```yaml tab="YAML"
 tls:
   options:
     default:
@@ -139,21 +264,280 @@ tls:
       minVersion: VersionTLS13
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+
+  [tls.options.mintls13]
+    minVersion = "VersionTLS13"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  minVersion: VersionTLS12
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: mintls13
+  namespace: default
+
+spec:
+  minVersion: VersionTLS13
+```
+
+### Maximum TLS Version
+
+We discourage the use of this setting to disable TLS1.3.
+
+The recommended approach is to update the clients to support TLS1.3.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      maxVersion: VersionTLS13
+
+    maxtls12:
+      maxVersion: VersionTLS12
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    maxVersion = "VersionTLS13"
+
+  [tls.options.maxtls12]
+    maxVersion = "VersionTLS12"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS13
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: maxtls12
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS12
+```
+
+### Cipher Suites
+
+See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+    ]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  cipherSuites:
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+```
+
+!!! important "TLS 1.3"
+
+    Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. (<https://tools.ietf.org/html/rfc8446>)  
+    With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
+    <https://golang.org/doc/go1.12#tls_1_3>
+
+### Curve Preferences
+
+This option allows to set the preferred elliptic curves in a specific order.
+
+The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.
+
+See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    curvePreferences = ["CurveP521", "CurveP384"]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  curvePreferences:
+    - CurveP521
+    - CurveP384
+```
+
+### Strict SNI Checking
+
+With strict SNI checking enabled, Traefik won't allow connections from clients that do not specify a server_name extension
+or don't match any of the configured certificates.
+The default certificate is irrelevant on that matter.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      sniStrict: true
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    sniStrict = true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  sniStrict: true
+```
+
+### ALPN Protocols
+
+_Optional, Default="h2, http/1.1, acme-tls/1"_
+
+This option allows to specify the list of supported application level protocols for the TLS handshake,
+in order of preference.
+If the client supports ALPN, the selected protocol will be one from this list, 
+and the connection will fail if there is no mutually supported protocol.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      alpnProtocols:
+        - http/1.1
+        - h2
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    alpnProtocols = ["http/1.1", "h2"]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  alpnProtocols:
+    - http/1.1
+    - h2
+```
+
 ### Client Authentication (mTLS)
 
 Traefik supports mutual authentication, through the `clientAuth` section.
 
-For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
- 
+For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in `clientAuth.caFiles`.
+
+In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) for more details.
+
 The `clientAuth.clientAuthType` option governs the behaviour as follows:
 
 - `NoClientCert`: disregards any client certificate.
 - `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
-- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
-- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
-- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`. 
+- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`.
+- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. Otherwise proceeds without any certificate.
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      clientAuth:
+        # in PEM format. each file can contain multiple CAs.
+        caFiles:
+          - tests/clientca1.crt
+          - tests/clientca2.crt
+        clientAuthType: RequireAndVerifyClientCert
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
 
-```toml tab="TOML"
 [tls.options]
   [tls.options.default]
     [tls.options.default.clientAuth]
@@ -162,54 +546,19 @@ The `clientAuth.clientAuthType` option governs the behaviour as follows:
       clientAuthType = "RequireAndVerifyClientCert"
 ```
 
-```yaml tab="YAML"
-tls:
-  options:
-    default:
-      clientAuth:
-        # in PEM format. each file can contain multiple CAs.
-        caFiles:
-        - tests/clientca1.crt
-        - tests/clientca2.crt
-        clientAuthType: RequireAndVerifyClientCert
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  clientAuth:
+    # the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
+    secretNames:
+      - secretCA
+    clientAuthType: RequireAndVerifyClientCert
 ```
 
-### Cipher Suites
-
-See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
-
-```toml tab="TOML"
-[tls.options]
-  [tls.options.default]
-    cipherSuites = [
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_RSA_WITH_AES_256_GCM_SHA384"
-    ]
-```
-
-```yaml tab="YAML"
-tls:
-  options:
-    default:
-      cipherSuites:
-      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-      - TLS_RSA_WITH_AES_256_GCM_SHA384
-```
-
-### Strict SNI Checking
-
-With strict SNI checking, Traefik won't allow connections from clients connections
-that do not specify a server_name extension.
-
-```toml tab="TOML"
-[tls.options]
-  [tls.options.default]
-    sniStrict = true
-```
-
-```yaml tab="YAML"
-tls:
-  options:
-    default:
-      sniStrict: true
-```
+{!traefik-for-business-applications.md!}

docs/content/includes/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+  "extends": "../../.markdownlint.json",
+  "MD041": false
+}

docs/content/includes/traefik-api-management-kubernetes.md

@@ -0,0 +1,11 @@
+---
+
+!!! question "Managing APIs in Kubernetes?"
+
+    If your organization is publishing, securing, and managing APIs, consider [Traefik Hub](https://traefik.io/traefik-hub/) for your API management solution.
+    
+    - K8s services auto-discovery, 100% CRDs configuration, & full GitOps compliance
+    - Centralized control plane for all APIs, users, & infrastructure components
+    - Self-serve API portal with API discovery, documentation, testing, & access control
+
+    Traefik Hub makes managing APIs easier than ever before. See for yourself in this [short video walkthrough](https://info.traefik.io/watch-traefik-hub-demo).

docs/content/includes/traefik-for-business-applications.md

@@ -0,0 +1,11 @@
+---
+
+!!! question "Using Traefik for Business Applications?"
+
+    If you are using Traefik in your organization, consider [Traefik Enterprise](https://traefik.io/traefik-enterprise/). You can use it as your:
+
+    - [API Gateway](https://traefik.io/solutions/api-gateway/)
+    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
+    - [Docker Swarm Ingress Controller](https://traefik.io/solutions/docker-swarm-ingress/)
+
+    Traefik Enterprise simplifies the discovery, security, and deployment of APIs and microservices across any environment. See it in action in [this short video walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/index.md

@@ -1,9 +1,13 @@
+---
+title: "Traefik Proxy Documentation"
+description: "Traefik Proxy, an open source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
+---
 
 # Welcome
 
 ![Architecture](assets/img/traefik-architecture.png)
 
-Traefik is an [open-source](https://github.com/containous/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
 It receives requests on behalf of your system and finds out which components are responsible for handling them. 
 
 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
@@ -18,6 +22,10 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 -- The Traefik Maintainer Team 
 
-!!! Note
+!!! info
 
-    If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 
+    Join our user friendly and active [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the traefik community.
+
+    Using Traefik in your organization? Consider [Traefik Enterprise](https://traefik.io/traefik-enterprise/ "Lino to Traefik Enterprise"), our unified API Gateway and Ingress that simplifies the discovery, security, and deployment of APIs and microservices across any environment.
+
+    See it in action in [this short video walkthrough](https://info.traefik.io/watch-traefikee-demo "Link to video walkthrough").

docs/content/middlewares/buffering.md

@@ -1,97 +0,0 @@
-# Buffering
-
-How to Read the Request before Forwarding It
-{: .subtitle }
-
-![Buffering](../assets/img/middleware/buffering.png)
-
-The Buffering middleware gives you control on how you want to read the requests before sending them to services.
-
-With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified limit.
-
-This can help services deal with large data (multipart/form-data for example), and can minimize time spent sending data to a service.
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Sets the maximum request body to 2Mb
-labels:
-- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
-```
-
-```yaml tab="Kubernetes"
-# Sets the maximum request body to 2Mb
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: limit
-spec:
-  buffering:
-    maxRequestBodyBytes: 250000
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "250000"
-}
-```
-
-```yaml tab="Rancher"
-# Sets the maximum request body to 2Mb
-labels:
-- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
-```
-
-```toml tab="File (TOML)"
-# Sets the maximum request body to 2Mb
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    maxRequestBodyBytes = 250000
-```
-
-```yaml tab="File (YAML)"
-# Sets the maximum request body to 2Mb
-http:
-  middlewares:
-    limit:
-      buffering:
-        maxRequestBodyBytes: 250000
-```
-
-## Configuration Options
-
-### `maxRequestBodyBytes`
-
-With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
-
-If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
-
-### `memRequestBodyBytes`
-
-You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
-
-### `maxResponseBodyBytes`
-
-With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
-
-If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
-
-### `memResponseBodyBytes`
-
-You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
-
-### `retryExpression`
-
-You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
-
-!!! example "Retries once in case of a network error"
-    
-    ```toml
-    retryExpression = "IsNetworkError() && Attempts() < 2"
-    ```
-    
-Available functions for the retry expression are:
-
-- `Attempts()` number of attempts (the first one counts)
-- `ResponseCode()` response code of the service
-- `IsNetworkError()` - if the response code is related to networking error 

docs/content/middlewares/circuitbreaker.md

@@ -1,175 +0,0 @@
-# CircuitBreaker
-
-Don't Waste Time Calling Unhealthy Services
-{: .subtitle }
-
-![CircuitBreaker](../assets/img/middleware/circuitbreaker.png) 
-
-The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
-
-When your system is healthy, the circuit is close (normal operations). 
-When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
-
-To assess if your system is healthy, the circuit breaker constantly monitors the services. 
-
-!!! Note
-
-    - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
-    - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
-
-!!! important
-
-    Each router will eventually gets its own instance of a given circuit breaker. If two different routers refer to the same circuit breaker definition, they will get one instance each. It means that one circuit breaker can be open while the other stays close: their state is not shared. This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Latency Check
-labels:
-- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
-```
-
-```yaml tab="Kubernetes"
-# Latency Check
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: latency-check
-spec:
-  circuitBreaker:
-    expression: LatencyAtQuantileMS(50.0) > 100
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
-}
-```
-
-```yaml tab="Rancher"
-# Latency Check
-labels:
-- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
-```
-
-```toml tab="File (TOML)"
-# Latency Check
-[http.middlewares]
-  [http.middlewares.latency-check.circuitBreaker]
-    expression = "LatencyAtQuantileMS(50.0) > 100"
-```
-
-```yaml tab="File (YAML)"
-# Latency Check
-http:
-  middlewares:
-    latency-check:
-      circuitBreaker:
-        expression: "LatencyAtQuantileMS(50.0) > 100"
-```
-
-## Possible States
-
-There are three possible states for your circuit breaker:
-
-- Close (your service operates normally)
-- Open (the fallback mechanism takes over your service)
-- Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)
-
-### Close
-
-While close, the circuit breaker only collects metrics to analyze the behavior of the requests.
-
-At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change. 
-
-### Open
-
-While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
-After this duration, it will enter the recovering state.
-
-### Recovering
-
-While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
-If your service fails during recovery, the circuit breaker becomes open again.
-If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
-
-## Configuration Options
-
-### Configuring the Trigger
-
-You can specify an `expression` that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services).
-
-The `expression` can check three different metrics:
-
-- The network error ratio (`NetworkErrorRatio`)
-- The status code ratio (`ResponseCodeRatio`)
-- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
-
-#### `NetworkErrorRatio`
-
-If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
-
-#### `ResponseCodeRatio`
-
-You can trigger the circuit breaker based on the ratio of a given range of status codes.
-
-The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.
-
-The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
-
-!!! Note
-    If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
-    
-    `from`is inclusive, `to` is exclusive. 
-
-For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX). 
-
-#### `LatencyAtQuantileMS`
-
-You can trigger the circuit breaker when a given proportion of your requests become too slow.
-
-For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
-
-!!! Note
-
-    You must provide a float number (with the trailing .0) for the quantile value
- 
-#### Using multiple metrics
-
-You can combine multiple metrics using operators in your expression.
-
-Supported operators are:
-
-- AND (`&&`)
-- OR (`||`)
-
-For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%. 
-
-#### Operators
-
-Here is the list of supported operators:
-
-- Greater than (`>`)
-- Greater or equal than (`>=`)
-- Lesser than (`<`)
-- Lesser or equal than (`<=`)
-- Equal (`==`)
-- Not Equal (`!=`)
- 
-### Fallback mechanism
-
-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured. 
-
-### `CheckPeriod`
-
-The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
-
-### `FallbackDuration`
-
-By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
-
-### `RecoveringDuration`
-
-The duration of the recovering mode (recovering state). 
-
-By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.  

docs/content/middlewares/compress.md

@@ -1,60 +0,0 @@
-# Compress
-
-Compressing the Response before Sending it to the Client
-{: .subtitle }
-
-![Compress](../assets/img/middleware/compress.png)
-
-The Compress middleware enables the gzip compression. 
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Enable gzip compression
-labels:
-- "traefik.http.middlewares.test-compress.compress=true"
-```
-
-```yaml tab="Kubernetes"
-# Enable gzip compression
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: test-compress
-spec:
-  compress: {}
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-compress.compress": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Enable gzip compression
-labels:
-- "traefik.http.middlewares.test-compress.compress=true"
-```
-
-```toml tab="File (TOML)"
-# Enable gzip compression
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-```
-
-```yaml tab="File (YAML)"
-# Enable gzip compression
-http:
-  middlewares:
-    test-compress:
-      compress: {}
-```
-
-## Notes
-
-Responses are compressed when:
-
-* The response body is larger than `1400` bytes.
-* The `Accept-Encoding` request header contains `gzip`.
-* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

docs/content/middlewares/errorpages.md

@@ -1,105 +0,0 @@
-# ErrorPage
-
-It Has Never Been Easier to Say That Something Went Wrong
-{: .subtitle }
-
-![ErrorPages](../assets/img/middleware/errorpages.png)
-
-The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-
-!!! important
-    The error page itself is _not_ hosted by Traefik.
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Dynamic Custom Error Page for 5XX Status Code
-labels:
-- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
-- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
-- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: test-errorpage
-spec:
-  errors:
-    status:
-    - 500-599
-    query: /{status}.html
-    service:
-      name: whoami
-      port: 80
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-errorpage.errors.status": "500-599",
-  "traefik.http.middlewares.test-errorpage.errors.service": "serviceError",
-  "traefik.http.middlewares.test-errorpage.errors.query": "/{status}.html"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Custom Error Page for 5XX Status Code
-labels:
-- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
-- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
-- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
-```
-
-```toml tab="File (TOML)"
-# Custom Error Page for 5XX
-[http.middlewares]
-  [http.middlewares.test-errorpage.errors]
-    status = ["500-599"]
-    service = "serviceError"
-    query = "/{status}.html"
-
-[http.services]
-  # ... definition of error-handler-service and my-service
-```
-
-```yaml tab="File (YAML)"
-# Custom Error Page for 5XX
-http:
-  middlewares:
-    test-errorpage:
-      errors:
-        status:
-        - "500-599"
-        service: serviceError
-        query: "/{status}.html"
-
-[http.services]
-  # ... definition of error-handler-service and my-service
-```
-
-!!! note 
-    In this example, the error page URL is based on the status code (`query=/{status}.html`).
-
-## Configuration Options
-
-### `status`
-
-The `status` that will trigger the error page.
-
-The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
- 
-!!! Note
-
-    You can define either a status code like `500` or ranges with a syntax like `500-599`.
-
-### `service`
-
-The service that will serve the new requested error page.
-
-!!! Note
-    In kubernetes, you need to reference a kubernetes service instead of a traefik service.
-
-### `query`
-
-The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.