Prepare release v2.3.2

Co-authored-by: jbdoumenjou <jb.doumenjou@gmail.com>

.dockerignore

@@ -1,3 +1,5 @@
 dist/
 !dist/traefik
 site/
+vendor/
+.idea/

.github/CODEOWNERS

@@ -1,24 +0,0 @@
-provider/kubernetes/**  @containous/kubernetes
-provider/rancher/**     @containous/rancher
-provider/marathon/**    @containous/marathon
-provider/docker/**      @containous/docker
-
-docs/user-guide/kubernetes.md       @containous/kubernetes
-docs/user-guide/marathon.md         @containous/marathon
-docs/user-guide/swarm.md            @containous/docker
-docs/user-guide/swarm-mode.md       @containous/docker
-
-docs/configuration/backends/docker.md       @containous/docker
-docs/configuration/backends/kubernetes.md   @containous/kubernetes
-docs/configuration/backends/marathon.md     @containous/marathon
-docs/configuration/backends/rancher.md      @containous/rancher
-
-examples/k8s/                   @containous/kubernetes
-examples/compose-k8s.yaml       @containous/kubernetes
-examples/k8s.namespace.yaml     @containous/kubernetes
-examples/compose-rancher.yml    @containous/rancher
-examples/compose-marathon.yml   @containous/marathon
-
-vendor/github.com/gambol99/go-marathon  @containous/marathon
-vendor/github.com/rancher               @containous/rancher
-vendor/k8s.io/                          @containous/kubernetes

.github/ISSUE_TEMPLATE.md

@@ -1,3 +1,7 @@
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
+
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
@@ -8,21 +12,12 @@ For end-user related support questions, please refer to one of the following:
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-If you intend to ask a support question: DO NOT FILE AN ISSUE.
--->
-
-### Did you try using a 1.7.x configuration for the version 2.0?
-
-- [ ] Yes
-- [ ] No
+Bug
 
 <!--
 
-If you just checked the "Yes" box, be aware that this is probably not a bug. The configurations between 1.X and 2.X are NOT compatible. Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+The configurations between 1.X and 2.X are NOT compatible.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
 
 -->
 
@@ -30,7 +25,7 @@ If you just checked the "Yes" box, be aware that this is probably not a bug. The
 
 <!--
 
-HOW TO WRITE A GOOD ISSUE?
+HOW TO WRITE A GOOD BUG REPORT?
 
 - Respect the issue template as much as possible.
 - The title should be short and descriptive.
@@ -52,13 +47,12 @@ HOW TO WRITE A GOOD ISSUE?
 ### Output of `traefik version`: (_What version of Traefik are you using?_)
 
 <!--
+`latest` is not considered as a valid version.
+
 For the Traefik Docker image:
     docker run [IMAGE] version
     ex: docker run traefik version
 
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
 -->
 
 ```
@@ -70,12 +64,13 @@ For the alpine Traefik Docker image:
 ```toml
 # (paste your configuration here)
 ```
+
 <!--
 Add more configuration information here.
 -->
 
 
-### If applicable, please paste the log output at DEBUG level (`--log.level=DEBUG` switch)
+### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
 
 ```
 (paste your output here)

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -3,6 +3,9 @@ name: Bug report
 about: Create a report to help us improve
 
 ---
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
 
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
@@ -14,19 +17,12 @@ For end-user related support questions, please refer to one of the following:
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
 Bug
 
-### Did you try using a 1.7.x configuration for the version 2.0?
-
-- [ ] Yes
-- [ ] No
-
 <!--
 
-If you just checked the "Yes" box, be aware that this is probably not a bug. The configurations between 1.X and 2.X are NOT compatible. Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+The configurations between 1.X and 2.X are NOT compatible.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
 
 -->
 
@@ -56,13 +52,12 @@ HOW TO WRITE A GOOD BUG REPORT?
 ### Output of `traefik version`: (_What version of Traefik are you using?_)
 
 <!--
+`latest` is not considered as a valid version.
+
 For the Traefik Docker image:
     docker run [IMAGE] version
     ex: docker run traefik version
 
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
 -->
 
 ```

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -3,6 +3,9 @@ name: Feature request
 about: Suggest an idea for this project
 
 ---
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
 
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
@@ -14,9 +17,6 @@ For end-user related support questions, please refer to one of the following:
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
 Feature
 
 ### What did you expect to see?

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,18 +1,19 @@
 <!--
 PLEASE READ THIS MESSAGE.
 
-HOW TO WRITE A GOOD PULL REQUEST?
+Documentation fixes or enhancements:
+- for Traefik v1: use branch v1.7
+- for Traefik v2: use branch v2.3
 
-- Make it small.
-- Do only one thing.
-- Avoid re-formatting.
-- Make sure the code builds.
-- Make sure all tests pass.
-- Add tests.
-- Write useful descriptions and titles.
-- Address review comments in terms of additional commits.
-- Do not amend/squash existing ones unless the PR is trivial.
-- Read the contributing guide: https://github.com/containous/traefik/blob/master/CONTRIBUTING.md.
+Bug fixes:
+- for Traefik v1: use branch v1.7
+- for Traefik v2: use branch v2.3
+
+Enhancements:
+- for Traefik v1: we only accept bug fixes
+- for Traefik v2: use branch master
+
+HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
 
 -->
 

.gitignore

@@ -16,3 +16,5 @@
 *.exe
 cover.out
 vendor/
+plugins-storage/
+traefik_changelog.md

.golangci.toml

@@ -1,6 +1,9 @@
 [run]
-  deadline = "10m"
+  timeout = "10m"
   skip-files = []
+  skip-dirs = [
+    "pkg/provider/kubernetes/crd/generated/",
+  ]
 
 [linters-settings]
 
@@ -40,7 +43,18 @@
     "scopelint",
     "gochecknoinits",
     "gochecknoglobals",
+    "godox",
+    "gocognit",
     "bodyclose", # Too many false-positive and panics.
+    "wsl", # Too strict
+    "gomnd", # Too strict
+    "stylecheck", # skip because report issues related to some generated files.
+    "testpackage", # Too strict
+    "goerr113", # Too strict
+    "nestif", # Too many false-positive.
+    "noctx", # Too strict
+    "exhaustive", # Too strict
+    "nlreturn", # Too strict
   ]
 
 [issues]
@@ -54,7 +68,7 @@
   ]
  [[issues.exclude-rules]]
     path = "(.+)_test.go"
-    linters = ["goconst", "funlen"]
+    linters = ["goconst", "funlen", "godot"]
  [[issues.exclude-rules]]
     path = "integration/.+_test.go"
     text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
@@ -85,6 +99,18 @@
  [[issues.exclude-rules]]
     path = "cmd/configuration.go"
     text = "string `traefik` has (\\d) occurrences, make it a constant"
+ [[issues.exclude-rules]]
+    path = "pkg/server/middleware/middlewares.go"
+    text = "Function 'buildConstructor' has too many statements"
  [[issues.exclude-rules]] # FIXME must be fixed
     path = "cmd/context.go"
     text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/haystack/logger.go"
+    linters = ["goprintffuncname"]
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/tracing.go"
+    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
+ [[issues.exclude-rules]]
+    path = "pkg/log/deprecated.go"
+    linters = ["godot"]

.goreleaser.yml

@@ -7,11 +7,11 @@ before:
 builds:
   - binary: traefik
 
-    main: ./cmd/traefik/traefik.go
+    main: ./cmd/traefik/
     env:
       - CGO_ENABLED=0
     ldflags:
-      - -s -w -X github.com/containous/traefik/v2/pkg/version.Version={{.Version}} -X github.com/containous/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/containous/traefik/v2/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
 
     goos:
       - linux
@@ -34,8 +34,10 @@ builds:
         goarch: 386
       - goos: openbsd
         goarch: arm
+      - goos: openbsd
+        goarch: arm64
       - goos: freebsd
-        goarch: arm
+        goarch: arm64
 
 changelog:
   skip: true

.semaphoreci/setup.sh

@@ -1,6 +1,6 @@
 # For personnal CI
-# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/containous/
-# cd /home/runner/workspace/src/github.com/containous/traefik/
+# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/traefik/
+# cd /home/runner/workspace/src/github.com/traefik/traefik/
 for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
 sudo swapoff -a
 sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
@@ -10,7 +10,7 @@ sudo rm -rf /home/runner/.rbenv
 sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
 #export DOCKER_VERSION=18.06.3
 source .semaphoreci/vars
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
+if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/traefik/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
 echo ${SHOULD_TEST}
 if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
 echo ${TEMP_STORAGE}
@@ -18,9 +18,9 @@ echo ${SHOULD_TEST}
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
 if [ -n "$SHOULD_TEST" ]; then docker version; fi
-export GO_VERSION=1.12
+export GO_VERSION=1.13
 if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-#if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
+#if [ "${GO_VERSION}" == '1.15' ]; then export GO_VERSION=1.15rc2; fi
 echo "Selected Go version: ${GO_VERSION}"
 
 if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi

.semaphoreci/vars

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -e
 
-export REPO='containous/traefik'
+export REPO='traefik/traefik'
 
 if VERSION=$(git describe --exact-match --abbrev=0 --tags);
 then
@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=montdor
+export CODENAME=picodon
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -11,7 +11,7 @@ env:
   global:
     - REPO=$TRAVIS_REPO_SLUG
     - VERSION=$TRAVIS_TAG
-    - CODENAME=montdor
+    - CODENAME=picodon
     - GO111MODULE=on
 
 script:
@@ -29,8 +29,9 @@ before_deploy:
       if [ "$TRAVIS_TAG" ]; then
         make release-packages;
       fi;
-      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
-      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
+      curl -sfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
+      curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b "${GOPATH}/bin" ${MIXTUS_VERSION}
+      structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
     fi
 
 deploy:
@@ -40,19 +41,17 @@ deploy:
     skip_cleanup: true
     file_glob: true
     on:
-      repo: containous/traefik
+      repo: traefik/traefik
       tags: true
   - provider: script
     script: sh script/deploy.sh
     skip_cleanup: true
     on:
-      repo: containous/traefik
+      repo: traefik/traefik
       tags: true
-  - provider: pages
-    edge: false
-    github_token: ${GITHUB_TOKEN}
-    local_dir: site
+  - provider: script
+    script: mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
     skip_cleanup: true
     on:
-      repo: containous/traefik
-      all_branches: true
+      repo: traefik/traefik
+      all_branches: true

CODE_OF_CONDUCT.md

@@ -36,7 +36,7 @@ Representation of a project may be further defined and clarified by project main
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
 All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
 The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
 Further details of specific enforcement policies may be posted separately.
@@ -48,4 +48,4 @@ Project maintainers who do not follow or enforce the Code of Conduct in good fai
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -1,3 +1,4 @@
 # Contributing
 
-See <https://docs.traefik.io/v2.0/contributing/thank-you/>.
+- https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
+- https://doc.traefik.io/traefik/contributing/submitting-issues/

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020 Traefik Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -13,7 +13,7 @@ GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/nul
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 
 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
+TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")
 
 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
@@ -29,13 +29,16 @@ TRAEFIK_ENVS := \
 	-e CI \
 	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.
 
-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
-DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
-DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
+DOCKER_NON_INTERACTIVE ?= false
+DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
 
 PRE_TARGET ?= build-dev-image
 
+PLATFORM_URL := $(if $(PLATFORM_URL),$(PLATFORM_URL),"https://pilot.traefik.io")
+
 default: binary
 
 ## Build Dev Docker image
@@ -52,7 +55,7 @@ dist:
 
 ## Build WebUI Docker image
 build-webui-image:
-	docker build -t traefik-webui -f webui/Dockerfile webui
+	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui
 
 ## Generate WebUI
 generate-webui: build-webui-image
@@ -131,7 +134,7 @@ generate-crd:
 ## Create packages for the release
 release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish
+	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish --timeout="60m"
 	$(DOCKER_RUN_TRAEFIK_NOTTY) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \

README.md

@@ -4,11 +4,11 @@
 </p>
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
+[![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
+[![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
 
@@ -33,7 +33,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:warning: Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).
 
 ## Overview
 
@@ -69,22 +69,15 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 ## Supported Backends
 
-- [Docker](https://docs.traefik.io/configuration/backends/docker) / [Swarm mode](https://docs.traefik.io/configuration/backends/docker#docker-swarm-mode)
-- [Kubernetes](https://docs.traefik.io/configuration/backends/kubernetes)
-- [Mesos](https://docs.traefik.io/configuration/backends/mesos) / [Marathon](https://docs.traefik.io/configuration/backends/marathon)
-- [Rancher](https://docs.traefik.io/configuration/backends/rancher) (API, Metadata)
-- [Azure Service Fabric](https://docs.traefik.io/configuration/backends/servicefabric)
-- [Consul Catalog](https://docs.traefik.io/configuration/backends/consulcatalog)
-- [Consul](https://docs.traefik.io/configuration/backends/consul) / [Etcd](https://docs.traefik.io/configuration/backends/etcd) / [Zookeeper](https://docs.traefik.io/configuration/backends/zookeeper) / [BoltDB](https://docs.traefik.io/configuration/backends/boltdb)
-- [Eureka](https://docs.traefik.io/configuration/backends/eureka)
-- [Amazon ECS](https://docs.traefik.io/configuration/backends/ecs)
-- [Amazon DynamoDB](https://docs.traefik.io/configuration/backends/dynamodb)
-- [File](https://docs.traefik.io/configuration/backends/file)
-- [Rest](https://docs.traefik.io/configuration/backends/rest)
+- [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
+- [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
+- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
+- [File](https://doc.traefik.io/traefik/providers/file/)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://doc.traefik.io/traefik/getting-started/quick-start/) in our documentation (you will need Docker).
 
 ## Web UI
 
@@ -94,27 +87,28 @@ You can access the simple HTML frontend of Traefik.
 
 ## Documentation
 
-You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
-A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
+You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
 
-:warning: If you're testing out v2, please ensure you are using the [v2 documentation](https://docs.traefik.io/v2.0/).
+If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).
+
+A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
 ## Support
 
 To get community support, you can:
-- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+- join the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 
-If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.
 
 ## Download
 
-- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):
 
 ```shell
 ./traefik --configFile=traefik.toml
 ```
 
-- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
@@ -123,22 +117,12 @@ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.to
 - Or get the sources:
 
 ```shell
-git clone https://github.com/containous/traefik
+git clone https://github.com/traefik/traefik
 ```
 
 ## Introductory Videos
 
-:warning: Please be aware that these videos are for v1.X. The old configurations for Traefik v1.X are NOT compatible with Traefik v2. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
-
-Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
-You will learn Traefik basics in less than 10 minutes.
-
-[![Traefik GopherCon 2017](https://img.youtube.com/vi/RgudiksfL-k/0.jpg)](https://www.youtube.com/watch?v=RgudiksfL-k)
-
-Here is a talk given by [Ed Robinson](https://github.com/errm) at [ContainerCamp UK](https://container.camp) conference.
-You will learn fundamental Traefik features and see some demos with Kubernetes.
-
-[![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
+You can find high level and deep dive videos on [videos.traefik.io](https://videos.traefik.io).
 
 ## Maintainers
 
@@ -154,23 +138,23 @@ By participating in this project, you agree to abide by its terms.
 ## Release Cycle
 
 - We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
-- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0)
-- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only)
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
 
-Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
 
-We use [Semantic Versioning](http://semver.org/)
+We use [Semantic Versioning](https://semver.org/).
 
-## Mailing lists
+## Mailing Lists
 
-- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news)
+- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news).
 - Security announcements: mail at security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
 
 ## Credits
 
-Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the logo ![logo](docs/content/assets/img/traefik.icon.png).
+Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the gopher's logo!.
 
-Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
+The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.
 
-Traefik's logo was inspired by the gopher stickers made by Takuya Ueda (https://twitter.com/tenntenn).
-The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
+The gopher's logo of Traefik was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
+The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).

build.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.13-alpine
+FROM golang:1.15-alpine
 
 RUN apk --update upgrade \
     && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,19 +19,19 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.18.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.31.0
 
-# Download golangci-lint and misspell binary to bin folder in $GOPATH
-RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell
+# Download misspell binary to bin folder in $GOPATH
+RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
 
 # Download goreleaser binary to bin folder in $GOPATH
 RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
 
-WORKDIR /go/src/github.com/containous/traefik
+WORKDIR /go/src/github.com/traefik/traefik
 
 # Download go modules
 COPY go.mod .
 COPY go.sum .
 RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
 
-COPY . /go/src/github.com/containous/traefik
+COPY . /go/src/github.com/traefik/traefik

cmd/configuration.go

@@ -3,8 +3,8 @@ package cmd
 import (
 	"time"
 
-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/types"
+	ptypes "github.com/traefik/paerser/types"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
@@ -23,7 +23,7 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			},
 			EntryPoints: make(static.EntryPoints),
 			Providers: &static.Providers{
-				ProvidersThrottleDuration: types.Duration(2 * time.Second),
+				ProvidersThrottleDuration: ptypes.Duration(2 * time.Second),
 			},
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,

cmd/context.go

@@ -7,7 +7,7 @@ import (
 	"syscall"
 )
 
-// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified
+// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified.
 func ContextWithSignal(ctx context.Context) context.Context {
 	newCtx, cancel := context.WithCancel(ctx)
 	signals := make(chan os.Signal)

cmd/healthcheck/healthcheck.go

@@ -7,15 +7,15 @@ import (
 	"os"
 	"time"
 
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // NewCmd builds a new HealthCheck command.
 func NewCmd(traefikConfiguration *static.Configuration, loaders []cli.ResourceLoader) *cli.Command {
 	return &cli.Command{
 		Name:          "healthcheck",
-		Description:   `Calls Traefik /ping to check the health of Traefik (the API must be enabled).`,
+		Description:   `Calls Traefik /ping endpoint (disabled by default) to check the health of Traefik.`,
 		Configuration: traefikConfiguration,
 		Run:           runCmd(traefikConfiguration),
 		Resources:     loaders,
@@ -45,15 +45,20 @@ func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
 	}
 }
 
-// Do try to do a healthcheck
+// Do try to do a healthcheck.
 func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 	if staticConfiguration.Ping == nil {
 		return nil, errors.New("please enable `ping` to use health check")
 	}
 
-	pingEntryPoint, ok := staticConfiguration.EntryPoints["traefik"]
+	ep := staticConfiguration.Ping.EntryPoint
+	if ep == "" {
+		ep = "traefik"
+	}
+
+	pingEntryPoint, ok := staticConfiguration.EntryPoints[ep]
 	if !ok {
-		return nil, errors.New("missing `ping` entrypoint")
+		return nil, fmt.Errorf("ping: missing %s entry point", ep)
 	}
 
 	client := &http.Client{Timeout: 5 * time.Second}
@@ -70,5 +75,5 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 
 	path := "/"
 
-	return client.Head(protocol + "://" + pingEntryPoint.Address + path + "ping")
+	return client.Head(protocol + "://" + pingEntryPoint.GetAddress() + path + "ping")
 }

cmd/traefik/plugins.go

@@ -0,0 +1,40 @@
+package main
+
+import (
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/plugins"
+)
+
+const outputDir = "./plugins-storage/"
+
+func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, *plugins.DevPlugin, error) {
+	if !isPilotEnabled(staticCfg) || !hasPlugins(staticCfg) {
+		return nil, map[string]plugins.Descriptor{}, nil, nil
+	}
+
+	opts := plugins.ClientOptions{
+		Output: outputDir,
+		Token:  staticCfg.Pilot.Token,
+	}
+
+	client, err := plugins.NewClient(opts)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	err = plugins.Setup(client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	return client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin, nil
+}
+
+func isPilotEnabled(staticCfg *static.Configuration) bool {
+	return staticCfg.Pilot != nil && staticCfg.Pilot.Token != ""
+}
+
+func hasPlugins(staticCfg *static.Configuration) bool {
+	return staticCfg.Experimental != nil &&
+		(len(staticCfg.Experimental.Plugins) > 0 || staticCfg.Experimental.DevPlugin != nil)
+}

cmd/traefik/traefik.go

@@ -3,33 +3,42 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	stdlog "log"
 	"net/http"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"
 
-	"github.com/containous/traefik/v2/autogen/genstatic"
-	"github.com/containous/traefik/v2/cmd"
-	"github.com/containous/traefik/v2/cmd/healthcheck"
-	cmdVersion "github.com/containous/traefik/v2/cmd/version"
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/collector"
-	"github.com/containous/traefik/v2/pkg/config/dynamic"
-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/log"
-	"github.com/containous/traefik/v2/pkg/provider/acme"
-	"github.com/containous/traefik/v2/pkg/provider/aggregator"
-	"github.com/containous/traefik/v2/pkg/safe"
-	"github.com/containous/traefik/v2/pkg/server"
-	"github.com/containous/traefik/v2/pkg/server/router"
-	traefiktls "github.com/containous/traefik/v2/pkg/tls"
-	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/sirupsen/logrus"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/autogen/genstatic"
+	"github.com/traefik/traefik/v2/cmd"
+	"github.com/traefik/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+	tcli "github.com/traefik/traefik/v2/pkg/cli"
+	"github.com/traefik/traefik/v2/pkg/collector"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/metrics"
+	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v2/pkg/pilot"
+	"github.com/traefik/traefik/v2/pkg/plugins"
+	"github.com/traefik/traefik/v2/pkg/provider/acme"
+	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/server"
+	"github.com/traefik/traefik/v2/pkg/server/middleware"
+	"github.com/traefik/traefik/v2/pkg/server/service"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/types"
+	"github.com/traefik/traefik/v2/pkg/version"
 	"github.com/vulcand/oxy/roundrobin"
 )
 
@@ -37,7 +46,7 @@ func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()
 
-	loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.FlagLoader{}, &cli.EnvLoader{}}
+	loaders := []cli.ResourceLoader{&tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}
 
 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -65,10 +74,10 @@ Complete documentation is available at https://traefik.io`,
 	err = cli.Execute(cmdTraefik)
 	if err != nil {
 		stdlog.Println(err)
-		os.Exit(1)
+		logrus.Exit(1)
 	}
 
-	os.Exit(0)
+	logrus.Exit(0)
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
@@ -77,7 +86,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
 	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set roundrobin default weight: %v", err)
+		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
 	}
 
 	staticConfiguration.SetEffectiveConfiguration()
@@ -105,46 +114,19 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	stats(staticConfiguration)
 
-	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
-
-	tlsManager := traefiktls.NewManager()
-
-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
-
-	serverEntryPointsTCP := make(server.TCPEntryPoints)
-	for entryPointName, config := range staticConfiguration.EntryPoints {
-		ctx := log.With(context.Background(), log.Str(log.EntryPointName, entryPointName))
-		serverEntryPointsTCP[entryPointName], err = server.NewTCPEntryPoint(ctx, config)
-		if err != nil {
-			return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
-		}
-		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProviders)
-
+	svr, err := setupServer(staticConfiguration)
+	if err != nil {
+		return err
 	}
 
-	svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)
-
-	resolverNames := map[string]struct{}{}
-
-	for _, p := range acmeProviders {
-		resolverNames[p.ResolverName] = struct{}{}
-		svr.AddListener(p.ListenConfiguration)
-	}
-
-	svr.AddListener(func(config dynamic.Configuration) {
-		for rtName, rt := range config.HTTP.Routers {
-			if rt.TLS == nil || rt.TLS.CertResolver == "" {
-				continue
-			}
-
-			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
-			}
-		}
-	})
-
 	ctx := cmd.ContextWithSignal(context.Background())
 
+	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.DevPlugin != nil {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(ctx, 30*time.Minute)
+		defer cancel()
+	}
+
 	if staticConfiguration.Ping != nil {
 		staticConfiguration.Ping.WithContext(ctx)
 	}
@@ -169,7 +151,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 			for range tick {
 				resp, errHealthCheck := healthcheck.Do(*staticConfiguration)
 				if resp != nil {
-					resp.Body.Close()
+					_ = resp.Body.Close()
 				}
 
 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
@@ -185,11 +167,157 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	svr.Wait()
 	log.WithoutContext().Info("Shutting down")
-	logrus.Exit(0)
 	return nil
 }
 
-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration
+func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
+	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
+
+	// adds internal provider
+	err := providerAggregator.AddProvider(traefik.New(*staticConfiguration))
+	if err != nil {
+		return nil, err
+	}
+
+	tlsManager := traefiktls.NewManager()
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
+
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	serverEntryPointsUDP, err := server.NewUDPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	routinesPool := safe.NewPool(ctx)
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+
+	var aviator *pilot.Pilot
+	if isPilotEnabled(staticConfiguration) {
+		pilotRegistry := metrics.RegisterPilot()
+
+		aviator = pilot.New(staticConfiguration.Pilot.Token, pilotRegistry, routinesPool)
+		routinesPool.GoCtx(func(ctx context.Context) {
+			aviator.Tick(ctx)
+		})
+
+		metricRegistries = append(metricRegistries, pilotRegistry)
+	}
+
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
+
+	client, plgs, devPlugin, err := initPlugins(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	pluginBuilder, err := plugins.NewBuilder(client, plgs, devPlugin)
+	if err != nil {
+		return nil, err
+	}
+
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder)
+
+	var defaultEntryPoints []string
+	for name, cfg := range staticConfiguration.EntryPoints {
+		protocol, err := cfg.GetProtocol()
+		if err != nil {
+			// Should never happen because Traefik should not start if protocol is invalid.
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+		}
+
+		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
+			defaultEntryPoints = append(defaultEntryPoints, name)
+		}
+	}
+
+	sort.Strings(defaultEntryPoints)
+
+	watcher := server.NewConfigurationWatcher(
+		routinesPool,
+		providerAggregator,
+		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
+		defaultEntryPoints,
+	)
+
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		ctx := context.Background()
+		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
+	})
+
+	watcher.AddListener(func(_ dynamic.Configuration) {
+		metricsRegistry.ConfigReloadsCounter().Add(1)
+		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
+	})
+
+	watcher.AddListener(switchRouter(routerFactory, acmeProviders, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
+
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
+			var eps []string
+			for key := range serverEntryPointsTCP {
+				eps = append(eps, key)
+			}
+
+			metrics.OnConfigurationUpdate(conf, eps)
+		}
+	})
+
+	resolverNames := map[string]struct{}{}
+	for _, p := range acmeProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.ListenConfiguration)
+	}
+
+	watcher.AddListener(func(config dynamic.Configuration) {
+		for rtName, rt := range config.HTTP.Routers {
+			if rt.TLS == nil || rt.TLS.CertResolver == "" {
+				continue
+			}
+
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+			}
+		}
+	})
+
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
+}
+
+func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
+	return func(conf dynamic.Configuration) {
+		rtConf := runtime.NewConfig(conf)
+
+		routers, udpRouters := routerFactory.CreateRouters(rtConf)
+
+		for entryPointName, rt := range routers {
+			for _, p := range acmeProviders {
+				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
+					rt.HTTPHandler(p.CreateHandler(rt.GetHTTPHandler()))
+					break
+				}
+			}
+		}
+
+		if aviator != nil {
+			aviator.SetRuntimeConfiguration(rtConf)
+		}
+
+		serverEntryPointsTCP.Switch(routers)
+		serverEntryPointsUDP.Switch(udpRouters)
+	}
+}
+
+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
 	challengeStore := acme.NewLocalChallengeStore()
 	localStores := map[string]*acme.LocalStore{}
@@ -209,20 +337,78 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 			}
 
 			if err := providerAggregator.AddProvider(p); err != nil {
-				log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
+				log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
 				continue
 			}
+
 			p.SetTLSManager(tlsManager)
+
 			if p.TLSChallenge != nil {
 				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
 			}
+
 			p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
 			resolvers = append(resolvers, p)
 		}
 	}
 	return resolvers
 }
 
+func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
+	if metricsConfig == nil {
+		return nil
+	}
+
+	var registries []metrics.Registry
+
+	if metricsConfig.Prometheus != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
+		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		if prometheusRegister != nil {
+			registries = append(registries, prometheusRegister)
+			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+		}
+	}
+
+	if metricsConfig.Datadog != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
+		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
+		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
+			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+	}
+
+	if metricsConfig.StatsD != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
+		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
+		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
+			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+	}
+
+	if metricsConfig.InfluxDB != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
+		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
+		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
+			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+	}
+
+	return registries
+}
+
+func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
+	if conf == nil {
+		return nil
+	}
+
+	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
+	if err != nil {
+		log.WithoutContext().Warnf("Unable to create access logger : %v", err)
+		return nil
+	}
+
+	return accessLoggerMiddleware
+}
+
 func configureLogging(staticConfiguration *static.Configuration) {
 	// configure default log flags
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
@@ -260,7 +446,7 @@ func configureLogging(staticConfiguration *static.Configuration) {
 	if len(logFile) > 0 {
 		dir := filepath.Dir(logFile)
 
-		if err := os.MkdirAll(dir, 0755); err != nil {
+		if err := os.MkdirAll(dir, 0o755); err != nil {
 			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
 		}
 
@@ -292,13 +478,13 @@ func stats(staticConfiguration *static.Configuration) {
 		logger.Info(`Stats collection is enabled.`)
 		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
 		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://docs.traefik.io/v2.0/contributing/data-collection/`)
+		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
 		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/v2.0/contributing/data-collection/
+More details on: https://doc.traefik.io/traefik/contributing/data-collection/
 `)
 	}
 }

cmd/version/version.go

@@ -7,8 +7,8 @@ import (
 	"runtime"
 	"text/template"
 
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/version"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/version"
 )
 
 var versionTemplate = `Version:      {{.Version}}
@@ -17,7 +17,7 @@ Go version:   {{.GoVersion}}
 Built:        {{.BuildTime}}
 OS/Arch:      {{.Os}}/{{.Arch}}`
 
-// NewCmd builds a new Version command
+// NewCmd builds a new Version command.
 func NewCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
@@ -33,7 +33,7 @@ func NewCmd() *cli.Command {
 	}
 }
 
-// GetPrint write Printable version
+// GetPrint write Printable version.
 func GetPrint(wr io.Writer) error {
 	tmpl, err := template.New("").Parse(versionTemplate)
 	if err != nil {

contrib/systemd/traefik.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Traefik
-Documentation=https://docs.traefik.io
+Documentation=https://doc.traefik.io/traefik/
 #After=network-online.target
 #AssertFileIsExecutable=/usr/bin/traefik
 #AssertPathExists=/etc/traefik/traefik.toml

docs/.markdownlint.json

@@ -7,5 +7,6 @@
     "MD026": false,
     "MD033": false,
     "MD034": false,
-    "MD036": false
+    "MD036": false,
+    "MD046": false
 }

docs/CNAME

@@ -1 +0,0 @@
-docs.traefik.io

docs/check.Dockerfile

@@ -1,9 +1,6 @@
 
-FROM alpine:3.9 as alpine
+FROM alpine:3.10 as alpine
 
-# The "build-dependencies" virtual package provides build tools for html-proofer installation.
-# It compile ruby-nokogiri, because alpine native version is always out of date
-# This virtual package is cleaned at the end.
 RUN apk --no-cache --no-progress add \
     libcurl \
     ruby \
@@ -11,21 +8,21 @@ RUN apk --no-cache --no-progress add \
     ruby-etc \
     ruby-ffi \
     ruby-json \
-  && apk add --no-cache --virtual build-dependencies \
-    build-base \
-    libcurl \
-    libxml2-dev \
-    libxslt-dev \
-    ruby-dev \
-  && gem install --no-document html-proofer -v 3.10.2 \
-  && apk del build-dependencies
+    ruby-nokogiri
+RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libraries
 
 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
     git \
     nodejs \
-    npm \
-  && npm install markdownlint@0.12.0 markdownlint-cli@0.13.0 --global
+    npm
+
+# To handle 'not get uid/gid'
+RUN npm config set unsafe-perm true
+
+RUN npm install --global \
+    markdownlint@0.17.2 \
+    markdownlint-cli@0.19.0
 
 # Finally the shell tools we need for later
 # tini helps to terminate properly all the parallelized tasks when sending CTRL-C

docs/content/assets/styles/content.css

@@ -0,0 +1,70 @@
+.md-container {
+  padding-top: 0;
+}
+
+.md-content h1 {
+  color: var(--dark) !important;
+  font-weight: bold !important;
+}
+
+.md-content a {
+  color: var(--blue) !important;
+}
+
+.md-content a:hover {
+  font-weight: bold !important;
+}
+
+.md-typeset p code,
+.md-typeset .codehilite,
+.md-typeset .highlight {
+  background-color: var(--light-blue) !important;
+}
+
+.md-typeset table:not([class]) th {
+  background: var(--dark) !important;
+  color: white !important;
+}
+
+/* Front page image size */
+img[src$='#small'] {
+  width: 150px;
+}
+img[src$='#medium'] {
+  width: 300px;
+}
+
+/* Center table and objects */
+.center,
+img,
+.md-typeset__table {
+  display: block !important;
+  margin: 0 auto;
+}
+
+.md-typeset table:not([class]) tr td:first-child {
+  text-align: left;
+}
+.md-typeset table:not([class]) th:not([align]),
+.md-typeset table:not([class]) td:not([align]) {
+  text-align: center;
+}
+article p:not([class]),
+article ul:not([class]),
+article ol:not([class]) {
+  padding-left: 0.8em !important;
+}
+
+/* Fix for Chrome */
+.md-typeset__table td code {
+  word-break: unset;
+}
+
+.md-typeset__table tr :nth-child(1) {
+  word-wrap: break-word;
+  max-width: 30em;
+}
+
+p {
+  text-align: justify;
+}

docs/content/assets/styles/extra.css

@@ -1,63 +0,0 @@
-@import url('https://fonts.googleapis.com/css?family=Noto+Sans|Noto+Serif');
-
-.md-logo img {
-    background-color: white;
-    border-radius: 50%;
-    width: 30px;
-    height: 30px;
-}
-
-/* Fix for Chrome */
-.md-typeset__table td code {
-    word-break: unset;
-}
-
-.md-typeset__table tr :nth-child(1) {
-    word-wrap: break-word;
-    max-width: 30em;
-}
-
-body {
-    font-family: 'Noto Sans', sans-serif;
-}
-
-h1 {
-    font-weight: bold !important;
-    color: rgba(0,0,0,.9) !important;
-}
-
-h2 {
-    font-weight: bold !important;
-}
-
-h3 {
-    font-weight: bold !important;
-}
-
-.md-typeset h5 {
-    text-transform: none;
-}
-
-figcaption {
-    text-align: center;
-    font-size: 0.8em;
-    font-style: italic;
-    color: #8D909F;
-}
-
-p.subtitle {
-    color: rgba(0,0,0,.54);
-    padding-top: 0;
-    margin-top: -2em;
-    font-weight: bold;
-    font-size: 1.25em;
-}
-
-.markdown-body .task-list-item {
-    list-style-type: none !important;
-}
-
-.markdown-body .task-list-item input[type="checkbox"] {
-    margin: 0 4px 0.25em -20px;
-    vertical-align: middle;
-}

docs/content/assets/styles/footer.css

@@ -0,0 +1,10 @@
+.md-footer-meta {
+  background-color: var(--dark);
+}
+
+.md-footer-privacy-policy {
+  margin: 0 .6rem;
+  padding: .4rem 0;
+  color: hsla(0,0%,100%,.3);
+  font-size: .64rem;
+}

docs/content/assets/styles/header.css

@@ -0,0 +1,484 @@
+@import url('https://fonts.googleapis.com/css?family=Rubik:300i,400,400i,500,500i,700&display=swap');
+
+.wrapper-1200 {
+  width: 100%;
+  max-width: 61rem;
+  margin: 0 auto;
+  padding: 0 .6rem;
+}
+
+@media (max-width: 700px) {
+  .wrapper-1200 {
+    padding: 0 20px;
+  }
+}
+
+.btn-type-1 {
+  outline: none;
+  border: none;
+  background-color: #1e54d5;
+  line-height: 1em;
+  border-radius: 8px;
+  padding: 12px 15px;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  font-size: 1.25rem;
+  background-image: linear-gradient(to top, rgba(0, 0, 0, 0.28) 1%, #1e54d5 99%);
+  font-weight: 500;
+  text-align: center;
+  color: white;
+  transition: all 0.2s;
+}
+
+.button--secondary {
+  outline: none;
+  border: 2px solid #1e54d5 !important;
+  background: transparent;
+  line-height: 1em;
+  border-radius: 8px;
+  padding: 9px 13px;
+  letter-spacing: 0;
+  font-size: 1.3rem;
+  font-weight: 500;
+  text-align: center;
+  color: #1e54d5;
+  transition: all 0.2s;
+  display: inline-block;
+}
+.button--secondary:hover {
+  color: white !important;
+  background: #1e54d5;
+}
+.button--secondary:focus {
+  color: white !important;
+  background: #1e54d5;
+}
+
+.site-header-and-placeholder-wrapper {
+  position: relative;
+  height: 64px;
+}
+
+.site-header {
+  position: fixed;
+  width: 100%;
+  top: 0;
+  left: 0;
+  transition: height 0.1s;
+  z-index: 100;
+  background: white;
+  box-shadow: 0 0 7px 0 #00000021;
+  border-bottom: 1px solid #e2e2e2;
+  height: 64px;
+  display: flex;
+  align-items: center;
+  font-size: 10px;
+  font-family: 'Rubik', -apple-system, 'BlinkMacSystemFont', 'Segoe UI',
+    'Helvetica Neue', sans-serif;
+  color: #06102a;
+  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
+}
+
+.site-header.scrolled {
+  box-shadow: 0 0 5px 0 #00000028;
+  position: fixed;
+  top: 0;
+  height: 52px;
+}
+.site-header.scrolled .site-header__title a {
+  font-size: 2.2em;
+}
+
+.header-placeholder {
+  background: none;
+  width: 100%;
+  height: 64px;
+  position: absolute;
+}
+.header-placeholder.active {
+  display: block;
+}
+
+.site-header .wrapper-1200 {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+}
+.site-header .wrapper-1200 .left {
+  display: flex;
+  align-items: center;
+  justify-content: flex-start;
+}
+
+.site-header__logo {
+  max-width: 145px;
+}
+
+.site-header__title a {
+  color: #06102a;
+  font-size: 2.2em;
+  font-weight: 500;
+  transition: all 0.2s;
+  text-transform: uppercase;
+  letter-spacing: 0.02em;
+}
+
+/* Navigation */
+.site-header__nav .menu-item-wrapper {
+  display: inline-block;
+  padding-left: 30px;
+}
+.site-header__nav .menu-item {
+  color: #06102a;
+  transition: all 0.05s;
+  font-size: 1.45em;
+  line-height: 1em;
+  font-weight: 500;
+}
+.site-header__nav .menu-item:hover {
+  color: #8a959e;
+}
+.site-header__nav .menu-item--with-icon {
+  display: flex;
+  align-items: center;
+  justify-content: flex-start;
+}
+.site-header__nav .menu-item--with-icon .title {
+  margin-right: 3px;
+}
+.site-header__nav .menu-item--with-icon .icon {
+  width: 20px;
+  height: 20px;
+  transition: all 0.1s;
+}
+.site-header__nav .menu-item--with-icon .icon svg {
+  stroke-width: 2.5 !important;
+  width: 100%;
+  height: 100%;
+}
+.site-header__nav .menu-item-wrapper--dropdown {
+  position: relative;
+}
+.site-header__nav .menu-item-wrapper--dropdown:hover .nav-dropdown-menu {
+  display: block;
+}
+.site-header__nav .nav-dropdown-menu {
+  display: none;
+}
+
+.nav-dropdown-menu {
+  position: absolute;
+  z-index: 500;
+  background: transparent;
+}
+
+.nav-dropdown-menu-wrapper {
+  border-radius: 8px;
+  box-shadow: 0 12px 40px 0 rgba(1, 10, 32, 0.24);
+  background: white;
+  margin: 8px 0;
+  overflow: hidden;
+}
+
+/* Products, Solutions dropdown menu */
+.nav-dropdown-menu--products,
+.nav-dropdown-menu--solutions {
+  width: 500px;
+}
+.nav-dropdown-menu--products .nav-dropdown-menu-wrapper,
+.nav-dropdown-menu--solutions .nav-dropdown-menu-wrapper {
+  padding: 20px;
+}
+.nav-dropdown-menu--products .nav-dropdown-menu-wrapper {
+  height: 430px;
+}
+
+.nav-dropdown-menu--products .dm-header,
+.nav-dropdown-menu--solutions .dm-header {
+  font-size: 1.1em;
+  font-weight: 500;
+  font-stretch: normal;
+  font-style: normal;
+  line-height: normal;
+  letter-spacing: 3.67px;
+  color: #505769;
+  margin-bottom: 20px;
+  text-transform: uppercase;
+}
+.nav-dropdown-menu--products .dm-item,
+.nav-dropdown-menu--solutions .dm-item {
+  border: none;
+  margin: 0 0 24px;
+  color: #06102a;
+  transition: all 0.1s;
+  position: relative;
+  width: 100%;
+}
+.nav-dropdown-menu--products .dm-item:last-child,
+.nav-dropdown-menu--solutions .dm-item:last-child {
+  margin-bottom: 0;
+}
+.nav-dropdown-menu--products .dm-item .dmi-image {
+  width: 104px;
+  height: 72px;
+  position: absolute;
+  /*background: #f4f4f4;*/
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 20px;
+  border-radius: 4px;
+  z-index: 0;
+}
+
+.nav-dropdown-menu--solutions .dm-item .dmi-image {
+  width: 65px;
+  padding: 10px;
+  background: white;
+  height: auto;
+  position: absolute;
+  z-index: 0;
+}
+
+.nav-dropdown-menu--solutions .dm-item .dmi-image img {
+  width: 100%;
+}
+.nav-dropdown-menu--products .dm-item .dmi-details,
+.nav-dropdown-menu--solutions .dm-item .dmi-details {
+  padding: 6px 0 0 127px;
+  width: 100%;
+  background: transparent;
+  display: block;
+  color: #06102a;
+  position: relative;
+  z-index: 1;
+}
+.nav-dropdown-menu--products .dm-item .dmi-details:hover,
+.nav-dropdown-menu--solutions .dm-item .dmi-details:hover {
+  color: #1e54d5;
+}
+.nav-dropdown-menu--products .dm-item .dmi-title,
+.nav-dropdown-menu--solutions .dm-item .dmi-title {
+  font-size: 1.6em;
+  font-weight: 500;
+  margin: 0 0 2px;
+}
+.nav-dropdown-menu--products .dm-item .dmi-description,
+.nav-dropdown-menu--solutions .dm-item .dmi-description {
+  font-size: 1.4em;
+  opacity: 0.7;
+  line-height: 1.6em;
+}
+.nav-dropdown-menu--products .dm-item--traefikee .dmi-image img,
+.nav-dropdown-menu--solutions .dm-item--traefikee .dmi-image img {
+  transform: scale(1.1);
+}
+
+.nav-dropdown-menu--solutions .dm-item .dmi-details {
+  padding: 5px 0 0 80px;
+}
+.nav-dropdown-menu--solutions .dm-item:last-child {
+  margin-bottom: 10px;
+}
+
+/* Dropdown menu: Learn and Company */
+.nav-dropdown-menu--learn {
+  width: 250px;
+}
+.nav-dropdown-menu--company {
+  width: 500px;
+}
+.nav-dropdown-menu--company .nav-dropdown-menu-wrapper {
+  display: grid;
+  grid-template-columns: 50% 50%;
+}
+.nav-dropdown-menu--learn .dm-left,
+.nav-dropdown-menu--company .dm-left {
+  padding: 25px;
+}
+.nav-dropdown-menu--learn .dm-header,
+.nav-dropdown-menu--company .dm-header {
+  font-size: 1.1em;
+  font-weight: 500;
+  font-stretch: normal;
+  font-style: normal;
+  line-height: normal;
+  letter-spacing: 3.67px;
+  color: #505769;
+  margin-bottom: 20px;
+  text-transform: uppercase;
+}
+.nav-dropdown-menu--learn .dm-item,
+.nav-dropdown-menu--company .dm-item {
+  display: block;
+  font-size: 1.6em;
+  font-weight: 500;
+  color: #06102a;
+  margin-bottom: 15px;
+}
+.nav-dropdown-menu--learn .dm-item:last-child,
+.nav-dropdown-menu--company .dm-item:last-child {
+  margin-bottom: 0;
+}
+.nav-dropdown-menu--learn .dm-item:hover,
+.nav-dropdown-menu--company .dm-item:hover {
+  color: #1e54d5;
+}
+
+.dm-preview {
+  background: #edeff4;
+  overflow: hidden;
+  height: 100%;
+  display: flex;
+  flex-direction: column;
+}
+
+.dm-preview__feature-image {
+  overflow: hidden;
+  display: block;
+}
+
+.dm-preview__feature-image img {
+  width: 100%;
+  height: 145px;
+  background: #ffffff no-repeat 50%;
+  object-fit: cover;
+  vertical-align: middle;
+}
+
+.dm-preview__content {
+  padding: 15px;
+  display: flex;
+  justify-content: flex-start;
+  align-items: flex-start;
+  flex-direction: column;
+  flex: 1;
+  position: relative;
+}
+
+.dm-preview__tag {
+  display: block;
+  font-size: 1.2em;
+  color: #db7d11;
+  letter-spacing: 2.5px;
+  font-weight: 500;
+  margin: 0 0;
+  text-transform: uppercase;
+}
+
+.dm-preview__title {
+  font-size: 1.6em;
+  font-weight: 500;
+  line-height: 1.6em;
+  margin: 0;
+  color: #06102a;
+  display: block;
+  flex: 1;
+  position: relative;
+  z-index: 1;
+  padding-bottom: 20px;
+}
+
+.dm-preview .arrow-link {
+  justify-content: flex-start;
+  font-size: 1.4em;
+  position: absolute;
+  bottom: 12px;
+  z-index: 0;
+}
+
+/* Dropdown menu: Company */
+.nav-dropdown-menu--company {
+  width: 450px;
+}
+
+.nav-dropdown-menu--company .dm-right {
+  background: #06102a;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  flex-direction: column;
+  color: white;
+  padding: 20px;
+}
+.nav-dropdown-menu--company .dm-right p {
+  font-size: 1.6em;
+  font-weight: 500;
+  margin: 0 0 15px;
+  text-align: center;
+}
+.nav-dropdown-menu--company .dm-right a {
+  text-transform: uppercase;
+  line-height: 1.5em;
+  padding: 9px 12px;
+  font-size: 1.2em;
+}
+
+/* Demo */
+.site-header__demo-button .button--secondary {
+  font-size: 1.4em;
+  padding: 8px 12px;
+  border-radius: 6px;
+}
+
+/* Drawer */
+.site-header .drawer {
+  display: none;
+}
+
+@media (max-width: 1219px) {
+  .site-header__nav .menu-item-wrapper {
+    padding-left: 20px;
+  }
+}
+@media (max-width: 980px) {
+  .site-header__nav {
+    display: none;
+  }
+
+  .site-header .drawer {
+    display: block;
+  }
+
+  .site-header .right .site-header__demo-button {
+    display: none;
+  }
+
+  html [data-md-color-primary=indigo] .md-nav--primary .md-nav__title--site {
+    background-color: #06102a;
+  }
+
+  html .md-nav--primary .md-nav__title {
+    padding: 64px .8rem .2rem;
+  }
+
+  .md-search__inner {
+    top: 64px;
+    right: 0;
+  }
+}
+
+.md-header .md-search {
+  margin-right: 12.1rem;
+}
+
+.site-header__main {
+  display: flex;
+  align-items: center;
+}
+
+.dmi-image.proxy {
+  background-color: #24a1c1;
+}
+
+.dmi-image.mesh {
+  background-color: #9d0fb0;
+}
+
+.dmi-image.enterprise {
+  background-color: #0060e0;
+}
+
+.dmi-image.pilot {
+  background-color: #db7d11;
+}

docs/content/assets/styles/menu.css

@@ -0,0 +1,101 @@
+.md-nav__link {
+  margin-left: -0.4rem;
+  padding: 0 0.4rem;
+  line-height: 32px;
+  color: var(--dark) !important;
+}
+
+.md-nav__link::after {
+  font-size: 16px;
+  vertical-align: -.25em;
+}
+
+.md-nav__toggle:checked + .md-nav__link,
+.md-nav__link--active,
+.md-nav__link:hover {
+  border-radius: 8px;
+  background-color: var(--light-blue) !important;
+  color: var(--dark) !important;
+  transition: background-color 0.3s ease;
+}
+
+.md-nav__link--active {
+  color: var(--blue) !important;
+  font-weight: bold;
+}
+
+.md-sidebar--primary {
+  background-color: white;
+}
+
+.md-sidebar--secondary .md-nav__title {
+  font-size: 12px;
+  text-transform: uppercase;
+  margin-bottom: 0.4rem;
+  padding: 0;
+}
+
+.md-sidebar--secondary .md-sidebar__scrollwrap {
+  border-radius: 8px;
+  background-color: var(--light-blue) !important;
+}
+
+.md-sidebar--secondary .md-nav__title {
+  padding: 0.8rem 0.4rem 0.8rem;
+}
+
+.md-sidebar--secondary .md-nav__list {
+  padding: 0 0.4rem 0.8rem 1.2rem;
+}
+
+.md-sidebar--secondary .md-sidebar__scrollwrap .md-nav__link {
+  font-weight: 300;
+}
+
+.md-sidebar--secondary
+  .md-sidebar__scrollwrap
+  .md-nav__link[data-md-state='blur'],
+.md-sidebar--secondary .md-sidebar__scrollwrap .md-nav__link:hover {
+  color: var(--blue) !important;
+  font-weight: bold;
+}
+
+.md-sidebar--secondary .md-nav__item {
+  padding: 0 0 0 0.4rem;
+}
+
+.md-sidebar--secondary .md-nav__link {
+  margin-top: 0.225em;
+  padding: 0.1rem 0.2rem;
+}
+
+.md-sidebar--secondary li {
+  list-style-type: disc;
+}
+
+.md-sidebar--secondary .repo_url {
+  padding: 10px 0 14px 0;
+}
+
+
+.md-search__inner {
+  width: inherit;
+  float: inherit;
+}
+
+.md-search__input {
+  margin-bottom: 10px;
+  border-radius: 4px; 
+  background-color: inherit;
+  border: 1px solid rgba(0,0,0,.07);
+}
+
+.md-search__input::placeholder {
+  color: rgba(0,0,0,.07);
+}
+
+@media only screen and (min-width: 60em) {
+  [data-md-toggle=search]:checked~.md-header .md-search__inner {
+    margin-top: 100px;
+  }
+}

docs/content/assets/styles/product-switcher.css

@@ -0,0 +1,24 @@
+.product-switcher {
+  font-size: 10px;
+  font-family: 'Rubik', -apple-system, 'BlinkMacSystemFont', 'Segoe UI',
+    'Helvetica Neue', sans-serif;
+  color: #06102a;
+  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
+}
+
+.product-switcher .menu-item-wrapper {
+  padding-left: 15px;
+}
+
+.product-switcher img {
+  margin-right: 10px;
+}
+
+.product-switcher img.gopher {
+  margin: 0 2px 0 16px;
+}
+
+.product-switcher .nav-dropdown-menu--products .nav-dropdown-menu-wrapper {
+  width: auto;
+  height: 335px;
+}

docs/content/assets/styles/root.css

@@ -0,0 +1,10 @@
+:root {
+  --dark: #06102a;
+  --blue: #04B5D1;
+  --light-blue: #E4F7FA;
+
+  --input-bg-color: white;
+  --input-color: black;
+  --input-placeholder-color: #bbb;
+  --input-border-color: #dcdcdc;
+}

docs/content/contributing/advocating.md

@@ -5,6 +5,6 @@ Spread the Love & Tell Us about It
 
 There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.
 
-If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
+If you're talking about Traefik, [let us know](https://blog.traefik.io/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
 
-Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/containous/traefik/wiki/Awesome-Traefik).
+Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/traefik/traefik/wiki/Awesome-Traefik).

docs/content/contributing/building-testing.md

@@ -16,6 +16,8 @@ For changes to its dependencies, the `dep` dependency management tool is require
 Run make with the `binary` target.
 This will create binaries for the Linux platform in the `dist` folder.
 
+In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
+
 ```bash
 $ make binary
 docker build -t traefik-webui -f webui/Dockerfile webui
@@ -28,12 +30,12 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.13-alpine
+Step 1/10 : FROM golang:1.14-alpine
  ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
 Successfully tagged traefik-dev:4475--feature-documentation
-docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
+docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/traefik/traefik/"dist":/go/src/github.com/traefik/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
 ---> Making bundle: generate (in .)
 removed 'autogen/genstatic/gen.go'
 
@@ -60,12 +62,13 @@ PRE_TARGET= make test-unit
 
 Requirements:
 
-- `go` v1.13+
+- `go` v1.14+
 - environment variable `GO111MODULE=on`
+- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 
 !!! tip "Source Directory"
 
-    It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
+    It is recommended that you clone Traefik into the `~/go/src/github.com/traefik/traefik` directory.
     This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.
 
 !!! note "Environment"
@@ -97,29 +100,31 @@ Requirements:
 #### Build Traefik
 
 Once you've set up your go environment and cloned the source repository, you can build Traefik.
-Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
+
+Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
 
 ```bash
-cd ~/go/src/github.com/containous/traefik
+cd ~/go/src/github.com/traefik/traefik
 
 # Get go-bindata. (Important: the ellipses are required.)
 GO111MODULE=off go get github.com/containous/go-bindata/...
+```
 
-# Let's build
+```bash
+# Generate UI static files
+rm -rf static/ autogen/; make generate-webui
 
-# generate
-# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
+# required to merge non-code components into the final binary,
+# such as the web dashboard/UI
 go generate
+```
 
+```bash
 # Standard go build
 go build ./cmd/traefik
 ```
 
-You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
-
-### Updating the templates
-
-If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
+You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/traefik/traefik` directory.
 
 ## Testing
 
@@ -133,13 +138,13 @@ Run all tests (unit and integration) using the `test` target.
 $ make test-unit
 docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
 # […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/traefik/traefik/dist:/go/src/github.com/traefik/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
 ---> Making bundle: generate (in .)
 removed 'gen.go'
 
 ---> Making bundle: test-unit (in .)
 + go test -cover -coverprofile=cover.out .
-ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
+ok      github.com/traefik/traefik   0.005s  coverage: 4.1% of statements
 
 Test success
 ```
@@ -167,7 +172,7 @@ More: https://labix.org/gocheck
 Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:
 
 ```test
-ok      _/home/user/go/src/github/containous/traefik    0.004s
+ok      _/home/user/go/src/github/traefik/traefik    0.004s
 ```
 
 Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.

docs/content/contributing/data-collection.md

@@ -29,7 +29,7 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
 
 ## Collected Data
 
-This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
+This feature comes from the public proposal [here](https://github.com/traefik/traefik/issues/2369).
 
 In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
@@ -42,57 +42,54 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 - a hash of the configuration
 - an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
 
-!!! note
-    We do not collect the dynamic configuration information (routers & services).
-    We do not collect these data to run advertising programs.
-    We do not sell these data to third-parties.
+!!! info
+    
+    - We do not collect the dynamic configuration information (routers & services).
+    - We do not collect this data to run advertising programs.
+    - We do not sell this data to third-parties.
 
 ### Example of Collected Data
 
-??? example "Original configuration"
+```toml tab="Original configuration"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
 
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-         address = ":80"
-    
-    [api]
-    
-    [providers.docker]
-      endpoint = "tcp://10.10.10.10:2375"
-      exposedByDefault = true
-      swarmMode = true
-    
-      [providers.docker.TLS]
-        ca = "dockerCA"
-        cert = "dockerCert"
-        key = "dockerKey"
-        insecureSkipVerify = true
-    ```
+[api]
 
-??? example "Resulting Obfuscated Configuration"
+[providers.docker]
+  endpoint = "tcp://10.10.10.10:2375"
+  exposedByDefault = true
+  swarmMode = true
 
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-    [api]
-    
-    [providers.docker]
-      endpoint = "xxxx"
-      exposedByDefault = true
-      swarmMode = true
-    
-      [providers.docker.TLS]
-        ca = "xxxx"
-        cert = "xxxx"
-        key = "xxxx"
-        insecureSkipVerify = false
-    ```
+  [providers.docker.TLS]
+    ca = "dockerCA"
+    cert = "dockerCert"
+    key = "dockerKey"
+    insecureSkipVerify = true
+```
+
+```toml tab="Resulting Obfuscated Configuration"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+
+[api]
+
+[providers.docker]
+  endpoint = "xxxx"
+  exposedByDefault = true
+  swarmMode = true
+
+  [providers.docker.TLS]
+    ca = "xxxx"
+    cert = "xxxx"
+    key = "xxxx"
+    insecureSkipVerify = true
+```
 
 ## The Code for Data Collection
 
-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/pkg/collector/collector.go)
+If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
 
 By default we anonymize all configuration fields, except fields tagged with `export=true`.

docs/content/contributing/documentation.md

@@ -10,7 +10,7 @@ Let's see how.
 
 ### General
 
-This [documentation](https://docs.traefik.io/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).
 
 ### Method 1: `Docker` and `make`
 
@@ -20,7 +20,7 @@ You can build the documentation and test it locally (with live reloading), using
 $ make docs
 docker build -t traefik-docs -f docs.Dockerfile .
 # […]
-docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
+docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
 # […]
 [I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
 [I 170828 20:47:48 handlers:60] Start watching changes
@@ -75,7 +75,7 @@ To check that the documentation meets standard expectations (no dead links, html
 $ make docs-verify
 docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
 ...
-docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
+docker run --rm -v /home/travis/build/traefik/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
 === Checking HTML content...
 Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
 ```

docs/content/contributing/maintainers.md

@@ -15,12 +15,12 @@
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
-* Damien Duportal [@dduportal](https://github.com/dduportal)
 * Mathieu Lonjaret [@mpl](https://github.com/mpl)
+* Romain Tribotté [@rtribotte](https://github.com/rtribotte)
 
 ## Contributions Daily Meeting
 
-* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/containous/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
+* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/traefik/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
 * Every pull request should be checked during the Contributions Daily Meeting
     * Even if it’s already assigned
     * Even PR labelled with `contributor/waiting-for-corrections` or `contributor/waiting-for-feedback`
@@ -43,7 +43,7 @@ We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
 
 ## Bots
 
-### [Myrmica Lobicornis](https://github.com/containous/lobicornis/)
+### [Myrmica Lobicornis](https://github.com/traefik/lobicornis/)
 
 Update and Merge Pull Request.
 
@@ -67,12 +67,12 @@ This label is used when:
 * Merging branches into the master
 * Preparing the release
 
-### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)
+### [Myrmica Bibikoffi](https://github.com/traefik/bibikoffi/)
 
 * closes stale issues [cron]
     * use some criterion as number of days between creation, last update, labels, ...
 
-### [Myrmica Aloba](https://github.com/containous/aloba)
+### [Myrmica Aloba](https://github.com/traefik/aloba)
 
 Manage GitHub labels.
 

docs/content/contributing/submitting-issues.md

@@ -3,7 +3,7 @@
 Help Us Help You!
 {: .subtitle }
 
-We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik. 
+We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik. 
 
 The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
 To save us some time and get quicker feedback, be sure to follow the guide lines below.
@@ -14,7 +14,7 @@ To save us some time and get quicker feedback, be sure to follow the guide lines
 
     For end-user related support questions, try using first:
 
-    - the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+    - the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 
 ## Issue Title
 
@@ -22,7 +22,7 @@ The title must be short and descriptive. (~60 characters)
 
 ## Description
 
-Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
+Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
 
 Explain us in which conditions you encountered the issue, what is your context.
 

docs/content/contributing/submitting-pull-requests.md

@@ -3,11 +3,11 @@
 A Quick Guide for Efficient Contributions
 {: .subtitle }
 
-So you've decide to improve Traefik? 
+So you've decided to improve Traefik? 
 Thank You! 
 Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
 
-Let's go though the classic pitfalls to make sure everything is right. 
+Let's go through the classic pitfalls to make sure everything is right. 
 
 ## Title
 
@@ -15,7 +15,7 @@ The title must be short and descriptive. (~60 characters)
 
 ## Description
 
-Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
+Follow the [pull request template](https://github.com/traefik/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
 
 Explain the conditions which led you to write this PR: give us context.
 The context should lead to something, an idea or a problem that you’re facing.
@@ -36,7 +36,7 @@ Help the readers focus on what matters, and help them understand the structure o
 - Add tests.
 - Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
 
-!!! note "third-party dependencies"
+!!! note "Third-Party Dependencies"
 
     If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
 

docs/content/contributing/submitting-security-issues.md

@@ -0,0 +1,16 @@
+# Security
+
+## Security Advisories
+
+We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+## CVE
+
+Reported vulnerabilities can be found on 
+[cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Report a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).

docs/content/contributing/thank-you.md

@@ -3,8 +3,8 @@
 _You_ Made It
 {: .subtitle}
 
-Traefik truly is an [open-source project](https://github.com/containous/traefik/),
-and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this),
+Traefik truly is an [open-source project](https://github.com/traefik/traefik/),
+and wouldn't have become what it is today without the help of our [many contributors](https://github.com/traefik/traefik/graphs/contributors) (at the time of writing this),
 not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
 
 So once again, thank you for your invaluable help on making Traefik such a good product.

docs/content/getting-started/concepts.md

@@ -23,11 +23,11 @@ The opposite is true: when you remove a service from your infrastructure, the ro
 
 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
 
-!!! note "Many different rules"
+!!! info "Many different rules"
 
     In the example above, we used the request [path](../routing/routers/index.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers/index.md#rule).
 
-!!! note "Updating the requests"
+!!! info "Updating the requests"
 
     In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
 

docs/content/getting-started/configuration-overview.md

@@ -16,28 +16,30 @@ The _dynamic configuration_ contains everything that defines how the requests ar
 This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.    
 
 !!! warning "Incompatible Configuration"
-    Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now.
-    If you're testing out v2, please ensure you are using a v2 configuration.
+    Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now.
+    If you are running v2, please ensure you are using a v2 configuration.
 
 ## The Dynamic Configuration 
 
-Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
+Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.
 
-!!! Note 
+Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../routing/overview.md).
+
+!!! info ""
 
     In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
     
-!!! Note
+!!! info "HTTPS Certificates also belong to the dynamic configuration."
     
-    HTTPS Certificates also belong to the dynamic configuration. You can add / update / remove them without restarting your Traefik instance. 
+    You can add / update / remove them without restarting your Traefik instance. 
  
 ## The Static Configuration
 
-There are three different, mutually exclusive, ways to define static configuration options in Traefik:
+There are three different, **mutually exclusive** (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:
 
-- In a configuration file
-- In the command-line arguments
-- As environment variables
+1. In a configuration file
+1. In the command-line arguments
+1. As environment variables
 
 These ways are evaluated in the order listed above.
 
@@ -72,7 +74,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:2.0 --help
+# ex: docker run traefik:2.1 --help
 ```
 
 All available arguments can also be found [here](../reference/static-configuration/cli.md).

docs/content/getting-started/install-traefik.md

@@ -3,16 +3,20 @@
 You can install Traefik with the following flavors:
 
 * [Use the official Docker image](./#use-the-official-docker-image)
+* [Use the Helm Chart](./#use-the-helm-chart)
 * [Use the binary distribution](./#use-the-binary-distribution)
 * [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
 
 ## Use the Official Docker Image
 
-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-```shell
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.3/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.3/traefik.sample.yml)
+
+```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.3
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -20,15 +24,116 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.0.0`
-    * Docker images comes in 2 flavors: scratch based or alpine based.
-    * All the orchestrator using docker images could fetch the official Traefik docker image.
+    ex: `traefik:v2.1.4`
+    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
+    * Any orchestrator using docker images can fetch the official Traefik docker image.
+
+## Use the Helm Chart
+
+!!! warning
+    
+    The Traefik Chart from 
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
+
+Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.
+
+Ensure that the following requirements are met:
+
+* Kubernetes 1.14+
+* Helm version 3.x is [installed](https://helm.sh/docs/intro/install/)
+
+Add Traefik's chart repository to Helm:
+
+```bash
+helm repo add traefik https://helm.traefik.io/traefik
+```
+
+You can update the chart repository by running:
+
+```bash
+helm repo update
+```
+
+And install it with the `helm` command line:
+
+```bash
+helm install traefik traefik/traefik
+```
+
+!!! tip "Helm Features"
+    
+    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
+    For instance, installing the chart in a dedicated namespace:
+
+    ```bash tab="Install in a Dedicated Namespace"
+    kubectl create ns traefik-v2
+    # Install in the namespace "traefik-v2"
+    helm install --namespace=traefik-v2 \
+        traefik traefik/traefik
+    ```
+
+??? example "Installing with Custom Values"
+    
+    You can customize the installation by specifying custom values,
+    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
+    {: #helm-custom-values }
+    
+    The values are not (yet) documented, but are self-explanatory:
+    you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+    
+    You can also set Traefik command line flags using `additionalArguments`.
+    Example of installation with logging set to `DEBUG`:
+    
+    ```bash tab="Using Helm CLI"
+    helm install --namespace=traefik-v2 \
+        --set="additionalArguments={--log.level=DEBUG}" \
+        traefik traefik/traefik
+    ```
+    
+    ```yml tab="With a custom values file"
+    # File custom-values.yml
+    ## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
+    additionalArguments:
+      - "--log.level=DEBUG"
+    ```
+    
+### Exposing the Traefik dashboard
+
+This HelmChart does not expose the Traefik dashboard by default, for security concerns.
+Thus, there are multiple ways to expose the dashboard.
+For instance, the dashboard access could be achieved through a port-forward :
+
+```shell
+kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
+```
+
+Accessible with the url: http://127.0.0.1:9000/dashboard/
+
+Another way would be to apply your own configuration, for instance,
+by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
+
+```yaml
+# dashboard.yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: dashboard
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+```
 
 ## Use the Binary Distribution
 
-Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
+Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.
 
-??? tip "Check the integrity of the downloaded file"
+??? info "Check the integrity of the downloaded file"
 
     ```bash tab="Linux"
     # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
@@ -45,7 +150,7 @@ Grab the latest binary from the [releases](https://github.com/containous/traefik
     Get-FileHash ./traefik_${traefik_version}_windows_${arch}.zip -Algorithm SHA256
     ```
 
-??? tip "Extract the downloaded archive"
+??? info "Extract the downloaded archive"
 
     ```bash tab="Linux"
     tar -zxvf traefik_${traefik_version}_linux_${arch}.tar.gz

docs/content/getting-started/quick-start.md

@@ -14,8 +14,8 @@ version: '3'
 
 services:
   reverse-proxy:
-    # The official v2.0 Traefik docker image
-    image: traefik:v2.0
+    # The official v2 Traefik docker image
+    image: traefik:v2.3
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:
@@ -48,7 +48,7 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
 # ...
   whoami:
     # A container that exposes an API to show its IP address
-    image: containous/whoami
+    image: traefik/whoami
     labels:
       - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```

docs/content/glossary.md

@@ -12,7 +12,7 @@ Where Every Technical Word finds its Definition`
 - [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
 - [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
 - [ ] ACME
-- [ ] TraefikEE
+- [ ] Traefik Enterprise
 - [ ] Tracing
 - [ ] Metrics
 - [ ] Orchestrator

docs/content/https/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+    "extends": "../../.markdownlint.json",
+    "MD041": false
+}

docs/content/https/acme.md

@@ -8,53 +8,22 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 !!! warning "Let's Encrypt and Rate Limiting"
     Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
 
-## Configuration Examples
+    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
+    when experimenting to avoid hitting this limit too fast.
+    
+## Certificate Resolvers
 
-??? example "Enabling ACME"
-    
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-      [entryPoints.web-secure]
-        address = ":443"
-    
-    [certificatesResolvers.sample.acme]
-      email = "your-email@your-domain.org"
-      storage = "acme.json"
-      [acme.httpChallenge]
-        # used during the challenge
-        entryPoint = "web"
-    ```
-    
-    ```yaml tab="File (YAML)"
-    entryPoints:
-      web:
-        address: ":80"
-    
-      web-secure:
-        address: ":443"
-    
-    certificatesResolvers:
-      sample:
-        acme:
-          email: your-email@your-domain.org
-          storage: acme.json
-          httpChallenge:
-            # used during the challenge
-            entryPoint: web
-    ```
-    
-    ```bash tab="CLI"
-    --entryPoints.web.address=":80"
-    --entryPoints.websecure.address=":443"
-    # ...
-    --certificatesResolvers.sample.acme.email="your-email@your-domain.org"
-    --certificatesResolvers.sample.acme.storage="acme.json"
-    # used during the challenge
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
-    ```
+Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
+which are responsible for retrieving certificates from an ACME server.
+
+Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
+and is associated to a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).
+
+Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).
+
+You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
+
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
 ??? note "Configuration Reference"
     
@@ -73,17 +42,120 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
     --8<-- "content/https/ref-acme.txt"
     ```
 
+## Domain Definition
+
+Certificate resolvers request certificates for a set of the domain names 
+inferred from routers, with the following logic:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
+
+- If no [`tls.domains`](../routing/routers/index.md#domains) option is set, 
+  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule), 
+  by checking the `Host()` matchers. 
+  Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
+
+Please note that:
+
+- When multiple domain names are inferred from a given router,
+  only **one** certificate is requested with the first domain name as the main domain,
+  and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
+
+- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
+  any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.
+
+Please check the [configuration examples below](#configuration-examples) for more details.
+
+## Configuration Examples
+
+??? example "Enabling ACME"
+    
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+    
+      [entryPoints.websecure]
+        address = ":443"
+    
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@example.com"
+      storage = "acme.json"
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        # used during the challenge
+        entryPoint = "web"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+    
+      websecure:
+        address: ":443"
+    
+    certificatesResolvers:
+      myresolver:
+        acme:
+          email: your-email@example.com
+          storage: acme.json
+          httpChallenge:
+            # used during the challenge
+            entryPoint: web
+    ```
+    
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    # ...
+    --certificatesresolvers.myresolver.acme.email=your-email@example.com
+    --certificatesresolvers.myresolver.acme.storage=acme.json
+    # used during the challenge
+    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
+    ```
+
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+??? example "Single Domain from Router's Rule Example"
+    
+    * A certificate for the domain `example.com` is requested:
+
+    --8<-- "content/https/include-acme-single-domain-example.md"
+
+??? example "Multiple Domains from Router's Rule Example"
+ 
+    * A certificate for the domains `example.com` (main) and `blog.example.org`
+      is requested:
+    
+    --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
+    
+??? example "Multiple Domains from Router's `tls.domain` Example"
+
+    * A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
+      is requested:
+      
+    --8<-- "content/https/include-acme-multiple-domains-example.md"
+
 ## Automatic Renewals
 
 Traefik automatically tracks the expiry date of ACME certificates it generates.
 
 If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
 
-!!! note
+!!! info ""
     Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
 
+## Using LetsEncrypt with Kubernetes
+
+When using LetsEncrypt with kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.
+
+!!! info ""
+    If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.
+
 ## The Different ACME Challenges
 
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
 ### `tlsChallenge`
 
 Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
@@ -94,14 +166,14 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 ??? example "Configuring the `tlsChallenge`"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.tlsChallenge]
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
     ```
 
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           tlsChallenge: {}
@@ -109,7 +181,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.tlsChallenge=true
+    --certificatesresolvers.myresolver.acme.tlschallenge=true
     ```
 
 ### `httpChallenge`
@@ -117,21 +189,21 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
 
 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpchallenge.entrypoint` must be reachable by Let's Encrypt through port 80.
 
-??? example "Using an EntryPoint Called http for the `httpChallenge`"
+??? example "Using an EntryPoint Called web for the `httpChallenge`"
 
     ```toml tab="File (TOML)"
     [entryPoints]
       [entryPoints.web]
         address = ":80"
       
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.myresolver.acme.httpChallenge]
         entryPoint = "web"
     ```
 
@@ -140,11 +212,11 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           httpChallenge:
@@ -152,13 +224,13 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
     ```
     
     ```bash tab="CLI"
-    --entryPoints.web.address=":80"
-    --entryPoints.websecure.address=":443"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
     ```
 
-!!! note
+!!! info ""
     Redirection is fully compatible with the `HTTP-01` challenge.
 
 ### `dnsChallenge`
@@ -168,9 +240,9 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.dnsChallenge]
+      [certificatesResolvers.myresolver.acme.dnsChallenge]
         provider = "digitalocean"
         delayBeforeCheck = 0
     # ...
@@ -178,7 +250,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           dnsChallenge:
@@ -189,8 +261,8 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
-    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+    --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
+    --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
     # ...
     ```
 
@@ -203,21 +275,29 @@ Here is a list of supported `providers`, that can automate the DNS verification,
 along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
 Do not hesitate to complete it.
 
-Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
+Many lego environment variables can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
 For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
 
+For complete details, refer to your provider's _Additional configuration_ link.
+
 | Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
-| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
+| [ArvanCloud](https://www.arvancloud.com/en)                 | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
+| [Auroradns](https://www.pcextreme.com/dns-health-checks)    | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
+| [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
+| [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
+| [CloudDNS](https://vshosting.eu/)                           | `clouddns`     | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)     |
 | [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key`                                               | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
+| [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
+| [deSEC](https://desec.io)                                   | `desec`        | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)        |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
 | [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
@@ -226,55 +306,69 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
 | [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
 | [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
+| [Dynu](https://www.dynu.com)                                | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
 | [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
+| [EdgeDNS](https://www.akamai.com/)                          | `edgedns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
 | External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
 | [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
-| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/fastdns)      |
+| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
 | [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
 | [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
 | [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
 | [GoDaddy](https://godaddy.com/)                             | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
+| [Hetzner](https://hetzner.com)                              | `hetzner`      | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)      |
 | [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
+| [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
 | [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
-| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
-| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
-| manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
+| [Linode v4](https://www.linode.com)                         | `linode`       | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
+| [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
+| [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
+| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
+| [Mythic Beasts](https://www.mythic-beasts.com)              | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
 | [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
 | [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
+| [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
-| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
+| [NS1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
 | [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
 | [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
 | [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
 | [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
 | [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
+| [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
 | [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
 | [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
+| [RimuHosting](https://rimuhosting.com)                      | `rimuhosting`  | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)  |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
+| [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
 | [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
+| [Servercow](https://servercow.de)                           | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
 | [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
 | [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
 | [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
+| [Yandex](https://yandex.com)                                | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
+| [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
 
 [^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
+[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production)
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
+[^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
 
-!!! note "`delayBeforeCheck`"
+!!! info "`delayBeforeCheck`"
     By default, the `provider` verifies the TXT record _before_ letting ACME verify.
     You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
     This option is useful when internal networks block external DNS queries.
@@ -284,28 +378,28 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 Use custom DNS servers to resolve the FQDN authority.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
   # ...
-  [certificatesResolvers.sample.acme.dnsChallenge]
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
     resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
 ```
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       dnsChallenge:
         # ...
         resolvers:
-        - "1.1.1.1:53"
-        - "8.8.8.8:53"
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
 ```
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.dnsChallenge.resolvers:="1.1.1.1:53,8.8.8.8:53"
+--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
 #### Wildcard Domains
@@ -313,12 +407,21 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
 
-## `caServer`
+## More Configuration
+
+### `caServer`
+
+_Required, Default="https://acme-v02.api.letsencrypt.org/directory"_
+
+The CA server to use:
+
+- Let's Encrypt production server: https://acme-v02.api.letsencrypt.org/directory
+- Let's Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory
 
 ??? example "Using the Let's Encrypt staging server"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
       caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
       # ...
@@ -326,7 +429,7 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
     
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           caServer: https://acme-staging-v02.api.letsencrypt.org/directory
@@ -335,16 +438,18 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+    --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
     # ...
     ```
 
-## `storage`
+### `storage`
+
+_Required, Default="acme.json"_
 
 The `storage` option sets the location where your ACME certificates are saved to.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
   # ...
   storage = "acme.json"
   # ...
@@ -352,7 +457,7 @@ The `storage` option sets the location where your ACME certificates are saved to
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       storage: acme.json
@@ -361,22 +466,16 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesresolvers.myresolver.acme.storage=acme.json
 # ...
 ```
 
-The value can refer to some kinds of storage:
-
-- a JSON file
-
-### In a File
-
-ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
+ACME certificates are stored in a JSON file that needs to have a `600` file mode.
 
 In Docker you can mount either the JSON file, or the folder containing it:
 
 ```bash
-docker run -v "/my/host/acme.json:acme.json" traefik
+docker run -v "/my/host/acme.json:/acme.json" traefik
 ```
 
 ```bash
@@ -384,7 +483,66 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 ```
 
 !!! warning
-    For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead.
+    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.
+
+### `preferredChain`
+
+_Optional, Default=""_
+
+Preferred chain to use.
+
+If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+If no match, the default offered chain will be used.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  preferredChain = "ISRG Root X1"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      preferredChain: 'ISRG Root X1'
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
+# ...
+```
+
+### `keyType`
+
+_Optional, Default="RSA4096"_
+
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  keyType = "RSA4096"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      keyType: 'RSA4096'
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.keyType="RSA4096"
+# ...
+```
 
 ## Fallback
 
@@ -394,5 +552,5 @@ If Let's Encrypt is not reachable, the following certificates will apply:
   1. Expired ACME certificates
   1. Provided certificates
 
-!!! note
+!!! important
     For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

docs/content/https/include-acme-multiple-domains-example.md

@@ -0,0 +1,91 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.routers.blog.tls.domains[0].main=example.org
+    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`example.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: myresolver
+    domains:
+    - main: example.org
+      sans:
+      - '*.example.org'
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "Host(`example.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver" # From static configuration
+      [[http.routers.blog.tls.domains]]
+        main = "example.org"
+        sans = ["*.example.org"]
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`example.com`) && Path(`/blog`)"
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: "example.org"
+            sans:
+              - "*.example.org"
+```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: myresolver
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
+      tls:
+        certResolver: myresolver
+```

docs/content/https/include-acme-single-domain-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`example.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: myresolver
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+  rule = "Host(`example.com`) && Path(`/blog`)"
+  [http.routers.blog.tls]
+    certResolver = "myresolver"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`example.com`) && Path(`/blog`)"
+      tls:
+        certResolver: myresolver
+```

docs/content/https/ref-acme.toml

@@ -1,11 +1,11 @@
 # Enable ACME (Let's Encrypt): automatic SSL.
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
 
   # Email address used for registration.
   #
   # Required
   #
-  email = "test@traefik.io"
+  email = "test@example.com"
 
   # File or key used for certificates storage.
   #
@@ -22,6 +22,16 @@
   #
   # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+  # Preferred chain to use.
+  #
+  # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+  # If no match, the default offered chain will be used.
+  #
+  # Optional
+  # Default: ""
+  #
+  # preferredChain = "ISRG Root X1"
+
   # KeyType to use.
   #
   # Optional
@@ -35,13 +45,13 @@
   #
   # Optional (but recommended)
   #
-  [certificatesResolvers.sample.acme.tlsChallenge]
+  [certificatesResolvers.myresolver.acme.tlsChallenge]
 
   # Use a HTTP-01 ACME challenge.
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.httpChallenge]
+  # [certificatesResolvers.myresolver.acme.httpChallenge]
 
     # EntryPoint to use for the HTTP-01 challenges.
     #
@@ -54,7 +64,7 @@
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.dnsChallenge]
+  # [certificatesResolvers.myresolver.acme.dnsChallenge]
 
     # DNS provider used.
     #

docs/content/https/ref-acme.txt

@@ -4,13 +4,13 @@
 #
 # Required
 #
---certificatesResolvers.sample.acme.email="test@traefik.io"
+--certificatesresolvers.myresolver.acme.email=test@example.com
 
 # File or key used for certificates storage.
 #
 # Required
 #
---certificatesResolvers.sample.acme.storage="acme.json"
+--certificatesresolvers.myresolver.acme.storage=acme.json
 
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
@@ -19,7 +19,17 @@
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
---certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+
+# Preferred chain to use.
+#
+# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+# If no match, the default offered chain will be used.
+#
+# Optional
+# Default: ""
+#
+--certificatesresolvers.myresolver.acme.preferredchain="ISRG Root X1"
 
 # KeyType to use.
 #
@@ -28,38 +38,38 @@
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
---certificatesResolvers.sample.acme.keyType=RSA4096
+--certificatesresolvers.myresolver.acme.keytype=RSA4096
 
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
---certificatesResolvers.sample.acme.tlsChallenge=true
+--certificatesresolvers.myresolver.acme.tlschallenge=true
 
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.httpChallenge=true
+--certificatesresolvers.myresolver.acme.httpchallenge=true
 
 # EntryPoint to use for the HTTP-01 challenges.
 #
 # Required
 #
---certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
 
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.dnsChallenge=true
+--certificatesresolvers.myresolver.acme.dnschallenge=true
 
 # DNS provider used.
 #
 # Required
 #
---certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
 
 # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
 # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
@@ -68,14 +78,14 @@
 # Optional
 # Default: 0
 #
---certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
 
 # Use following DNS servers to resolve the FQDN authority.
 #
 # Optional
 # Default: empty
 #
---certificatesResolvers.sample.acme.dnsChallenge.resolvers="1.1.1.1:53,8.8.8.8:53"
+--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 
 # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
 #
@@ -85,4 +95,4 @@
 # Optional
 # Default: false
 #
---certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
+--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

docs/content/https/ref-acme.yaml

@@ -1,5 +1,5 @@
 certificatesResolvers:
-  sample:
+  myresolver:
     # Enable ACME (Let's Encrypt): automatic SSL.
     acme:
 
@@ -7,7 +7,7 @@ certificatesResolvers:
       #
       # Required
       #
-      email: "test@traefik.io"
+      email: "test@example.com"
 
       # File or key used for certificates storage.
       #
@@ -24,6 +24,16 @@ certificatesResolvers:
       #
       # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+      # Preferred chain to use.
+      #
+      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+      # If no match, the default offered chain will be used.
+      #
+      # Optional
+      # Default: ""
+      #
+      # preferredChain: 'ISRG Root X1'
+
       # KeyType to use.
       #
       # Optional

docs/content/https/tls.md

@@ -13,7 +13,9 @@ See the [Let's Encrypt](./acme.md) page.
 
 To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [[tls.certificates]]
   certFile = "/path/to/domain.cert"
   keyFile = "/path/to/domain.key"
@@ -23,30 +25,37 @@ To add / remove TLS certificates, even when Traefik is already running, their de
   keyFile = "/path/to/other-domain.key"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   certificates:
-  - certFile: /path/to/domain.cert
-    keyFile: /path/to/domain.key
-  - certFile: /path/to/other-domain.cert
-    keyFile: /path/to/other-domain.key
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
 ```
 
-!!! important "File Provider Only"
+!!! important "Restriction"
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
 
 ## Certificates Stores
 
 In Traefik, certificates are grouped together in certificates stores, which are defined as such:
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.stores]
   [tls.stores.default]
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   stores:
     default: {}
@@ -59,7 +68,9 @@ tls:
 
 In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [[tls.certificates]]
   certFile = "/path/to/domain.cert"
   keyFile = "/path/to/domain.key"
@@ -72,17 +83,19 @@ In the `tls.certificates` section, a list of stores can then be specified to ind
   keyFile = "/path/to/other-domain.key"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   certificates:
-  - certFile: /path/to/domain.cert
-    keyFile: /path/to/domain.key
-    stores:
-    - default
-  # Note that since no store is defined,
-  # the certificate below will be stored in the `default` store.
-  - certFile: /path/to/other-domain.cert
-    keyFile: /path/to/other-domain.key
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+      stores:
+        - default
+    # Note that since no store is defined,
+    # the certificate below will be stored in the `default` store.
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
 ```
 
 !!! important "Restriction"
@@ -94,7 +107,9 @@ tls:
 Traefik can use a default certificate for connections without a SNI, or without a matching domain.
 This default certificate should be defined in a TLS store:
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.stores]
   [tls.stores.default]
     [tls.stores.default.defaultCertificate]
@@ -102,7 +117,9 @@ This default certificate should be defined in a TLS store:
       keyFile  = "path/to/cert.key"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   stores:
     default:
@@ -117,9 +134,30 @@ If no default certificate is provided, Traefik generates and uses a self-signed
 
 The TLS options allow one to configure some parameters of the TLS connection.
 
+!!! important "'default' TLS Option"
+
+    The `default` option is special.
+    When no tls options are specified in a tls router, the `default` option is used.  
+    When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.  
+    Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
+    you must specify the provider namespace, for example:  
+    `traefik.http.routers.myrouter.tls.options=myoptions@file`
+
+!!! important "TLSOptions in Kubernetes"
+
+    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
+    if not explicitly overwritten, should apply to all ingresses.  
+    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
+    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
+    you'll have to add an annotation to the Ingress in the following form:
+    `traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`
+
 ### Minimum TLS Version
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.options]
 
   [tls.options.default]
@@ -129,7 +167,9 @@ The TLS options allow one to configure some parameters of the TLS connection.
     minVersion = "VersionTLS13"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   options:
     default:
@@ -139,6 +179,226 @@ tls:
       minVersion: VersionTLS13
 ```
 
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  minVersion: VersionTLS12
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: mintls13
+  namespace: default
+
+spec:
+  minVersion: VersionTLS13
+```
+
+### Maximum TLS Version
+
+We discourage the use of this setting to disable TLS1.3.
+
+The recommended approach is to update the clients to support TLS1.3.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    maxVersion = "VersionTLS13"
+
+  [tls.options.maxtls12]
+    maxVersion = "VersionTLS12"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      maxVersion: VersionTLS13
+
+    maxtls12:
+      maxVersion: VersionTLS12
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS13
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: maxtls12
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS12
+```
+
+### Cipher Suites
+
+See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      cipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  cipherSuites:
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+```
+
+!!! important "TLS 1.3"
+
+    Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. (<https://tools.ietf.org/html/rfc8446>)  
+    With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
+    <https://golang.org/doc/go1.12#tls_1_3>
+
+### Curve Preferences
+
+This option allows to set the preferred elliptic curves in a specific order.
+
+The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.
+
+See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    curvePreferences = ["CurveP521", "CurveP384"]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  curvePreferences:
+    - CurveP521
+    - CurveP384
+```
+
+### Strict SNI Checking
+
+With strict SNI checking enabled, Traefik won't allow connections from clients
+that do not specify a server_name extension or don't match any certificate configured on the tlsOption.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    sniStrict = true
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      sniStrict: true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  sniStrict: true
+```
+
+### Prefer Server Cipher Suites
+
+This option allows the server to choose its most preferred cipher suite instead of the client's.
+Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    preferServerCipherSuites = true
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      preferServerCipherSuites: true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  preferServerCipherSuites: true
+```
+
 ### Client Authentication (mTLS)
 
 Traefik supports mutual authentication, through the `clientAuth` section.
@@ -153,7 +413,9 @@ The `clientAuth.clientAuthType` option governs the behaviour as follows:
 - `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
 - `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`. 
 
-```toml tab="TOML"
+```toml tab="File (TOML)"
+# Dynamic configuration
+
 [tls.options]
   [tls.options.default]
     [tls.options.default.clientAuth]
@@ -162,54 +424,31 @@ The `clientAuth.clientAuthType` option governs the behaviour as follows:
       clientAuthType = "RequireAndVerifyClientCert"
 ```
 
-```yaml tab="YAML"
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
 tls:
   options:
     default:
       clientAuth:
         # in PEM format. each file can contain multiple CAs.
         caFiles:
-        - tests/clientca1.crt
-        - tests/clientca2.crt
+          - tests/clientca1.crt
+          - tests/clientca2.crt
         clientAuthType: RequireAndVerifyClientCert
 ```
 
-### Cipher Suites
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
 
-See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
-
-```toml tab="TOML"
-[tls.options]
-  [tls.options.default]
-    cipherSuites = [
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_RSA_WITH_AES_256_GCM_SHA384"
-    ]
-```
-
-```yaml tab="YAML"
-tls:
-  options:
-    default:
-      cipherSuites:
-      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-      - TLS_RSA_WITH_AES_256_GCM_SHA384
-```
-
-### Strict SNI Checking
-
-With strict SNI checking, Traefik won't allow connections from clients connections
-that do not specify a server_name extension.
-
-```toml tab="TOML"
-[tls.options]
-  [tls.options.default]
-    sniStrict = true
-```
-
-```yaml tab="YAML"
-tls:
-  options:
-    default:
-      sniStrict: true
+spec:
+  clientAuth:
+    # the CA certificate is extracted from key `tls.ca` of the given secrets.
+    secretNames:
+      - secretCA
+    clientAuthType: RequireAndVerifyClientCert
 ```

docs/content/index.md

@@ -3,7 +3,7 @@
 
 ![Architecture](assets/img/traefik-architecture.png)
 
-Traefik is an [open-source](https://github.com/containous/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
 It receives requests on behalf of your system and finds out which components are responsible for handling them. 
 
 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
@@ -18,6 +18,11 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 -- The Traefik Maintainer Team 
 
-!!! Note
+!!! info
 
-    If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 
+    Join our user friendly and active [Community Forum](https://community.traefik.io) to discuss, learn, and connect with the traefik community.
+    
+    If you're a business running critical services behind Traefik,
+    know that [Traefik Labs](https://traefik.io), the company that sponsors Traefik's development,
+    can provide [commercial support](https://info.traefik.io/commercial-services)
+    and develops an [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik.

docs/content/middlewares/addprefix.md

@@ -12,7 +12,7 @@ The AddPrefix middleware updates the URL Path of the request before forwarding i
 ```yaml tab="Docker"
 # Prefixing with /foo
 labels:
-- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 
 ```yaml tab="Kubernetes"
@@ -26,6 +26,11 @@ spec:
     prefix: /foo
 ```
 
+```yaml tab="Consul Catalog"
+# Prefixing with /foo
+- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
@@ -35,7 +40,7 @@ spec:
 ```yaml tab="Rancher"
 # Prefixing with /foo
 labels:
-- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 
 ```toml tab="File (TOML)"
@@ -58,4 +63,5 @@ http:
 
 ### `prefix`
 
-`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).
+`prefix` is the string to add before the current path in the requested URL.
+It should include the leading slash (`/`).

docs/content/middlewares/basicauth.md

@@ -12,11 +12,13 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 ```yaml tab="Docker"
 # Declaring the user list
 #
-# Note: all dollar signs in the hash need to be doubled for escaping.
+# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+#
+# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
-- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
 
 ```yaml tab="Kubernetes"
@@ -30,6 +32,10 @@ spec:
     secret: secretName
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
@@ -39,7 +45,7 @@ spec:
 ```yaml tab="Rancher"
 # Declaring the user list
 labels:
-- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
 ```toml tab="File (TOML)"
@@ -59,15 +65,15 @@ http:
     test-auth:
       basicAuth:
         users:
-        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
-        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
 ## Configuration Options
 
 ### General
 
-Passwords must be encoded using MD5, SHA1, or BCrypt.
+Passwords must be hashed using MD5, SHA1, or BCrypt.
 
 !!! tip 
 
@@ -75,9 +81,9 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.
 
 ### `users`
 
-The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
+The `users` option is an array of authorized users. Each user will be declared using the `name:hashed-password` format.
 
-!!! Note
+!!! note ""
     
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
@@ -86,10 +92,10 @@ The `users` option is an array of authorized users. Each user will be declared u
 # Declaring the user list
 #
 # Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
+# To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
 labels:
-- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
 
 ```yaml tab="Kubernetes"
@@ -103,6 +109,10 @@ spec:
     secret: authsecret
 
 ---
+# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
+# To create an encoded user:password pair, the following command can be used:
+# htpasswd -nb user password | openssl base64
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -115,6 +125,11 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+# Declaring the user list
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
@@ -124,7 +139,7 @@ data:
 ```yaml tab="Rancher"
 # Declaring the user list
 labels:
-- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
 ```toml tab="File (TOML)"
@@ -144,24 +159,24 @@ http:
     test-auth:
       basicAuth:
         users:
-        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
-        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
 ### `usersFile`
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
 
-The file content is a list of `name:encoded-password`.
+The file content is a list of `name:hashed-password`.
 
-!!! Note
+!!! note ""
     
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```
 
 ```yaml tab="Kubernetes"
@@ -186,6 +201,10 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
@@ -224,7 +243,7 @@ You can customize the realm for the authentication with the `realm` option. The
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```
 
 ```yaml tab="Kubernetes"
@@ -237,6 +256,10 @@ spec:
     realm: MyRealm
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
@@ -268,7 +291,7 @@ You can define a header field to store the authenticated user using the `headerF
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
+  - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```
 
 ```yaml tab="Kubernetes"
@@ -282,6 +305,10 @@ spec:
     headerField: X-WebAuth-User
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
@@ -309,7 +336,7 @@ Set the `removeHeader` option to `true` to remove the authorization header befor
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -322,6 +349,10 @@ spec:
     removeHeader: true
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
@@ -330,7 +361,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```
 
 ```toml tab="File (TOML)"

docs/content/middlewares/buffering.md

@@ -16,7 +16,7 @@ This can help services deal with large data (multipart/form-data for example), a
 ```yaml tab="Docker"
 # Sets the maximum request body to 2Mb
 labels:
-- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
 ```yaml tab="Kubernetes"
@@ -27,26 +27,31 @@ metadata:
   name: limit
 spec:
   buffering:
-    maxRequestBodyBytes: 250000
+    maxRequestBodyBytes: 2000000
+```
+
+```yaml tab="Consul Catalog"
+# Sets the maximum request body to 2Mb
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "250000"
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
 }
 ```
 
 ```yaml tab="Rancher"
 # Sets the maximum request body to 2Mb
 labels:
-- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
 ```toml tab="File (TOML)"
 # Sets the maximum request body to 2Mb
 [http.middlewares]
   [http.middlewares.limit.buffering]
-    maxRequestBodyBytes = 250000
+    maxRequestBodyBytes = 2000000
 ```
 
 ```yaml tab="File (YAML)"
@@ -55,7 +60,7 @@ http:
   middlewares:
     limit:
       buffering:
-        maxRequestBodyBytes: 250000
+        maxRequestBodyBytes: 2000000
 ```
 
 ## Configuration Options
@@ -64,33 +69,249 @@ http:
 
 With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
 
-If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
+If the request exceeds the allowed size, it is not forwarded to the service and the client gets a `413 (Request Entity Too Large)` response.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    maxRequestBodyBytes: 2000000
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxRequestBodyBytes: 2000000
+```
 
 ### `memRequestBodyBytes`
 
-You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    memRequestBodyBytes: 2000000
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memRequestBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        memRequestBodyBytes: 2000000
+```
 
 ### `maxResponseBodyBytes`
 
-With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
+With the `maxResponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
 
 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    maxResponseBodyBytes: 2000000
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxResponseBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxResponseBodyBytes: 2000000
+```
+
 ### `memResponseBodyBytes`
 
-You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    memResponseBodyBytes: 2000000
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memResponseBodyBytes = 2000000
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    limit:
+      buffering:
+        memResponseBodyBytes: 2000000
+```
 
 ### `retryExpression`
 
 You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
 
-!!! example "Retries once in case of a network error"
+??? example "Retries once in case of a network error"
     
-    ```toml
-    retryExpression = "IsNetworkError() && Attempts() < 2"
+    ```yaml tab="Docker"
+    labels:
+      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
     
-Available functions for the retry expression are:
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: limit
+    spec:
+      buffering:
+        retryExpression: "IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```yaml tab="Consul Catalog"
+    - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+        
+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
+    }
+    ```
+    
+    ```yaml tab="Rancher"
+    labels:
+      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```toml tab="File (TOML)"
+    [http.middlewares]
+      [http.middlewares.limit.buffering]
+        retryExpression = "IsNetworkError() && Attempts() < 2"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    http:
+      middlewares:
+        limit:
+          buffering:
+            retryExpression: "IsNetworkError() && Attempts() < 2"
+    ```
+
+The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`). At least one function is required:
 
 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service

docs/content/middlewares/chain.md

@@ -14,14 +14,14 @@ Example "A Chain for WhiteList, BasicAuth, and HTTPS"
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.routers.router1.service=service1"
-- "traefik.http.routers.router1.middlewares=secured"
-- "traefik.http.routers.router1.rule=Host(`mydomain`)"
-- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
-- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-- "http.services.service1.loadbalancer.server.port=80"
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "http.services.service1.loadbalancer.server.port=80"
 ```
 
 ```yaml tab="Kubernetes"
@@ -83,6 +83,17 @@ spec:
     - 127.0.0.1/32
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.routers.router1.service=service1"
+- "traefik.http.routers.router1.middlewares=secured"
+- "traefik.http.routers.router1.rule=Host(`mydomain`)"
+- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "http.services.service1.loadbalancer.server.port=80"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.routers.router1.service": "service1",
@@ -98,14 +109,14 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.routers.router1.service=service1"
-- "traefik.http.routers.router1.middlewares=secured"
-- "traefik.http.routers.router1.rule=Host(`mydomain`)"
-- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
-- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-- "http.services.service1.loadbalancer.server.port=80"
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "http.services.service1.loadbalancer.server.port=80"
 ```
 
 ```toml tab="File (TOML)"
@@ -143,21 +154,21 @@ http:
     router1:
       service: service1
       middlewares:
-      - secured
+        - secured
       rule: "Host(`mydomain`)"
 
   middlewares:
     secured:
       chain:
         middlewares:
-        - https-only
-        - known-ips
-        - auth-users
+          - https-only
+          - known-ips
+          - auth-users
 
     auth-users:
       basicAuth:
         users:
-        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 
     https-only:
       redirectScheme:
@@ -166,12 +177,12 @@ http:
     known-ips:
       ipWhiteList:
         sourceRange:
-        - "192.168.1.7"
-        - "127.0.0.1/32"
+          - "192.168.1.7"
+          - "127.0.0.1/32"
 
   services:
     service1:
       loadBalancer:
         servers:
-        - url: "http://127.0.0.1:80"
+          - url: "http://127.0.0.1:80"
 ```

docs/content/middlewares/circuitbreaker.md

@@ -7,26 +7,31 @@ Don't Waste Time Calling Unhealthy Services
 
 The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
 
-When your system is healthy, the circuit is close (normal operations). 
+When your system is healthy, the circuit is closed (normal operations).
 When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
 
 To assess if your system is healthy, the circuit breaker constantly monitors the services. 
 
-!!! Note
+!!! note ""
 
     - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
     - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
 
 !!! important
 
-    Each router will eventually gets its own instance of a given circuit breaker. If two different routers refer to the same circuit breaker definition, they will get one instance each. It means that one circuit breaker can be open while the other stays close: their state is not shared. This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
+    Each router will eventually gets its own instance of a given circuit breaker.
+    
+    If two different routers refer to the same circuit breaker definition, they will get one instance each.
+    It means that one circuit breaker can be open while the other stays closed: their state is not shared.
+    
+    This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
 # Latency Check
 labels:
-- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 
 ```yaml tab="Kubernetes"
@@ -40,6 +45,11 @@ spec:
     expression: LatencyAtQuantileMS(50.0) > 100
 ```
 
+```yaml tab="Consul Catalog"
+# Latency Check
+- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
@@ -49,7 +59,7 @@ spec:
 ```yaml tab="Rancher"
 # Latency Check
 labels:
-- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 
 ```toml tab="File (TOML)"
@@ -72,13 +82,13 @@ http:
 
 There are three possible states for your circuit breaker:
 
-- Close (your service operates normally)
+- Closed (your service operates normally)
 - Open (the fallback mechanism takes over your service)
 - Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)
 
-### Close
+### Closed
 
-While close, the circuit breaker only collects metrics to analyze the behavior of the requests.
+While the circuit is closed, the circuit breaker only collects metrics to analyze the behavior of the requests.
 
 At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change. 
 
@@ -117,7 +127,7 @@ The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`,
 
 The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
 
-!!! Note
+!!! note ""
     If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
     
     `from`is inclusive, `to` is exclusive. 
@@ -130,7 +140,7 @@ You can trigger the circuit breaker when a given proportion of your requests bec
 
 For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
 
-!!! Note
+!!! note ""
 
     You must provide a float number (with the trailing .0) for the quantile value
  
@@ -155,14 +165,16 @@ Here is the list of supported operators:
 - Lesser or equal than (`<=`)
 - Equal (`==`)
 - Not Equal (`!=`)
- 
+
 ### Fallback mechanism
 
-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured. 
+The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service).
+This behavior cannot be configured. 
 
 ### `CheckPeriod`
 
-The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
+The interval used to evaluate `expression` and decide if the state of the circuit breaker must change.
+By default, `CheckPeriod` is 100ms. This value cannot be configured.
 
 ### `FallbackDuration`
 

docs/content/middlewares/compress.md

@@ -12,7 +12,7 @@ The Compress middleware enables the gzip compression.
 ```yaml tab="Docker"
 # Enable gzip compression
 labels:
-- "traefik.http.middlewares.test-compress.compress=true"
+  - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -25,6 +25,11 @@ spec:
   compress: {}
 ```
 
+```yaml tab="Consul Catalog"
+# Enable gzip compression
+- "traefik.http.middlewares.test-compress.compress=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-compress.compress": "true"
@@ -34,7 +39,7 @@ spec:
 ```yaml tab="Rancher"
 # Enable gzip compression
 labels:
-- "traefik.http.middlewares.test-compress.compress=true"
+  - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
 ```toml tab="File (TOML)"
@@ -51,10 +56,69 @@ http:
       compress: {}
 ```
 
-## Notes
+!!! info
+    
+    Responses are compressed when:
+    
+    * The response body is larger than `1400` bytes.
+    * The `Accept-Encoding` request header contains `gzip`.
+    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
 
-Responses are compressed when:
+    If Content-Type header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type. 
+    It will also set accordingly the `Content-Type` header with the detected MIME type.
+    
+## Configuration Options
 
-* The response body is larger than `1400` bytes.
-* The `Accept-Encoding` request header contains `gzip`.
-* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
+### `excludedContentTypes`
+
+`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests to before compressing.
+
+The requests with content types defined in `excludedContentTypes` are not compressed.
+
+Content types are compared in a case-insensitive, whitespace-ignored manner.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    excludedContentTypes:
+      - text/event-stream
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.excludedcontenttypes": "text/event-stream"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    excludedContentTypes = ["text/event-stream"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+```

docs/content/middlewares/contenttype.md

@@ -0,0 +1,86 @@
+
+# ContentType
+
+Handling ContentType auto-detection
+{: .subtitle }
+
+The Content-Type middleware - or rather its unique `autoDetect` option -
+specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.
+
+As a proxy, the default behavior should be to leave the header alone,
+regardless of what the backend did with it.
+However, the historic default was to always auto-detect and set the header if it was nil,
+and it is going to be kept that way in order to support users currently relying on it.
+This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+
+!!! info
+
+    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
+    is still to automatically set the `Content-Type` header.
+    Therefore, given the default value of the `autoDetect` option (false),
+    simply enabling this middleware for a router switches the router's behavior.
+    
+    The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
+    Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```yaml tab="Kubernetes"
+# Disable auto-detection
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: autodetect
+spec:
+  contentType:
+    autoDetect: false
+```
+
+```yaml tab="Consul Catalog"
+# Disable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+}
+```
+
+```yaml tab="Rancher"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```toml tab="File (TOML)"
+# Disable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+     autoDetect=false
+```
+
+```yaml tab="File (YAML)"
+# Disable auto-detection
+http:
+  middlewares:
+    autodetect:
+      contentType:
+        autoDetect: false
+```
+
+## Configuration Options
+
+### `autoDetect`
+
+`autoDetect` specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.

docs/content/middlewares/digestauth.md

@@ -12,7 +12,7 @@ The DigestAuth middleware is a quick way to restrict access to your services to
 ```yaml tab="Docker"
 # Declaring the user list
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
 ```yaml tab="Kubernetes"
@@ -26,6 +26,11 @@ spec:
     secret: userssecret
 ```
 
+```yaml tab="Consul Catalog"
+# Declaring the user list
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -35,7 +40,7 @@ spec:
 ```yaml tab="Rancher"
 # Declaring the user list
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
 ```toml tab="File (TOML)"
@@ -55,8 +60,8 @@ http:
     test-auth:
       digestAuth:
         users:
-        - "test:traefik:a2688e031edb4be6a3797f3882655c05"
-        - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+          - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
 ## Configuration Options
@@ -69,14 +74,14 @@ http:
 
 The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
 
-!!! Note
+!!! note ""
     
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
 ```yaml tab="Kubernetes"
@@ -100,6 +105,10 @@ data:
     dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -108,7 +117,7 @@ data:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
 ```toml tab="File (TOML)"
@@ -126,8 +135,8 @@ http:
     test-auth:
       digestAuth:
         users:
-        - "test:traefik:a2688e031edb4be6a3797f3882655c05"
-        - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+          - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
 ### `usersFile`
@@ -136,14 +145,14 @@ The `usersFile` option is the path to an external file that contains the authori
 
 The file content is a list of `name:realm:encoded-password`.
 
-!!! Note
+!!! note ""
     
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```
 
 ```yaml tab="Kubernetes"
@@ -168,6 +177,10 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
@@ -206,7 +219,7 @@ You can customize the realm for the authentication with the `realm` option. The
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```
 
 ```yaml tab="Kubernetes"
@@ -219,6 +232,10 @@ spec:
     realm: MyRealm
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
@@ -264,9 +281,8 @@ spec:
     headerField: X-WebAuth-User
 ```
 
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
 
 ```json tab="Marathon"
@@ -275,6 +291,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares.my-auth.digestAuth]
   # ...
@@ -296,7 +317,7 @@ Set the `removeHeader` option to `true` to remove the authorization header befor
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -309,6 +330,10 @@ spec:
     removeHeader: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"

docs/content/middlewares/errorpages.md

@@ -15,9 +15,9 @@ The ErrorPage middleware returns a custom page in lieu of the default, according
 ```yaml tab="Docker"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
-- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
-- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
-- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+  - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+  - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```
 
 ```yaml tab="Kubernetes"
@@ -28,13 +28,20 @@ metadata:
 spec:
   errors:
     status:
-    - 500-599
+      - 500-599
     query: /{status}.html
     service:
       name: whoami
       port: 80
 ```
 
+```yaml tab="Consul Catalog"
+# Dynamic Custom Error Page for 5XX Status Code
+- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-errorpage.errors.status": "500-599",
@@ -46,9 +53,9 @@ spec:
 ```yaml tab="Rancher"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
-- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
-- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
-- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+  - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+  - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```
 
 ```toml tab="File (TOML)"
@@ -70,7 +77,7 @@ http:
     test-errorpage:
       errors:
         status:
-        - "500-599"
+          - "500-599"
         service: serviceError
         query: "/{status}.html"
 
@@ -78,7 +85,7 @@ http:
   # ... definition of error-handler-service and my-service
 ```
 
-!!! note 
+!!! note "" 
     In this example, the error page URL is based on the status code (`query=/{status}.html`).
 
 ## Configuration Options
@@ -89,7 +96,7 @@ The `status` that will trigger the error page.
 
 The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
  
-!!! Note
+!!! note "" 
 
     You can define either a status code like `500` or ranges with a syntax like `500-599`.
 
@@ -97,7 +104,7 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet
 
 The service that will serve the new requested error page.
 
-!!! Note
+!!! note "" 
     In kubernetes, you need to reference a kubernetes service instead of a traefik service.
 
 ### `query`

docs/content/middlewares/forwardauth.md

@@ -12,48 +12,53 @@ Otherwise, the response from the authentication server is returned.
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```yaml tab="Kubernetes"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
+```
+
+```yaml tab="Consul Catalog"
+# Forward authentication to example.com
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
 }
 ```
 
 ```yaml tab="Rancher"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```toml tab="File (TOML)"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
 ```
 
 ```yaml tab="File (YAML)"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
 ```
 
 ## Configuration Options
@@ -64,7 +69,7 @@ The `address` option defines the authentication server address.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```yaml tab="Kubernetes"
@@ -74,24 +79,28 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth 
+    address: https://example.com/auth 
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
 }
 ```
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
 ```
 
 ```yaml tab="File (YAML)"
@@ -99,7 +108,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
 ```
 
 ### `trustForwardHeader`
@@ -108,7 +117,7 @@ Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwa
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -118,10 +127,14 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     trustForwardHeader: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
@@ -130,13 +143,13 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     trustForwardHeader = true
 ```
 
@@ -145,7 +158,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         trustForwardHeader: true
 ```
 
@@ -155,7 +168,7 @@ The `authResponseHeaders` option is the list of the headers to copy from the aut
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
 
 ```yaml tab="Kubernetes"
@@ -165,10 +178,14 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     authResponseHeaders:
-    - X-Auth-User
-    - X-Secret
+      - X-Auth-User
+      - X-Secret
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
 
 ```json tab="Marathon"
@@ -179,13 +196,13 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     authResponseHeaders = ["X-Auth-User", "X-Secret"]
 ```
 
@@ -194,10 +211,10 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         authResponseHeaders:
-        - "X-Auth-User"
-        - "X-Secret"
+          - "X-Auth-User"
+          - "X-Secret"
 ```
 
 ### `tls`
@@ -206,11 +223,11 @@ The `tls` option is the TLS configuration from Traefik to the authentication ser
 
 #### `tls.ca`
 
-TODO add description.
+Certificate Authority used for the secured connection to the authentication server.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```
 
 ```yaml tab="Kubernetes"
@@ -220,7 +237,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       caSecret: mycasercret
 
@@ -235,6 +252,10 @@ data:
   ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
@@ -243,13 +264,13 @@ data:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       ca = "path/to/local.crt"
 ```
@@ -259,18 +280,23 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           ca: "path/to/local.crt"
 ```
 
 #### `tls.caOptional`
 
-TODO add description.
+Policy used for the secured connection with TLS Client Authentication to the authentication server.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -280,11 +306,15 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       caOptional: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
@@ -293,13 +323,13 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       caOptional = true
 ```
@@ -309,19 +339,19 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           caOptional: true
 ```
 
 #### `tls.cert`
 
-TODO add description.
+Public certificate used for the secured connection to the authentication server.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
 ```yaml tab="Kubernetes"
@@ -331,7 +361,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       certSecret: mytlscert
 
@@ -347,6 +377,11 @@ data:
   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
@@ -356,14 +391,14 @@ data:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       cert = "path/to/foo.cert"
       key = "path/to/foo.key"
@@ -374,23 +409,23 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           cert: "path/to/foo.cert"
           key: "path/to/foo.key"
 ```
 
-!!! Note
+!!! info
     For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
 #### `tls.key`
 
-TODO add description.
+Private certificate used for the secure connection to the authentication server.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
 ```yaml tab="Kubernetes"
@@ -400,7 +435,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       certSecret: mytlscert
 
@@ -416,6 +451,11 @@ data:
   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
@@ -425,14 +465,14 @@ data:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       cert = "path/to/foo.cert"
       key = "path/to/foo.key"
@@ -443,22 +483,22 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           cert: "path/to/foo.cert"
           key: "path/to/foo.key"
 ```
 
-!!! Note
+!!! info
     For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
 #### `tls.insecureSkipVerify`
 
-TODO add description.
+If `insecureSkipVerify` is `true`, TLS for the connection to authentication server accepts any certificate presented by the server and any host name in that certificate.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -468,8 +508,13 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
-    insecureSkipVerify: true
+    address: https://example.com/auth
+    tls:
+      insecureSkipVerify: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```
 
 ```json tab="Marathon"
@@ -480,14 +525,15 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
-    insecureSkipVerify: true
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      insecureSkipVerify: true
 ```
 
 ```yaml tab="File (YAML)"
@@ -495,6 +541,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
-        insecureSkipVerify: true
+        address: "https://example.com/auth"
+        tls:
+          insecureSkipVerify: true
 ```

docs/content/middlewares/headers.md

@@ -15,8 +15,8 @@ Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
-- "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
+  - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```
 
 ```yaml tab="Kubernetes"
@@ -32,6 +32,11 @@ spec:
       X-Custom-Response-Header: "value"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
@@ -41,8 +46,8 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```
 
 ```toml tab="File (TOML)"
@@ -91,6 +96,10 @@ spec:
       X-Custom-Response-Header: "" # Removes
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
@@ -142,8 +151,13 @@ metadata:
   name: testHeader
 spec:
   headers:
-    frameDeny: "true"
-    sslRedirect: "true"
+    frameDeny: true
+    sslRedirect: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.framedeny=true"
+- "traefik.http.middlewares.testheader.headers.sslredirect=true"
 ```
 
 ```json tab="Marathon"
@@ -162,8 +176,8 @@ labels:
 ```toml tab="File (TOML)"    
 [http.middlewares]
   [http.middlewares.testHeader.headers]
-    FrameDeny = true
-    SSLRedirect = true
+    frameDeny = true
+    sslRedirect = true
 ```
 
 ```yaml tab="File (YAML)"  
@@ -171,8 +185,8 @@ http:
   middlewares:
     testHeader:
       headers:
-        FrameDeny: true
-        SSLRedirect: true
+        frameDeny: true
+        sslRedirect: true
 ```
 
 ### CORS Headers
@@ -183,7 +197,7 @@ This functionality allows for more advanced security features to quickly be set.
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -199,15 +213,24 @@ spec:
       - "GET"
       - "OPTIONS"
       - "PUT"
-    accessControlAllowOrigin: "origin-list-or-null"
+    accessControlAllowOriginList:
+      - "https://foo.bar.org"
+      - "https://example.org"
     accessControlMaxAge: 100
-    addVaryHeader: "true"
+    addVaryHeader: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
+- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
 
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin": "origin-list-or-null",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
   "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
   "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
 }
@@ -216,7 +239,7 @@ spec:
 ```yaml tab="Rancher"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -225,7 +248,7 @@ labels:
 [http.middlewares]
   [http.middlewares.testHeader.headers]
     accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
     accessControlMaxAge = 100
     addVaryHeader = true
 ```
@@ -235,11 +258,13 @@ http:
   middlewares:
     testHeader:
       headers:
-        accessControlAllowMethod:
-        - GET
-        - OPTIONS
-        - PUT
-        accessControlAllowOrigin: "origin-list-or-null"
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlAllowOriginList:
+          - https://foo.bar.org
+          - https://example.org
         accessControlMaxAge: 100
         addVaryHeader: true
 ```
@@ -251,7 +276,7 @@ http:
 !!! warning
     If the custom header name is the same as one header name of the request or response, it will be replaced.
 
-!!! note
+!!! note ""
     The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
 
 ### `customRequestHeaders`
@@ -274,14 +299,22 @@ The `accessControlAllowHeaders` indicates which header field names can be used a
 
 The  `accessControlAllowMethods` indicates which methods can be used during requests.
 
-### `accessControlAllowOrigin`
+### `accessControlAllowOriginList`
 
-The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values.
-The three options for this value are:
+The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
 
-- `origin-list-or-null`
-- `*`
-- `null`
+A wildcard origin `*` can also be configured, and will match all requests.
+If this value is set by a backend server, it will be overwritten by Traefik
+
+This value can contains a list of allowed origins.
+
+More information including how to use the settings can be found on:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
+
+Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
 
 ### `accessControlExposeHeaders`
 
@@ -289,11 +322,11 @@ The `accessControlExposeHeaders` indicates which headers are safe to expose to t
 
 ### `accessControlMaxAge`
 
-The `accessControlMaxAge` indicates how long a preflight request can be cached.
+The `accessControlMaxAge` indicates how long (in seconds) a preflight request can be cached.
 
 ### `addVaryHeader`
 
-The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
 
 ### `allowedHosts` 
 
@@ -331,7 +364,7 @@ If set to 0, would NOT include the header.
 
 ### `stsIncludeSubdomains` 
 
-The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
+The `stsIncludeSubdomains` is set to true, the `includeSubDomains` directive will be appended to the Strict-Transport-Security header.
 
 ### `stsPreload` 
 

docs/content/middlewares/inflightreq.md

@@ -11,7 +11,7 @@ To proactively prevent services from being overwhelmed with high load, a limit o
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
 ```yaml tab="Kubernetes"
@@ -24,6 +24,11 @@ spec:
     amount: 10
 ```
 
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
@@ -33,7 +38,7 @@ spec:
 ```yaml tab="Rancher"
 # Limiting to 10 simultaneous connections
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
 ```toml tab="File (TOML)"
@@ -59,6 +64,54 @@ http:
 The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
 The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    amount: 10
+```
+
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10 
+```
+
+```yaml tab="File (YAML)"
+# Limiting to 10 simultaneous connections
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        amount: 10 
+```
+
 ### `sourceCriterion`
  
 SourceCriterion defines what criterion is used to group requests as originating from a common source.
@@ -76,7 +129,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is lesser than or equal to 0.
     
-!!! note "Example of Depth & X-Forwarded-For"
+!!! example "Example of Depth & X-Forwarded-For"
 
     If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
 
@@ -86,14 +139,62 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      ipStrategy:
+        depth: 2
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          ipStrategy:
+            depth: 2
+```
+
 ##### `ipStrategy.excludedIPs`
 
 `excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
 
-!!! important
-    If `depth` is specified, `excludedIPs` is ignored.
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
 
-!!! note "Example of ExcludedIPs & X-Forwarded-For"
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
 
     | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
     |-----------------------------------------|-----------------------|--------------|
@@ -105,7 +206,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
@@ -122,8 +223,7 @@ spec:
         - 192.168.1.7
 ```
 
-```yaml tab="Rancher"
-labels:
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
@@ -133,6 +233,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]
@@ -148,8 +253,8 @@ http:
         sourceCriterion:
           ipStrategy:
             excludedIPs:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+              - "127.0.0.1/32"
+              - "192.168.1.7"
 ```
 
 #### `sourceCriterion.requestHeaderName`
@@ -158,7 +263,7 @@ Requests having the same value for the given header are grouped as coming from t
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
 ```yaml tab="Kubernetes"
@@ -172,8 +277,7 @@ spec:
       requestHeaderName: username
 ```
 
-```yaml tab="Rancher"
-labels:
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
@@ -183,6 +287,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]
@@ -205,7 +314,7 @@ Whether to consider the request host as the source.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -219,8 +328,7 @@ spec:
       requestHost: true
 ```
 
-```yaml tab="Rancher"
-labels:
+```yaml tab="Cosul Catalog"
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
@@ -230,6 +338,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]

docs/content/middlewares/ipwhitelist.md

@@ -12,7 +12,7 @@ IPWhitelist accepts / refuses requests based on the client IP.
 ```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
@@ -23,8 +23,13 @@ metadata:
 spec:
   ipWhiteList:
     sourceRange:
-    - 127.0.0.1/32
-    - 192.168.1.7
+      - 127.0.0.1/32
+      - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+# Accepts request from defined IP
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
@@ -36,7 +41,7 @@ spec:
 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```toml tab="File (TOML)"
@@ -53,15 +58,15 @@ http:
     test-ipwhitelist:
       ipWhiteList:
         sourceRange:
-        - "127.0.0.1/32"
-        - "192.168.1.7"
+          - "127.0.0.1/32"
+          - "192.168.1.7"
 ```
 
 ## Configuration Options
 
 ### `sourceRange`
 
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 
 ### `ipStrategy`
 
@@ -71,23 +76,13 @@ The `ipStrategy` option defines two parameters that sets how Traefik will determ
 
 The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
 
-!!! note "Examples of Depth & X-Forwarded-For"
+!!! example "Examples of Depth & X-Forwarded-For"
 
-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
-    
-    ??? note "More examples"
-    
-        | `X-Forwarded-For`                       | `depth` | clientIP     |
-        |-----------------------------------------|---------|--------------|
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
-    
     ```yaml tab="Docker"
     # Whitelisting Based on `X-Forwarded-For` with `depth=2`
     labels:
-        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
     ```
     
     ```yaml tab="Kubernetes"
@@ -99,24 +94,30 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     spec:
       ipWhiteList:
         sourceRange:
-        - 127.0.0.1/32
-        - 192.168.1.7
+          - 127.0.0.1/32
+          - 192.168.1.7
         ipStrategy:
           depth: 2
     ```
     
+    ```yaml tab="Consul Catalog"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+    ```
+    
+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
+    }
+    ```
+    
     ```yaml tab="Rancher"
     # Whitelisting Based on `X-Forwarded-For` with `depth=2`
     labels:
-        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```json tab="Marathon"
-    "labels": {
-        "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-        "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
-    }
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
     ```
     
     ```toml tab="File (TOML)"
@@ -135,34 +136,29 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
         test-ipwhitelist:
           ipWhiteList:
             sourceRange:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+              - "127.0.0.1/32"
+              - "192.168.1.7"
             ipStrategy:
               depth: 2
     ```
+    
+    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
+    
+    ??? example "More examples"
+    
+        | `X-Forwarded-For`                       | `depth` | clientIP     |
+        |-----------------------------------------|---------|--------------|
+        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
-!!! note
+!!! info
 
     - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
     - `depth` is ignored if its value is lesser than or equal to 0.
 
 #### `ipStrategy.excludedIPs`
 
-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! note "Examples of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
-
-!!! important
-    If `depth` is specified, `excludedIPs` is ignored.
-
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
@@ -179,20 +175,25 @@ spec:
   ipWhiteList:
     ipStrategy:
       excludedIPs:
-      - 127.0.0.1/32
-      - 192.168.1.7
+        - 127.0.0.1/32
+        - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+# Exclude from `X-Forwarded-For`
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
 ```
 
 ```yaml tab="Rancher"
 # Exclude from `X-Forwarded-For`
 labels:
-    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```json tab="Marathon"
-"labels": {
-    "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```toml tab="File (TOML)"
@@ -211,6 +212,20 @@ http:
       ipWhiteList:
         ipStrategy:
           excludedIPs:
-          - "127.0.0.1/32"
-          - "192.168.1.7"
+            - "127.0.0.1/32"
+            - "192.168.1.7"
 ```
+
+`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Examples of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |

docs/content/middlewares/overview.md

@@ -5,19 +5,24 @@ Tweaking the Request
 
 ![Overview](../assets/img/middleware/overview.png)
 
-Attached to the routers, pieces of middleware are a mean of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
+Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
 
-There are many different available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
+There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
 
 Pieces of middleware can be combined in chains to fit every scenario.
 
+!!! warning "Provider Namespace"
+
+    Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section. 
+    It also applies to Middlewares.
+
 ## Configuration Example
 
 ```yaml tab="Docker"
 # As a Docker Label
 whoami:
   #  A container that exposes an API to show its IP address
-  image: containous/whoami
+  image: traefik/whoami
   labels:
     # Create a middleware named `foo-add-prefix`
     - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
@@ -25,7 +30,7 @@ whoami:
     - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```
 
-```yaml tab="Kubernetes"
+```yaml tab="Kubernetes IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -60,7 +65,14 @@ spec:
   routes:
     # more fields...
     middlewares:
-    - name: stripprefix
+      - name: stripprefix
+```
+
+```yaml tab="Consul Catalog"
+# Create a middleware named `foo-add-prefix`
+- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+# Apply the middleware named `foo-add-prefix` to the router named `router1`
+- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
 ```
 
 ```json tab="Marathon"
@@ -106,7 +118,7 @@ http:
     router1:
       service: myService
       middlewares:
-      - "foo-add-prefix"
+        - "foo-add-prefix"
       rule: "Host(`example.com`)"
 
   middlewares:
@@ -118,81 +130,9 @@ http:
     service1:
       loadBalancer:
         servers:
-        - url: "http://127.0.0.1:80"
+          - url: "http://127.0.0.1:80"
 ```
 
-## Provider Namespace
-
-When you declare a middleware, it lives in its provider namespace.
-For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
-
-If you use multiple providers and wish to reference a middleware declared in another provider
-(aka referencing a cross-provider middleware),
-then you'll have to append to the middleware name, the `@` separator, followed by the provider name.
-
-```text
-<resource-name>@<provider-name>
-```
-
-!!! important "Kubernetes Namespace"
-
-	As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
-with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
-In this case, since the definition of the middleware is not in kubernetes,
-specifying a "kubernetes namespace" when referring to the resource does not make any sense,
-and therefore this specification would be ignored even if present.
-
-!!! abstract "Referencing a Middleware from Another Provider"
-
-    Declaring the add-foo-prefix in the file provider.
-
-    ```toml tab="File (TOML)"
-    [http.middlewares]
-      [http.middlewares.add-foo-prefix.addPrefix]
-        prefix = "/foo"
-    ```
-    
-    ```yaml tab="File (YAML)"
-    http:
-      middlewares:
-        add-foo-prefix:
-          addPrefix:
-            prefix: "/foo"
-    ```
-
-    Using the add-foo-prefix middleware from other providers:
-
-    ```yaml tab="Docker"
-    your-container: #
-      image: your-docker-image
-
-      labels:
-        # Attach add-foo-prefix@file middleware (declared in file)
-        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
-    ```
-
-    ```yaml tab="Kubernetes"
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: ingressroutestripprefix
-
-    spec:
-      entryPoints:
-        - web
-      routes:
-        - match: Host(`bar.com`)
-          kind: Rule
-        services:
-          - name: whoami
-            port: 80
-        middlewares:
-          - name: add-foo-prefix@file
-          # namespace: bar
-          # A namespace specification such as above is ignored
-          # when the cross-provider syntax is used.
-    ```
-
 ## Available Middlewares
 
 | Middleware                                | Purpose                                           | Area                        |

docs/content/middlewares/passtlsclientcert.md

@@ -16,7 +16,7 @@ Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 ```yaml tab="Docker"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
-- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -29,6 +29,11 @@ spec:
     pem: true
 ```
 
+```yaml tab="Consul Catalog"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
+- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
@@ -38,7 +43,7 @@ spec:
 ```yaml tab="Rancher"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
-- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 
 ```toml tab="File (TOML)"
@@ -62,23 +67,24 @@ http:
     ```yaml tab="Docker"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     labels:
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
-    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
     
     ```yaml tab="Kubernetes"
@@ -111,9 +117,8 @@ http:
             domainComponent: true
     ```
     
-    ```yaml tab="Rancher"
+    ```yaml tab="Consul Catalog"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    labels:
     - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
     - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
     - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
@@ -154,6 +159,28 @@ http:
       "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
     }
     ```
+    
+    ```yaml tab="Rancher"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    labels:
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```
 
     ```toml tab="File (TOML)"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
@@ -218,8 +245,11 @@ PassTLSClientCert can add two headers to the request:
 - `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
 
-!!! note
-    The headers are filled with escaped string so it can be safely placed inside a URL query.
+!!! info
+
+    * The headers are filled with escaped string so it can be safely placed inside a URL query.
+    * These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
+    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
 
 In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.
 
@@ -235,7 +265,7 @@ In the following example, you can see a complete certificate. We will use each p
             Validity
                 Not Before: Dec  6 11:10:16 2018 GMT
                 Not After : Dec  5 11:10:16 2020 GMT
-            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
+            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
             Subject Public Key Info:
                 Public Key Algorithm: rsaEncryption
                     RSA Public-Key: (2048 bit)
@@ -272,7 +302,7 @@ In the following example, you can see a complete certificate. We will use each p
                     keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
     
                 X509v3 Subject Alternative Name: 
-                    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
+                    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
         Signature Algorithm: sha1WithRSAEncryption
              76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
              16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
@@ -374,12 +404,12 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
     -----END CERTIFICATE-----
     ```
     
-!!! note "Extracted data"
+!!! info "Extracted data"
     
     The delimiters and `\n` will be removed.  
-    If there are more than one certificate, they are separated by a "`;`".
+    If there are more than one certificate, they are separated by a "`,`".
 
-!!! note "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
+!!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
 
     The header size limit of web servers is commonly between 4kb and 8kb.  
     You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
@@ -392,12 +422,12 @@ The value of the header will be an escaped concatenation of all the selected cer
 The following example shows an unescaped result that uses all the available fields: 
 
 ```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
-!!! note "Multiple certificates"
+!!! info "Multiple certificates"
 
-    If there are more than one certificate, they are separated by a `;`.
+    If there are more than one certificate, they are separated by a `,`.
 
 #### `info.notAfter`
 
@@ -413,7 +443,7 @@ The data are taken from the following certificate part:
 The escape `notAfter` info part will be like:
 
 ```text
-NA=1607166616
+NA="1607166616"
 ```
 
 #### `info.notBefore`
@@ -430,7 +460,7 @@ Validity
 The escape `notBefore` info part will be like:
 
 ```text
-NB=1544094616
+NB="1544094616"
 ```
 
 #### `info.sans`
@@ -441,19 +471,19 @@ The data are taken from the following certificate part:
 
 ```text
  X509v3 Subject Alternative Name: 
-    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
+    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```
 
 The escape SANs info part will be like:
 
 ```text
-SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
-!!! note "multiple values"
+!!! info "multiple values"
 
     All the SANs data are separated by a `,`.
-    
+
 #### `info.subject`
 
 The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@@ -461,7 +491,7 @@ The `info.subject` select the specific client certificate subject details you wa
 The data are taken from the following certificate part :
 
 ```text
-Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
+Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
 ```
 
 ##### `info.subject.country`
@@ -519,7 +549,7 @@ The data are taken from the subject part with the `CN` key.
 The escape common name info in the subject part will be like :
 
 ```text
-CN=*.cheese.com
+CN=*.example.com
 ```
 
 ##### `info.subject.serialNumber`

docs/content/middlewares/ratelimit.md

@@ -3,7 +3,7 @@
 To Control the Number of Requests Going to a Service
 {: .subtitle }
 
-The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows you define what is fair.
+The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows one to define what fair is.
 
 ## Configuration Example
 
@@ -11,8 +11,8 @@ The RateLimit middleware ensures that services will receive a _fair_ number of r
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```
 
 ```yaml tab="Kubernetes"
@@ -24,8 +24,15 @@ metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      average: 100
-      burst: 50
+    average: 100
+    burst: 50
+```
+
+```yaml tab="Consul Catalog"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```
 
 ```json tab="Marathon"
@@ -39,8 +46,8 @@ spec:
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```
 
 ```toml tab="File (TOML)"
@@ -67,22 +74,33 @@ http:
 
 ### `average`
 
-Average is the maximum rate, in requests/s, allowed for the given source.
-It defaults to 0, which means no rate limiting.
+`average` is the maximum rate, by default in requests by second, allowed for the given source.
+
+It defaults to `0`, which means no rate limiting.
+
+The rate is actually defined by dividing `average` by `period`.
+So for a rate below 1 req/s, one needs to define a `period` larger than a second.
 
 ```yaml tab="Docker"
+# 100 reqs/s
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
 ```yaml tab="Kubernetes"
+# 100 reqs/s
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      average: 100
+    average: 100
+```
+
+```yaml tab="Consul Catalog"
+# 100 reqs/s
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
 ```json tab="Marathon"
@@ -93,16 +111,18 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
 ```toml tab="File (TOML)"
+# 100 reqs/s
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
     average = 100
 ```
 
 ```yaml tab="File (YAML)"
+# 100 reqs/s
 http:
   middlewares:
     test-ratelimit:
@@ -110,14 +130,82 @@ http:
         average: 100
 ```
 
+### `period`
+
+`period`, in combination with `average`, defines the actual maximum rate, such as:
+
+```go
+r = average / period
+```
+
+It defaults to `1` second.
+
+```yaml tab="Docker"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```yaml tab="Kubernetes"
+# 6 reqs/minute
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    period: 1m
+    average: 6
+```
+
+```yaml tab="Consul Catalog"
+# 6 reqs/minute
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
+  "traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
+}
+```
+
+```yaml tab="Rancher"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```toml tab="File (TOML)"
+# 6 reqs/minute
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 6
+    period = 1m
+```
+
+```yaml tab="File (YAML)"
+# 6 reqs/minute
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 6
+        period: 1m
+```
+
 ### `burst`
 
-Burst is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
-It defaults to 1.
+`burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
+
+It defaults to `1`.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```
 
 ```yaml tab="Kubernetes"
@@ -127,7 +215,11 @@ metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      burst: 100
+    burst: 100
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
 ```
 
 ```json tab="Marathon"
@@ -138,8 +230,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
-  		
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
 ```
 
 ```toml tab="File (TOML)"
@@ -173,7 +264,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is lesser than or equal to 0.
 
-!!! note "Example of Depth & X-Forwarded-For"
+!!! example "Example of Depth & X-Forwarded-For"
 
     If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
 
@@ -185,24 +276,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 
 ##### `ipStrategy.excludedIPs`
 
-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! important
-    If `depth` is specified, `excludedIPs` is ignored.
-
-!!! note "Example of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
-
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
@@ -219,8 +295,7 @@ spec:
         - 192.168.1.7
 ```
 
-```yaml tab="Rancher"
-labels:
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
@@ -230,6 +305,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
@@ -245,17 +325,31 @@ http:
         sourceCriterion:
           ipStrategy:
             excludedIPs:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+              - "127.0.0.1/32"
+              - "192.168.1.7"
 ```
 
+`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
 #### `sourceCriterion.requestHeaderName`
 
 Requests having the same value for the given header are grouped as coming from the same source.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
 
 ```yaml tab="Kubernetes"
@@ -269,8 +363,7 @@ spec:
       requestHeaderName: username
 ```
 
-```yaml tab="Rancher"
-labels:
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
 
@@ -280,6 +373,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
@@ -302,7 +400,7 @@ Whether to consider the request host as the source.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -316,8 +414,7 @@ spec:
       requestHost: true
 ```
 
-```yaml tab="Rancher"
-labels:
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
 
@@ -327,6 +424,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
@@ -341,4 +443,4 @@ http:
       rateLimit:
         sourceCriterion:
           requestHost: true
-```
+```

docs/content/middlewares/redirectregex.md

@@ -15,8 +15,8 @@ RegexRedirect redirect a request from an url to another with regex matching and
 # Redirect with domain replacement
 # Note: all dollar signs need to be doubled for escaping.
 labels:
-- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```
 
 ```yaml tab="Kubernetes"
@@ -31,6 +31,13 @@ spec:
     replacement: http://mydomain/${1}
 ```
 
+```yaml tab="Consul Catalog"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
@@ -42,8 +49,8 @@ spec:
 # Redirect with domain replacement
 # Note: all dollar signs need to be doubled for escaping.
 labels:
-- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```
 
 ```toml tab="File (TOML)"
@@ -85,4 +92,3 @@ The `regex` option is the regular expression to match and capture elements from
 ### `replacement`
 
 The `replacement` option defines how to modify the URL to have the new target URL.
- 

docs/content/middlewares/redirectscheme.md

@@ -7,14 +7,140 @@ Redirecting the Client to a Different Scheme/Port
 TODO: add schema
 -->
 
-RegexRedirect redirect request from a scheme to another.
+RedirectScheme redirect request from a scheme to another.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
 # Redirect to https
 labels:
-- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+```
+
+## Configuration Options
+
+### `permanent`
+
+Set the `permanent` option to `true` to apply a permanent redirection.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        permanent: true
+```
+
+### `scheme`
+
+The `scheme` option defines the scheme of the new url.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
 ```yaml tab="Kubernetes"
@@ -28,6 +154,12 @@ spec:
     scheme: https
 ```
 
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
@@ -37,7 +169,7 @@ spec:
 ```yaml tab="Rancher"
 # Redirect to https
 labels:
-- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
 ```toml tab="File (TOML)"
@@ -56,16 +188,66 @@ http:
         scheme: https
 ```
 
-## Configuration Options
-
-### `permanent`
-
-Set the `permanent` option to `true` to apply a permanent redirection.
-
-### `scheme`
-
-The `scheme` option defines the scheme of the new url.
-
 ### `port`
 
 The `port` option defines the port of the new url.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    port: "443"
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    port = 443
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        port: "443"
+```
+
+!!! info "Port in this configuration is a string, not a numeric value."

docs/content/middlewares/replacepath.md

@@ -14,7 +14,7 @@ Replace the path of the request url.
 ```yaml tab="Docker"
 # Replace the path by /foo
 labels:
-- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
 ```yaml tab="Kubernetes"
@@ -28,6 +28,11 @@ spec:
     path: /foo
 ```
 
+```yaml tab="Consul Catalog"
+# Replace the path by /foo
+- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"
@@ -37,7 +42,7 @@ spec:
 ```yaml tab="Rancher"
 # Replace the path by /foo
 labels:
-- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
 ```toml tab="File (TOML)"

docs/content/middlewares/replacepathregex.md

@@ -14,8 +14,8 @@ The ReplaceRegex replace a path from an url to another with regex matching and r
 ```yaml tab="Docker"
 # Replace path with regex
 labels:
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$$1"
 ```
 
 ```yaml tab="Kubernetes"
@@ -30,6 +30,12 @@ spec:
     replacement: /bar/$1
 ```
 
+```yaml tab="Consul Catalog"
+# Replace path with regex
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",
@@ -40,8 +46,8 @@ spec:
 ```yaml tab="Rancher"
 # Replace path with regex
 labels:
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```
 
 ```toml tab="File (TOML)"

docs/content/middlewares/retry.md

@@ -15,7 +15,7 @@ To be clear, as soon as the server answers, the middleware stops retrying, regar
 ```yaml tab="Docker"
 # Retry to send request 4 times
 labels:
-- "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
 ```
 
 ```yaml tab="Kubernetes"
@@ -29,6 +29,11 @@ spec:
     attempts: 4
 ```
 
+```yaml tab="Consul Catalog"
+# Retry to send request 4 times
+- "traefik.http.middlewares.test-retry.retry.attempts=4"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-retry.retry.attempts": "4"
@@ -38,7 +43,7 @@ spec:
 ```yaml tab="Rancher"
 # Retry to send request 4 times
 labels:
-- "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
 ```
 
 ```toml tab="File (TOML)"
@@ -63,4 +68,4 @@ http:
 
 _mandatory_
 
-The `attempts` option defines how many times the request should be retried.
+The `attempts` option defines how many times the request should be retried.

docs/content/middlewares/stripprefix.md

@@ -14,7 +14,7 @@ Remove the specified prefixes from the URL path.
 ```yaml tab="Docker"
 # Strip prefix /foobar and /fiibar
 labels:
-- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```
 
 ```yaml tab="Kubernetes"
@@ -26,8 +26,13 @@ metadata:
 spec:
   stripPrefix:
     prefixes:
-    - /foobar
-    - /fiibar
+      - /foobar
+      - /fiibar
+```
+
+```yaml tab="Consul Catalog"
+# Strip prefix /foobar and /fiibar
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```
 
 ```json tab="Marathon"
@@ -39,7 +44,7 @@ spec:
 ```yaml tab="Rancher"
 # Strip prefix /foobar and /fiibar
 labels:
-- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```
 
 ```toml tab="File (TOML)"
@@ -56,8 +61,8 @@ http:
     test-stripprefix:
       stripPrefix:
         prefixes:
-        - "/foobar"
-        - "/fiibar"
+          - "/foobar"
+          - "/fiibar"
 ```
 
 ## Configuration Options
@@ -85,3 +90,85 @@ If your backend is serving assets (e.g., images or Javascript files), chances ar
 Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
 
 The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
+
+### `forceSlash`
+
+_Optional, Default=true_
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: example
+spec:
+  stripPrefix:
+    prefixes:
+      - "/foobar"
+    forceSlash: false
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
+  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.example.stripPrefix]
+    prefixes = ["/foobar"]
+    forceSlash = false
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    example:
+      stripPrefix:
+        prefixes:
+          - "/foobar"
+        forceSlash: false
+```
+
+The `forceSlash` option makes sure that the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
+
+This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
+
+It's recommended to explicitly set `forceSlash` to `false`.
+
+??? info "Behavior examples"
+    
+    - `forceSlash=true`
+    
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | `/`    |
+    | `/foo`     | `/foo`          | `/`    |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | `/`    |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+    
+    - `forceSlash=false`
+    
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | empty  |
+    | `/foo`     | `/foo`          | empty  |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | empty  |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |

docs/content/middlewares/stripprefixregex.md

@@ -9,7 +9,7 @@ Remove the matching prefixes from the URL path.
 
 ```yaml tab="Docker"
 labels:
-- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
 
 ```yaml tab="Kubernetes"
@@ -20,7 +20,11 @@ metadata:
 spec:
   stripPrefixRegex:
     regex:
-    - "/foo/[a-z0-9]+/[0-9]+/"
+      - "/foo/[a-z0-9]+/[0-9]+/"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
 
 ```json tab="Marathon"
@@ -31,7 +35,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
 
 ```toml tab="File (TOML)"
@@ -46,7 +50,7 @@ http:
     test-stripprefixregex:
       stripPrefixRegex:
         regex:
-        - "/foo/[a-z0-9]+/[0-9]+/"
+          - "/foo/[a-z0-9]+/[0-9]+/"
 ```
 
 ## Configuration Options

docs/content/migration/v2.md

@@ -0,0 +1,338 @@
+# Migration: Steps needed between the versions
+
+## v2.0 to v2.1
+
+### Kubernetes CRD
+
+In v2.1, a new Kubernetes CRD called `TraefikService` was added.
+While updating an installation to v2.1,
+one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
+
+To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TraefikService"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+```
+
+After having both resources applied, Traefik will work properly.
+
+## v2.1 to v2.2
+
+### Headers middleware: accessControlAllowOrigin
+
+`accessControlAllowOrigin` is deprecated.
+This field will be removed in future 2.x releases.
+Please configure your allowed origins in `accessControlAllowOriginList` instead.
+
+### Kubernetes CRD
+
+In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
+While updating an installation to v2.2,
+one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
+
+To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TLSStore"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
+```
+
+```yaml tab="IngressRouteUDP"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+    verbs:
+      - get
+      - list
+      - watch
+
+```
+
+After having both resources applied, Traefik will work properly.
+
+### Kubernetes Ingress
+
+To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.
+
+#### Expose an Ingress on 80 and 443
+
+Define the default TLS configuration on the HTTPS entry point. 
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: "/foo"
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+    http:
+      tls: {}
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+  [entryPoints.websecure.http]
+    [entryPoints.websecure.http.tls]
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.tls=true
+--providers.kubernetesIngress=true
+```
+
+#### Use TLS only on one Ingress
+
+Define the TLS restriction with annotations.
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example-tls
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: ""
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--providers.kubernetesIngress=true
+```
+
+## v2.2.2 to v2.2.5
+
+### InsecureSNI removal
+
+In `v2.2.2` we introduced a new flag (`insecureSNI`) which was available as a global option to disable domain fronting.
+Since `v2.2.5` this global option has been removed, and you should not use it anymore.
+
+### HostSNI rule matcher removal
+
+In `v2.2.2` we introduced a new rule matcher (`HostSNI`) for HTTP routers which was allowing to match the Server Name Indication at the router level.
+Since `v2.2.5` this rule has been removed for HTTP routers, and you should not use it anymore.
+
+## v2.2 to v2.3
+
+### X.509 CommonName Deprecation
+
+The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present, is now disabled by default.
+
+It means that if one is using https with your backend servers, and a certificate with only a CommonName,
+Traefik will not try to match the server name indication with the CommonName anymore.
+
+It can be temporarily re-enabled by adding the value `x509ignoreCN=0` to the `GODEBUG` environment variable.
+
+More information: https://golang.org/doc/go1.15#commonname
+
+### File Provider
+
+The file parser has been changed, since v2.3 the unknown options/fields in a dynamic configuration file are treated as errors.
+
+### IngressClass
+
+In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
+In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated. 

docs/content/observability/access-logs.md

@@ -32,10 +32,10 @@ By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
 If the given format is unsupported, the default (CLF) is used instead.
 
-!!! note "Common Log Format"
+!!! info "Common Log Format"
     
     ```html
-    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
 
 ### `bufferingSize`
@@ -61,7 +61,7 @@ accessLog:
 ```bash tab="CLI"
 # Configuring a buffer of 100 lines
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
+--accesslog.filepath=/path/to/access.log
 --accesslog.bufferingsize=100
 ```
 
@@ -95,8 +95,8 @@ accessLog:
   format: json
   filters:    
     statusCodes:
-    - "200"
-    - "300-302"
+      - "200"
+      - "300-302"
     retryAttempts: true
     minDuration: "10ms"
 ```
@@ -104,16 +104,16 @@ accessLog:
 ```bash tab="CLI"
 # Configuring Multiple Filters
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
---accesslog.format="json"
---accesslog.filters.statuscodes="200, 300-302"
+--accesslog.filepath=/path/to/access.log
+--accesslog.format=json
+--accesslog.filters.statuscodes=200,300-302
 --accesslog.filters.retryattempts
---accesslog.filters.minduration="10ms"
+--accesslog.filters.minduration=10ms
 ```
 
-### Limiting the Fields
+### Limiting the Fields/Including Headers
 
-You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options
+You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.headers` options.
 
 Each field can be set to:
 
@@ -121,7 +121,7 @@ Each field can be set to:
 - `drop` to drop the value
 - `redact` to replace the value with "redacted"
 
-The `defaultMode` for `fields.header` is `drop`.
+The `defaultMode` for `fields.headers` is `drop`.
 
 ```toml tab="File (TOML)"
 # Limiting the Logs to Specific Fields
@@ -164,27 +164,27 @@ accessLog:
 ```bash tab="CLI"
 # Limiting the Logs to Specific Fields
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
---accesslog.format="json"
---accesslog.fields.defaultmode="keep"
---accesslog.fields.names.ClientUsername="drop"
---accesslog.fields.headers.defaultmode="keep"
---accesslog.fields.headers.names.User-Agent="redact"
---accesslog.fields.headers.names.Authorization="drop"
---accesslog.fields.headers.names.Content-Type="keep"
+--accesslog.filepath=/path/to/access.log
+--accesslog.format=json
+--accesslog.fields.defaultmode=keep
+--accesslog.fields.names.ClientUsername=drop
+--accesslog.fields.headers.defaultmode=keep
+--accesslog.fields.headers.names.User-Agent=redact
+--accesslog.fields.headers.names.Authorization=drop
+--accesslog.fields.headers.names.Content-Type=keep
 ```
 
-??? list "Available Fields"
+??? info "Available Fields"
 
     | Field                   | Description                                                                                                                                                         |
     |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
     | `StartUTC`              | The time at which request processing started.                                                                                                                       |
     | `StartLocal`            | The local time at which request processing started.                                                                                                                 |
-    | `Duration`              | The total time taken by processing the response, including the origin server's time but not the log writing time.                                                   |
-    | `FrontendName`          | The name of the Traefik frontend.                                                                                                                                   |
-    | `BackendName`           | The name of the Traefik backend.                                                                                                                                    |
-    | `BackendURL`            | The URL of the Traefik backend.                                                                                                                                     |
-    | `BackendAddr`           | The IP:port of the Traefik backend (extracted from `BackendURL`)                                                                                                    |
+    | `Duration`              | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time.                                  |
+    | `RouterName`            | The name of the Traefik  router.                                                                                                                                    |
+    | `ServiceName`           | The name of the Traefik backend.                                                                                                                                    |
+    | `ServiceURL`            | The URL of the Traefik backend.                                                                                                                                     |
+    | `ServiceAddr`           | The IP:port of the Traefik backend (extracted from `ServiceURL`)                                                                                                    |
     | `ClientAddr`            | The remote address in its original form (usually IP:port).                                                                                                          |
     | `ClientHost`            | The remote IP address from which the client request was received.                                                                                                   |
     | `ClientPort`            | The remote TCP port from which the client request was received.                                                                                                     |
@@ -195,6 +195,7 @@ accessLog:
     | `RequestMethod`         | The HTTP method.                                                                                                                                                    |
     | `RequestPath`           | The HTTP request URI, not including the scheme, host or port.                                                                                                       |
     | `RequestProtocol`       | The version of HTTP requested.                                                                                                                                      |
+    | `RequestScheme`         | The HTTP scheme requested `http` or `https`.                                                                                                                        |
     | `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
     | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
     | `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |
@@ -214,5 +215,34 @@ accessLog:
 Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
 This allows the logs to be rotated and processed by an external program, such as `logrotate`.
 
-!!! note
+!!! warning
     This does not work on Windows due to the lack of USR signals.
+
+## Time Zones
+
+Traefik will timestamp each log line in UTC time by default.
+
+It is possible to configure the Traefik to timestamp in a specific timezone by ensuring the following configuration has been made in your environment:
+
+1. Provide time zone data to `/etc/localtime` or `/usr/share/zoneinfo` (based on your distribution) or set the environment variable TZ to the desired timezone
+2. Specify the field `StartLocal` by dropping the field named `StartUTC` (available on the default Common Log Format (CLF) as well as JSON)
+
+Example utilizing Docker Compose:
+
+```yaml
+version: "3.7"
+
+services:
+  traefik:
+    image: traefik:v2.2
+    environment:
+      - TZ=US/Alaska
+    command:
+      - --accesslog
+      - --accesslog.fields.names.StartUTC=drop
+      - --providers.docker
+    ports:
+      - 80:80
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+```

docs/content/observability/logs.md

@@ -30,7 +30,7 @@ log:
 
 ```bash tab="CLI"
 # Writing Logs to a File
---log.filePath="/path/to/traefik.log"
+--log.filePath=/path/to/traefik.log
 ```
 
 #### `format`
@@ -53,8 +53,8 @@ log:
 
 ```bash tab="CLI"
 # Writing Logs to a File, in JSON
---log.filePath="/path/to/traefik.log"
---log.format="json"
+--log.filePath=/path/to/traefik.log
+--log.format=json
 ```
 
 #### `level`
@@ -72,7 +72,7 @@ log:
 ```
 
 ```bash tab="CLI"
---log.level="DEBUG"
+--log.level=DEBUG
 ```
 
 ## Log Rotation
@@ -80,5 +80,5 @@ log:
 Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
 This allows the logs to be rotated and processed by an external program, such as `logrotate`.
 
-!!! note
+!!! warning
     This does not work on Windows due to the lack of USR signals.

docs/content/observability/metrics/datadog.md

@@ -35,7 +35,7 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.datadog.address="127.0.0.1:8125"
+--metrics.datadog.address=127.0.0.1:8125
 ```
 
 #### `addEntryPointsLabels`

docs/content/observability/metrics/influxdb.md

@@ -4,12 +4,12 @@ To enable the InfluxDB:
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb: {}
+  influxDB: {}
 ```
 
 ```bash tab="CLI"
@@ -24,18 +24,18 @@ Address instructs exporter to send metrics to influxdb at this address.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     address = "localhost:8089"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     address: localhost:8089
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.address="localhost:8089"
+--metrics.influxdb.address=localhost:8089
 ```
 
 #### `protocol`
@@ -46,18 +46,18 @@ InfluxDB's address protocol (udp or http).
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     protocol = "udp"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     protocol: udp
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.protocol="udp"
+--metrics.influxdb.protocol=udp
 ```
 
 #### `database`
@@ -68,18 +68,18 @@ InfluxDB database used when protocol is http.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
-    database = ""
+  [metrics.influxDB]
+    database = "db"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
-    database: ""
+  influxDB:
+    database: "db"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.database=""
+--metrics.influxdb.database=db
 ```
 
 #### `retentionPolicy`
@@ -90,18 +90,18 @@ InfluxDB retention policy used when protocol is http.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
-    retentionPolicy = ""
+  [metrics.influxDB]
+    retentionPolicy = "two_hours"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
-    retentionPolicy: ""
+  influxDB:
+    retentionPolicy: "two_hours"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.retentionPolicy=""
+--metrics.influxdb.retentionPolicy=two_hours
 ```
 
 #### `username`
@@ -112,18 +112,18 @@ InfluxDB username (only with http).
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
-    username = ""
+  [metrics.influxDB]
+    username = "john"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
-    username: ""
+  influxDB:
+    username: "john"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.username=""
+--metrics.influxdb.username=john
 ```
 
 #### `password`
@@ -134,18 +134,18 @@ InfluxDB password (only with http).
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
-    password = ""
+  [metrics.influxDB]
+    password = "secret"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
-    password: ""
+  influxDB:
+    password: "secret"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.password=""
+--metrics.influxdb.password=secret
 ```
 
 #### `addEntryPointsLabels`
@@ -156,13 +156,13 @@ Enable metrics on entry points.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     addEntryPointsLabels = true
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     addEntryPointsLabels: true
 ```
 
@@ -178,13 +178,13 @@ Enable metrics on services.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     addServicesLabels = true
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     addServicesLabels: true
 ```
 
@@ -200,13 +200,13 @@ The interval used by the exporter to push metrics to influxdb.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     pushInterval = 10s
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     pushInterval: 10s
 ```
 

docs/content/observability/metrics/prometheus.md

@@ -32,10 +32,10 @@ Buckets for latency metrics.
 metrics:
   prometheus:
     buckets:
-    - 0.1
-    - 0.3
-    - 1.2
-    - 5.0
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
 ```
 
 ```bash tab="CLI"
@@ -113,6 +113,28 @@ metrics:
 ```
 
 ```bash tab="CLI"
---entryPoints.metrics.address=":8082"
---metrics.prometheus..entryPoint="metrics"
+--entryPoints.metrics.address=:8082
+--metrics.prometheus.entryPoint=metrics
+```
+
+#### `manualRouting`
+
+_Optional, Default=false_
+
+If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `prometheus@internal` service.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    manualRouting = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    manualRouting: true
+```
+
+```bash tab="CLI"
+--metrics.prometheus.manualrouting=true
 ```

docs/content/observability/metrics/statsd.md

@@ -4,12 +4,12 @@ To enable the Statsd:
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd: {}
+  statsD: {}
 ```
 
 ```bash tab="CLI"
@@ -24,18 +24,18 @@ Address instructs exporter to send metrics to statsd at this address.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
     address = "localhost:8125"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd:
+  statsD:
     address: localhost:8125
 ```
 
 ```bash tab="CLI"
---metrics.statsd.address="localhost:8125"
+--metrics.statsd.address=localhost:8125
 ```
 
 #### `addEntryPointsLabels`
@@ -46,13 +46,13 @@ Enable metrics on entry points.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
     addEntryPointsLabels = true
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd:
+  statsD:
     addEntryPointsLabels: true
 ```
 
@@ -68,13 +68,13 @@ Enable metrics on services.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
     addServicesLabels = true
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd:
+  statsD:
     addServicesLabels: true
 ```
 
@@ -90,16 +90,38 @@ The interval used by the exporter to push metrics to statsD.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
     pushInterval = 10s
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd:
+  statsD:
     pushInterval: 10s
 ```
 
 ```bash tab="CLI"
 --metrics.statsd.pushInterval=10s
 ```
+
+#### `prefix`
+
+_Optional, Default="traefik"_
+
+The prefix to use for metrics collection.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    prefix = "traefik"
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  statsD:
+    prefix: traefik
+```
+
+```bash tab="CLI"
+--metrics.statsd.prefix="traefik"
+```

docs/content/observability/tracing/datadog.md

@@ -35,7 +35,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.datadog.localAgentHostPort="127.0.0.1:8126"
+--tracing.datadog.localAgentHostPort=127.0.0.1:8126
 ```
 
 #### `debug`
@@ -79,7 +79,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.datadog.globalTag="sample"
+--tracing.datadog.globalTag=sample
 ```
 
 #### `prioritySampling`

docs/content/observability/tracing/elastic.md

@@ -0,0 +1,88 @@
+# Elastic
+
+To enable the Elastic:
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic: {}
+```
+
+```bash tab="CLI"
+--tracing.elastic=true
+```
+
+#### `serverURL`
+
+_Optional, Default="http://localhost:8200"_
+
+APM ServerURL is the URL of the Elastic APM server.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    serverURL = "http://apm:8200"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    serverURL: "http://apm:8200"
+```
+
+```bash tab="CLI"
+--tracing.elastic.serverurl="http://apm:8200"
+```
+
+#### `secretToken`
+
+_Optional, Default=""_
+
+APM Secret Token is the token used to connect to Elastic APM Server.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    secretToken = "mytoken"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    secretToken: "mytoken"
+```
+
+```bash tab="CLI"
+--tracing.elastic.secrettoken="mytoken"
+```
+
+#### `serviceEnvironment`
+
+_Optional, Default=""_
+
+APM Service Environment is the name of the environment Traefik is deployed in, e.g. `production` or `staging`.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    serviceEnvironment = "production"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    serviceEnvironment: "production"
+```
+
+```bash tab="CLI"
+--tracing.elastic.serviceenvironment="production"
+```
+
+### Further
+
+Additional configuration of Elastic APM Go agent can be done using environment variables.
+See [APM Go agent reference](https://www.elastic.co/guide/en/apm/agent/go/current/configuration.html).

docs/content/observability/tracing/haystack.md

@@ -35,29 +35,29 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.haystack.localAgentHost="127.0.0.1"
+--tracing.haystack.localAgentHost=127.0.0.1
 ```
 
 #### `localAgentPort`
 
-_Require, Default=42699_
+_Require, Default=35000_
 
 Local Agent port instructs reporter to send spans to the haystack-agent at this port.
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    localAgentPort = 42699
+    localAgentPort = 35000
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    localAgentPort: 42699
+    localAgentPort: 35000
 ```
 
 ```bash tab="CLI"
---tracing.haystack.localAgentPort=42699
+--tracing.haystack.localAgentPort=35000
 ```
 
 #### `globalTag`
@@ -79,7 +79,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.haystack.globalTag="sample:test"
+--tracing.haystack.globalTag=sample:test
 ```
 
 #### `traceIDHeaderName`
@@ -91,61 +91,61 @@ Specifies the header name that will be used to store the trace ID.
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    traceIDHeaderName = "sample"
+    traceIDHeaderName = "Trace-ID"
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    traceIDHeaderName: sample
+    traceIDHeaderName: Trace-ID
 ```
 
 ```bash tab="CLI"
---tracing.haystack.traceIDHeaderName="sample"
+--tracing.haystack.traceIDHeaderName=Trace-ID
 ```
 
 #### `parentIDHeaderName`
 
 _Optional, Default=empty_
 
+Specifies the header name that will be used to store the parent ID.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    parentIDHeaderName = "Parent-Message-ID"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    parentIDHeaderName: Parent-Message-ID
+```
+
+```bash tab="CLI"
+--tracing.haystack.parentIDHeaderName=Parent-Message-ID
+```
+
+#### `spanIDHeaderName`
+
+_Optional, Default=empty_
+
 Specifies the header name that will be used to store the span ID.
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    parentIDHeaderName = "sample"
+    spanIDHeaderName = "Message-ID"
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    parentIDHeaderName: "sample"
+    spanIDHeaderName: Message-ID
 ```
 
 ```bash tab="CLI"
---tracing.haystack.parentIDHeaderName="sample"
-```
-
-#### `spanIDHeaderName`
-
-_Optional, Default=empty_
-
-Apply shared tag in a form of Key:Value to all the traces.
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    spanIDHeaderName = "sample:test"
-```
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    spanIDHeaderName: "sample:test"
-```
-
-```bash tab="CLI"
---tracing.haystack.spanIDHeaderName=sample:test
+--tracing.haystack.spanIDHeaderName=Message-ID
 ```
 
 #### `baggagePrefixHeaderName`
@@ -168,5 +168,5 @@ tracing:
 
 
 ```bash tab="CLI"
---tracing.haystack.baggagePrefixHeaderName="sample"
+--tracing.haystack.baggagePrefixHeaderName=sample
 ```