Prepare release v2.1.2

Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>

.github/ISSUE_TEMPLATE.md

@@ -1,3 +1,7 @@
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
+
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 
@@ -8,21 +12,12 @@ For end-user related support questions, please refer to one of the following:
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-If you intend to ask a support question: DO NOT FILE AN ISSUE.
--->
-
-### Did you try using a 1.7.x configuration for the version 2.0?
-
-- [ ] Yes
-- [ ] No
+Bug
 
 <!--
 
-If you just checked the "Yes" box, be aware that this is probably not a bug. The configurations between 1.X and 2.X are NOT compatible. Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+The configurations between 1.X and 2.X are NOT compatible.
+Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
 
 -->
 
@@ -30,7 +25,7 @@ If you just checked the "Yes" box, be aware that this is probably not a bug. The
 
 <!--
 
-HOW TO WRITE A GOOD ISSUE?
+HOW TO WRITE A GOOD BUG REPORT?
 
 - Respect the issue template as much as possible.
 - The title should be short and descriptive.
@@ -52,13 +47,12 @@ HOW TO WRITE A GOOD ISSUE?
 ### Output of `traefik version`: (_What version of Traefik are you using?_)
 
 <!--
+`latest` is not considered as a valid version.
+
 For the Traefik Docker image:
     docker run [IMAGE] version
     ex: docker run traefik version
 
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
 -->
 
 ```
@@ -70,12 +64,13 @@ For the alpine Traefik Docker image:
 ```toml
 # (paste your configuration here)
 ```
+
 <!--
 Add more configuration information here.
 -->
 
 
-### If applicable, please paste the log output at DEBUG level (`--log.level=DEBUG` switch)
+### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
 
 ```
 (paste your output here)

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -3,6 +3,9 @@ name: Bug report
 about: Create a report to help us improve
 
 ---
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
 
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
@@ -14,19 +17,12 @@ For end-user related support questions, please refer to one of the following:
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
 Bug
 
-### Did you try using a 1.7.x configuration for the version 2.0?
-
-- [ ] Yes
-- [ ] No
-
 <!--
 
-If you just checked the "Yes" box, be aware that this is probably not a bug. The configurations between 1.X and 2.X are NOT compatible. Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+The configurations between 1.X and 2.X are NOT compatible.
+Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
 
 -->
 
@@ -56,13 +52,12 @@ HOW TO WRITE A GOOD BUG REPORT?
 ### Output of `traefik version`: (_What version of Traefik are you using?_)
 
 <!--
+`latest` is not considered as a valid version.
+
 For the Traefik Docker image:
     docker run [IMAGE] version
     ex: docker run traefik version
 
-For the alpine Traefik Docker image:
-    docker run [IMAGE] traefik version
-    ex: docker run traefik traefik version
 -->
 
 ```

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -3,6 +3,9 @@ name: Feature request
 about: Suggest an idea for this project
 
 ---
+<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
+
+### Do you want to request a *feature* or report a *bug*?
 
 <!--
 DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
@@ -14,9 +17,6 @@ For end-user related support questions, please refer to one of the following:
 
 -->
 
-
-### Do you want to request a *feature* or report a *bug*?
-
 Feature
 
 ### What did you expect to see?

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,18 +1,19 @@
 <!--
 PLEASE READ THIS MESSAGE.
 
-HOW TO WRITE A GOOD PULL REQUEST?
+Documentation fixes or enhancements:
+- for Traefik v1: use branch v1.7
+- for Traefik v2: use branch v2.1
 
-- Make it small.
-- Do only one thing.
-- Avoid re-formatting.
-- Make sure the code builds.
-- Make sure all tests pass.
-- Add tests.
-- Write useful descriptions and titles.
-- Address review comments in terms of additional commits.
-- Do not amend/squash existing ones unless the PR is trivial.
-- Read the contributing guide: https://github.com/containous/traefik/blob/master/CONTRIBUTING.md.
+Bug fixes:
+- for Traefik v1: use branch v1.7
+- for Traefik v2: use branch v2.1
+
+Enhancements:
+- for Traefik v1: we only accept bug fixes
+- for Traefik v2: use branch master
+
+HOW TO WRITE A GOOD PULL REQUEST? https://docs.traefik.io/contributing/submitting-pull-requests/
 
 -->
 

.golangci.toml

@@ -1,6 +1,9 @@
 [run]
-  deadline = "10m"
+  timeout = "10m"
   skip-files = []
+  skip-dirs = [
+    "pkg/provider/kubernetes/crd/generated/",
+  ]
 
 [linters-settings]
 
@@ -40,9 +43,11 @@
     "scopelint",
     "gochecknoinits",
     "gochecknoglobals",
-#    "godox", # manage TODO FIXME ## wait for https://github.com/golangci/golangci-lint/issues/337
+    "godox",
+    "gocognit",
     "bodyclose", # Too many false-positive and panics.
-#    "stylecheck", # skip because report issues related to some generated files. ## wait for https://github.com/golangci/golangci-lint/issues/337
+    "wsl", # Too strict
+    "stylecheck", # skip because report issues related to some generated files.
   ]
 
 [issues]

.semaphoreci/vars

@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=montdor
+export CODENAME=cantal
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -11,7 +11,7 @@ env:
   global:
     - REPO=$TRAVIS_REPO_SLUG
     - VERSION=$TRAVIS_TAG
-    - CODENAME=montdor
+    - CODENAME=cantal
     - GO111MODULE=on
 
 script:

CHANGELOG.md

@@ -1,3 +1,275 @@
+## [v2.1.2](https://github.com/containous/traefik/tree/v2.1.2) (2020-01-07)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.1...v2.1.2)
+
+**Bug fixes:**
+- **[authentication,middleware,tracing]** fix(tracing): makes sure tracing headers are being propagated when using forwardAuth ([#6072](https://github.com/containous/traefik/pull/6072) by [jcchavezs](https://github.com/jcchavezs))
+- **[cli]** fix: invalid label/flag parsing. ([#6028](https://github.com/containous/traefik/pull/6028) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Query consul catalog for service health separately ([#6046](https://github.com/containous/traefik/pull/6046) by [SantoDE](https://github.com/SantoDE))
+- **[k8s,k8s/crd]** Restore ExternalName https support for Kubernetes CRD ([#6037](https://github.com/containous/traefik/pull/6037) by [kpeiruza](https://github.com/kpeiruza))
+- **[k8s,k8s/crd]** Log the ignored namespace only when needed ([#6087](https://github.com/containous/traefik/pull/6087) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** k8s Ingress: fix crash on rules with nil http ([#6121](https://github.com/containous/traefik/pull/6121) by [grimmy](https://github.com/grimmy))
+- **[logs]** Improves error message when a configuration file is empty. ([#6135](https://github.com/containous/traefik/pull/6135) by [ldez](https://github.com/ldez))
+- **[server]** Handle respondingTimeout and better shutdown tests. ([#6115](https://github.com/containous/traefik/pull/6115) by [juliens](https://github.com/juliens))
+- **[server]** Don't set user-agent to Go-http-client/1.1 ([#6030](https://github.com/containous/traefik/pull/6030) by [sh7dm](https://github.com/sh7dm))
+- **[tracing]** fix: Malformed x-b3-traceid Header ([#6079](https://github.com/containous/traefik/pull/6079) by [ldez](https://github.com/ldez))
+- **[webui]** fix: dashboard redirect loop ([#6078](https://github.com/containous/traefik/pull/6078) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Use consistent name in ACME documentation ([#6019](https://github.com/containous/traefik/pull/6019) by [ldez](https://github.com/ldez))
+- **[api,k8s/crd]** Add a documentation example for dashboard and api for kubernetes CRD ([#6022](https://github.com/containous/traefik/pull/6022) by [dduportal](https://github.com/dduportal))
+- **[cli]** Fix examples for the use of websecure via CLI ([#6116](https://github.com/containous/traefik/pull/6116) by [tiagoboeing](https://github.com/tiagoboeing))
+- **[k8s,k8s/crd]** Improve documentation about Kubernetes IngressRoute ([#6058](https://github.com/containous/traefik/pull/6058) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[middleware]** Improve sourceRange explanation for ipWhiteList ([#6070](https://github.com/containous/traefik/pull/6070) by [der-domi](https://github.com/der-domi))
+
+## [v2.1.1](https://github.com/containous/traefik/tree/v2.1.1) (2019-12-12)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.0...v2.1.1)
+
+**Bug fixes:**
+- **[logs,middleware,metrics]** CloseNotifier: return pointer instead of value ([#6010](https://github.com/containous/traefik/pull/6010) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- Add Migration Guide for Traefik v2.1 ([#6017](https://github.com/containous/traefik/pull/6017) by [SantoDE](https://github.com/SantoDE))
+
+## [v2.1.0](https://github.com/containous/traefik/tree/v2.1.0) (2019-12-10)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.1.0)
+
+**Enhancements:**
+- **[consulcatalog]** Add consul catalog options: requireConsistent, stale, cache ([#5752](https://github.com/containous/traefik/pull/5752) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Add Consul Catalog provider ([#5395](https://github.com/containous/traefik/pull/5395) by [negasus](https://github.com/negasus))
+- **[k8s,k8s/crd,service]** Support for all services kinds (and sticky) in CRD ([#5711](https://github.com/containous/traefik/pull/5711) by [mpl](https://github.com/mpl))
+- **[metrics]** Added configurable prefix for statsd metrics collection ([#5336](https://github.com/containous/traefik/pull/5336) by [schulterklopfer](https://github.com/schulterklopfer))
+- **[middleware]** Conditional compression based on request Content-Type ([#5721](https://github.com/containous/traefik/pull/5721) by [ldez](https://github.com/ldez))
+- **[server]** Add internal provider ([#5815](https://github.com/containous/traefik/pull/5815) by [ldez](https://github.com/ldez))
+- **[tls]** Add support for MaxVersion in tls.Options ([#5650](https://github.com/containous/traefik/pull/5650) by [kmeekva](https://github.com/kmeekva))
+- **[tls]** Add tls option for Elliptic Curve Preferences ([#5466](https://github.com/containous/traefik/pull/5466) by [ksarink](https://github.com/ksarink))
+- **[tracing]** Update jaeger dependencies ([#5637](https://github.com/containous/traefik/pull/5637) by [mmatur](https://github.com/mmatur))
+
+**Bug fixes:**
+- **[api]** fix: debug endpoint when insecure API. ([#5937](https://github.com/containous/traefik/pull/5937) by [ldez](https://github.com/ldez))
+- **[cli]** fix: sub command help ([#5887](https://github.com/containous/traefik/pull/5887) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** fix: consul catalog constraints. ([#5913](https://github.com/containous/traefik/pull/5913) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Service registered with same id on Consul Catalog ([#5900](https://github.com/containous/traefik/pull/5900) by [mmatur](https://github.com/mmatur))
+- **[consulcatalog]** Fix empty address for registering service without IP ([#5826](https://github.com/containous/traefik/pull/5826) by [mmatur](https://github.com/mmatur))
+- **[logs,middleware,metrics]** detect CloseNotify capability in accesslog and metrics ([#5985](https://github.com/containous/traefik/pull/5985) by [mpl](https://github.com/mpl))
+- **[server]** fix: remove double call to server Close. ([#5960](https://github.com/containous/traefik/pull/5960) by [ldez](https://github.com/ldez))
+- **[webui]** Fix weighted service provider icon ([#5983](https://github.com/containous/traefik/pull/5983) by [sh7dm](https://github.com/sh7dm))
+- **[webui]** Fix http/tcp resources pagination ([#5986](https://github.com/containous/traefik/pull/5986) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Use valid condition in the service details panel UI ([#5984](https://github.com/containous/traefik/pull/5984) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[webui]** Web UI: Avoid polling on /api/entrypoints ([#5863](https://github.com/containous/traefik/pull/5863) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Sync toolbar table state with url query params ([#5861](https://github.com/containous/traefik/pull/5861) by [matthieuh](https://github.com/matthieuh))
+
+**Documentation:**
+- **[consulcatalog]** fix: Consul Catalog documentation. ([#5725](https://github.com/containous/traefik/pull/5725) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Fix consul catalog documentation ([#5661](https://github.com/containous/traefik/pull/5661) by [mmatur](https://github.com/mmatur))
+- Prepare release v2.1.0-rc2 ([#5846](https://github.com/containous/traefik/pull/5846) by [ldez](https://github.com/ldez))
+- Prepare release v2.1.0-rc1 ([#5844](https://github.com/containous/traefik/pull/5844) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Several documentation fixes ([#5987](https://github.com/containous/traefik/pull/5987) by [ldez](https://github.com/ldez))
+- Prepare release v2.1.0-rc3 ([#5929](https://github.com/containous/traefik/pull/5929) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- **[cli]** Add custom help function to command ([#5923](https://github.com/containous/traefik/pull/5923) by [Ullaakut](https://github.com/Ullaakut))
+- **[server]** fix: use MaxInt32. ([#5845](https://github.com/containous/traefik/pull/5845) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master ([#5841](https://github.com/containous/traefik/pull/5841) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5749](https://github.com/containous/traefik/pull/5749) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5619](https://github.com/containous/traefik/pull/5619) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5464](https://github.com/containous/traefik/pull/5464) by [ldez](https://github.com/ldez))
+- Merge v2.0.0 into master ([#5402](https://github.com/containous/traefik/pull/5402) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc3 into master ([#5354](https://github.com/containous/traefik/pull/5354) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc1 into master  ([#5253](https://github.com/containous/traefik/pull/5253) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5977](https://github.com/containous/traefik/pull/5977) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5931](https://github.com/containous/traefik/pull/5931) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5928](https://github.com/containous/traefik/pull/5928) by [ldez](https://github.com/ldez))
+
+## [v2.0.7](https://github.com/containous/traefik/tree/v2.0.7) (2019-12-09)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.6...v2.0.7)
+
+**Bug fixes:**
+- **[logs,middleware]** Remove mirroring impact in accesslog ([#5967](https://github.com/containous/traefik/pull/5967) by [juliens](https://github.com/juliens))
+- **[middleware]** fix: PassClientTLSCert middleware separators and formatting ([#5921](https://github.com/containous/traefik/pull/5921) by [ldez](https://github.com/ldez))
+- **[server]** Do not stop to listen on tcp listeners on temporary errors  ([#5935](https://github.com/containous/traefik/pull/5935) by [skwair](https://github.com/skwair))
+
+**Documentation:**
+- **[acme,k8s/crd,k8s/ingress]** Document LE caveats with Kubernetes on v2 ([#5902](https://github.com/containous/traefik/pull/5902) by [dtomcej](https://github.com/dtomcej))
+- **[acme]** The Cloudflare hint for the GLOBAL API KEY for CF MAIL/API_KEY ([#5964](https://github.com/containous/traefik/pull/5964) by [EugenMayer](https://github.com/EugenMayer))
+- **[acme]** Improve documentation for ACME/Let's Encrypt ([#5819](https://github.com/containous/traefik/pull/5819) by [dduportal](https://github.com/dduportal))
+- **[file]** Improve documentation on file provider limitations with file system notifications ([#5939](https://github.com/containous/traefik/pull/5939) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Make trailing slash more prominent for the "secure dashboard setup" too ([#5963](https://github.com/containous/traefik/pull/5963) by [EugenMayer](https://github.com/EugenMayer))
+- Fix Docker example in "Strip and Rewrite Path Prefixes" in migration guide ([#5949](https://github.com/containous/traefik/pull/5949) by [q210](https://github.com/q210))
+- readme: Fix link to file backend/provider documentation ([#5945](https://github.com/containous/traefik/pull/5945) by [hartwork](https://github.com/hartwork))
+
+## [v2.1.0-rc3](https://github.com/containous/traefik/tree/v2.1.0-rc3) (2019-12-02)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.0-rc2...v2.1.0-rc3)
+
+**Bug fixes:**
+- **[cli]** fix: sub command help ([#5887](https://github.com/containous/traefik/pull/5887) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** fix: consul catalog constraints. ([#5913](https://github.com/containous/traefik/pull/5913) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Service registered with same id on Consul Catalog ([#5900](https://github.com/containous/traefik/pull/5900) by [mmatur](https://github.com/mmatur))
+- **[webui]** Web UI: Avoid polling on /api/entrypoints ([#5863](https://github.com/containous/traefik/pull/5863) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Sync toolbar table state with url query params ([#5861](https://github.com/containous/traefik/pull/5861) by [matthieuh](https://github.com/matthieuh))
+
+**Misc:**
+- **[cli]** Add custom help function to command ([#5923](https://github.com/containous/traefik/pull/5923) by [Ullaakut](https://github.com/Ullaakut))
+
+## [v2.0.6](https://github.com/containous/traefik/tree/v2.0.6) (2019-12-02)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.5...v2.0.6)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to 3.2.0 ([#5839](https://github.com/containous/traefik/pull/5839) by [kolaente](https://github.com/kolaente))
+- **[cli,healthcheck]** Uses, if it exists, the ping entry point provided in the static configuration ([#5867](https://github.com/containous/traefik/pull/5867) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[healthcheck]** Healthcheck managed for all related services ([#5860](https://github.com/containous/traefik/pull/5860) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[logs,middleware]** Do not give responsewriter or its headers to asynchronous logging goroutine ([#5840](https://github.com/containous/traefik/pull/5840) by [mpl](https://github.com/mpl))
+- **[middleware]** X-Forwarded-Proto must not skip the redirection. ([#5836](https://github.com/containous/traefik/pull/5836) by [ldez](https://github.com/ldez))
+- **[middleware]** fix: location header rewrite. ([#5835](https://github.com/containous/traefik/pull/5835) by [ldez](https://github.com/ldez))
+- **[middleware]** Remove Request Headers CORS Preflight Requirement ([#5903](https://github.com/containous/traefik/pull/5903) by [dtomcej](https://github.com/dtomcej))
+- **[rancher]** Change service name in rancher provider to make webui service details view work ([#5895](https://github.com/containous/traefik/pull/5895) by [SantoDE](https://github.com/SantoDE))
+- **[tracing]** Fix extraction for zipkin tracing ([#5920](https://github.com/containous/traefik/pull/5920) by [jcchavezs](https://github.com/jcchavezs))
+- **[webui]** Web UI: Avoid unnecessary duplicated api calls ([#5884](https://github.com/containous/traefik/pull/5884) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Avoid some router properties to overflow their container ([#5872](https://github.com/containous/traefik/pull/5872) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Fix displayed tcp service details ([#5868](https://github.com/containous/traefik/pull/5868) by [matthieuh](https://github.com/matthieuh))
+
+**Documentation:**
+- **[acme]** doc: fix wrong acme information ([#5837](https://github.com/containous/traefik/pull/5837) by [ldez](https://github.com/ldez))
+- **[docker,docker/swarm]** Add Swarm section to the Docker Provider Documentation ([#5874](https://github.com/containous/traefik/pull/5874) by [dduportal](https://github.com/dduportal))
+- **[docker]** Update router entrypoint example ([#5766](https://github.com/containous/traefik/pull/5766) by [woto](https://github.com/woto))
+- **[k8s/helm]** Mention the experimental Helm Chart in the installation section of documentation ([#5879](https://github.com/containous/traefik/pull/5879) by [dduportal](https://github.com/dduportal))
+- doc: remove double quotes on CLI flags. ([#5862](https://github.com/containous/traefik/pull/5862) by [ldez](https://github.com/ldez))
+- Fixed spelling error ([#5834](https://github.com/containous/traefik/pull/5834) by [blakebuthod](https://github.com/blakebuthod))
+- Add back the security section from v1 ([#5832](https://github.com/containous/traefik/pull/5832) by [pascalandy](https://github.com/pascalandy))
+
+## [v2.1.0-rc2](https://github.com/containous/traefik/tree/v2.0.4) (2019-11-15)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.1.0-rc2)
+
+Fixes int overflow.
+Same changelog as v2.1.0-rc1
+
+## [v2.1.0-rc1](https://github.com/containous/traefik/tree/v2.1.0-rc1) (2019-11-15)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.1.0-rc1)
+
+**Enhancements:**
+- **[consulcatalog]** Add consul catalog options: requireConsistent, stale, cache ([#5752](https://github.com/containous/traefik/pull/5752) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Add Consul Catalog provider ([#5395](https://github.com/containous/traefik/pull/5395) by [negasus](https://github.com/negasus))
+- **[k8s,k8s/crd,service]** Support for all services kinds (and sticky) in CRD ([#5711](https://github.com/containous/traefik/pull/5711) by [mpl](https://github.com/mpl))
+- **[metrics]** Added configurable prefix for statsd metrics collection ([#5336](https://github.com/containous/traefik/pull/5336) by [schulterklopfer](https://github.com/schulterklopfer))
+- **[middleware]** Conditional compression based on request Content-Type ([#5721](https://github.com/containous/traefik/pull/5721) by [ldez](https://github.com/ldez))
+- **[server]** Add internal provider ([#5815](https://github.com/containous/traefik/pull/5815) by [ldez](https://github.com/ldez))
+- **[tls]** Add support for MaxVersion in tls.Options ([#5650](https://github.com/containous/traefik/pull/5650) by [kmeekva](https://github.com/kmeekva))
+- **[tls]** Add tls option for Elliptic Curve Preferences ([#5466](https://github.com/containous/traefik/pull/5466) by [ksarink](https://github.com/ksarink))
+- **[tracing]** Update jaeger dependencies ([#5637](https://github.com/containous/traefik/pull/5637) by [mmatur](https://github.com/mmatur))
+
+**Bug fixes:**
+- **[consulcatalog]** Fix empty address for registering service without IP ([#5826](https://github.com/containous/traefik/pull/5826) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- **[consulcatalog]** fix: Consul Catalog documentation. ([#5725](https://github.com/containous/traefik/pull/5725) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Fix consul catalog documentation ([#5661](https://github.com/containous/traefik/pull/5661) by [mmatur](https://github.com/mmatur))
+
+**Misc:**
+- Merge current v2.0 branch into master  ([#5749](https://github.com/containous/traefik/pull/5749) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5619](https://github.com/containous/traefik/pull/5619) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5464](https://github.com/containous/traefik/pull/5464) by [ldez](https://github.com/ldez))
+- Merge v2.0.0 into master ([#5402](https://github.com/containous/traefik/pull/5402) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc3 into master ([#5354](https://github.com/containous/traefik/pull/5354) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc1 into master  ([#5253](https://github.com/containous/traefik/pull/5253) by [ldez](https://github.com/ldez))
+
+## [v2.0.5](https://github.com/containous/traefik/tree/v2.0.5) (2019-11-14)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.4...v2.0.5)
+
+**Bug fixes:**
+- **[metrics]** fix: metric with services LB. ([#5759](https://github.com/containous/traefik/pull/5759) by [ldez](https://github.com/ldez))
+- **[middleware]** fix: stripPrefix middleware with empty resulting path. ([#5806](https://github.com/containous/traefik/pull/5806) by [ldez](https://github.com/ldez))
+- **[middleware]** Fix rate limiting and SSE ([#5737](https://github.com/containous/traefik/pull/5737) by [sylr](https://github.com/sylr))
+- **[tracing]** Upgrades zipkin library to avoid errors when using textMap. ([#5754](https://github.com/containous/traefik/pull/5754) by [jcchavezs](https://github.com/jcchavezs))
+
+**Documentation:**
+- **[acme,cluster]** Update ACME storage docs to remove reference to KV store in CE ([#5433](https://github.com/containous/traefik/pull/5433) by [bradjones1](https://github.com/bradjones1))
+- **[api]** docs: remove field api.entryPoint ([#5776](https://github.com/containous/traefik/pull/5776) by [waitingsong](https://github.com/waitingsong))
+- **[api]** Adds missed quotes in api.md ([#5787](https://github.com/containous/traefik/pull/5787) by [woto](https://github.com/woto))
+- **[docker/swarm]** Dashboard example with swarm ([#5795](https://github.com/containous/traefik/pull/5795) by [dduportal](https://github.com/dduportal))
+- **[docker]** Fix error in link description for priority ([#5746](https://github.com/containous/traefik/pull/5746) by [ASDFGamer](https://github.com/ASDFGamer))
+- **[k8s]** Wrong endpoint on the TLS secret example ([#5817](https://github.com/containous/traefik/pull/5817) by [yacinelazaar](https://github.com/yacinelazaar))
+- **[middleware,docker]** Double dollar on docker-compose config ([#5775](https://github.com/containous/traefik/pull/5775) by [clery](https://github.com/clery))
+- Fix quickstart link in README ([#5794](https://github.com/containous/traefik/pull/5794) by [mcky](https://github.com/mcky))
+- fix typo in v1 to v2 migration guide ([#5820](https://github.com/containous/traefik/pull/5820) by [fschl](https://github.com/fschl))
+- slashes ended up in bad place. ([#5798](https://github.com/containous/traefik/pull/5798) by [icepic](https://github.com/icepic))
+
+## [v2.0.4](https://github.com/containous/traefik/tree/v2.0.4) (2019-10-28)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.3...v2.0.4)
+
+Fixes releases system.
+Same changelog as v2.0.3.
+
+## [v2.0.3](https://github.com/containous/traefik/tree/v2.0.3) (2019-10-28)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.2...v2.0.3)
+
+**Bug fixes:**
+- **[acme,logs]** Use debug for log about skipping addition of cert ([#5641](https://github.com/containous/traefik/pull/5641) by [sylr](https://github.com/sylr))
+- **[file]** fix: add filename in the file provider logs. ([#5636](https://github.com/containous/traefik/pull/5636) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd,k8s/ingress]** Remove unnecessary reload of the configuration. ([#5707](https://github.com/containous/traefik/pull/5707) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd,k8s/ingress]** Fixing support for HTTPs backends with Kubernetes ExternalName services ([#5660](https://github.com/containous/traefik/pull/5660) by [kpeiruza](https://github.com/kpeiruza))
+- **[k8s,k8s/ingress]** Normalize service and router names for ingress. ([#5623](https://github.com/containous/traefik/pull/5623) by [ldez](https://github.com/ldez))
+- **[logs]** Set proxy protocol logger to DEBUG level ([#5712](https://github.com/containous/traefik/pull/5712) by [mmatur](https://github.com/mmatur))
+- **[middleware]** fix: add stacktrace when recover. ([#5654](https://github.com/containous/traefik/pull/5654) by [ldez](https://github.com/ldez))
+- **[tracing]** Let instana/go-sensor handle default agent host ([#5658](https://github.com/containous/traefik/pull/5658) by [sylr](https://github.com/sylr))
+- **[tracing]** fix: default tracing backend. ([#5717](https://github.com/containous/traefik/pull/5717) by [ldez](https://github.com/ldez))
+- fix: deep copy of passHostHeader on ServersLoadBalancer. ([#5720](https://github.com/containous/traefik/pull/5720) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Fix acme storage file docker mounting example ([#5633](https://github.com/containous/traefik/pull/5633) by [jansauer](https://github.com/jansauer))
+- **[acme]** fix incorrect DNS reference ([#5666](https://github.com/containous/traefik/pull/5666) by [oskapt](https://github.com/oskapt))
+- **[logs]** Clarify unit of duration field in access log ([#5664](https://github.com/containous/traefik/pull/5664) by [Sarke](https://github.com/Sarke))
+- **[middleware]** Fix Security Headers Doc ([#5706](https://github.com/containous/traefik/pull/5706) by [FlorianPerrot](https://github.com/FlorianPerrot))
+- **[middleware]** Migration guide: pathprefixstrip migration ([#5600](https://github.com/containous/traefik/pull/5600) by [dduportal](https://github.com/dduportal))
+- **[middleware]** fix ForwardAuth tls.skipverify examples ([#5683](https://github.com/containous/traefik/pull/5683) by [remche](https://github.com/remche))
+- **[rules]** Add documentation about backtick for rule definition. ([#5714](https://github.com/containous/traefik/pull/5714) by [ldez](https://github.com/ldez))
+- **[webui]** Improve documentation of the router rules for API and dashboard ([#5625](https://github.com/containous/traefik/pull/5625) by [dduportal](https://github.com/dduportal))
+- doc: @ is not authorized in names definition. ([#5734](https://github.com/containous/traefik/pull/5734) by [ldez](https://github.com/ldez))
+- Remove obsolete v2 remark from README ([#5669](https://github.com/containous/traefik/pull/5669) by [dragetd](https://github.com/dragetd))
+- Fix spelling mistake: "founded" -> "found" ([#5674](https://github.com/containous/traefik/pull/5674) by [ocanty](https://github.com/ocanty))
+- fix typo for stripPrefix in tab File (YAML) ([#5694](https://github.com/containous/traefik/pull/5694) by [nalakawula](https://github.com/nalakawula))
+- Add example for changing the port used by traefik to connect to a service ([#5224](https://github.com/containous/traefik/pull/5224) by [robertbaker](https://github.com/robertbaker))
+
+**Misc:**
+- **[logs,middleware]** Cherry pick v1.7 into v2.0 ([#5735](https://github.com/containous/traefik/pull/5735) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+## [v2.0.2](https://github.com/containous/traefik/tree/v2.0.2) (2019-10-09)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.1...v2.0.2)
+
+**Bug fixes:**
+- **[acme]** fix: ovh client int overflow. ([#5607](https://github.com/containous/traefik/pull/5607) by [ldez](https://github.com/ldez))
+- **[api,k8s,k8s/ingress]** fix: default router name for k8s ingress. ([#5612](https://github.com/containous/traefik/pull/5612) by [ldez](https://github.com/ldez))
+- **[file]** fix: default passHostHeader for file provider. ([#5516](https://github.com/containous/traefik/pull/5516) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd]** Fix typo in log ([#5590](https://github.com/containous/traefik/pull/5590) by [XciD](https://github.com/XciD))
+- **[middleware,metrics]** fix: panic with metrics recorder. ([#5536](https://github.com/containous/traefik/pull/5536) by [ldez](https://github.com/ldez))
+- **[webui]** Add a service sticky details vue component  ([#5579](https://github.com/containous/traefik/pull/5579) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- fix: return an error instead of panic. ([#5549](https://github.com/containous/traefik/pull/5549) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme,file]** Fix yaml domains example ([#5569](https://github.com/containous/traefik/pull/5569) by [SuperSandro2000](https://github.com/SuperSandro2000))
+- **[api,webui]** Clarifies how to configure and access the dashboard in the api & dashboard documentations ([#5523](https://github.com/containous/traefik/pull/5523) by [dduportal](https://github.com/dduportal))
+- **[api]** Add overview to API documentation ([#5539](https://github.com/containous/traefik/pull/5539) by [lnxbil](https://github.com/lnxbil))
+- **[cli]** typo in cli command ([#5586](https://github.com/containous/traefik/pull/5586) by [basraven](https://github.com/basraven))
+- **[cli]** Replace ambiguous cli help message wording ([#5233](https://github.com/containous/traefik/pull/5233) by [jansauer](https://github.com/jansauer))
+- **[docker]** Fixed typo in routing/providers/docker documentation ([#5520](https://github.com/containous/traefik/pull/5520) by [lyrixx](https://github.com/lyrixx))
+- **[docker]** $ needs escaping in docker-compose.yml ([#5528](https://github.com/containous/traefik/pull/5528) by [lnxbil](https://github.com/lnxbil))
+- **[file]** State clearly, that they are mutual exclusive ([#5527](https://github.com/containous/traefik/pull/5527) by [lnxbil](https://github.com/lnxbil))
+- **[healthcheck]** fix: typo in healthCheck examples ([#5575](https://github.com/containous/traefik/pull/5575) by [serpi90](https://github.com/serpi90))
+- **[k8s/crd]** Update 04-ingressroutes.yml ([#5585](https://github.com/containous/traefik/pull/5585) by [basraven](https://github.com/basraven))
+- **[k8s/crd]** Update apiVersion in documentation descriptor ([#5605](https://github.com/containous/traefik/pull/5605) by [pyaillet](https://github.com/pyaillet))
+- **[metrics]** doc: fix influxDB and statsD case in configuration page. ([#5531](https://github.com/containous/traefik/pull/5531) by [ldez](https://github.com/ldez))
+- **[middleware]** Update scope of services and middlewares ([#5584](https://github.com/containous/traefik/pull/5584) by [Thoorium](https://github.com/Thoorium))
+- **[middleware]** Typo in documentation ([#5558](https://github.com/containous/traefik/pull/5558) by [Constans](https://github.com/Constans))
+- **[middleware]** Fix misleading text ([#5540](https://github.com/containous/traefik/pull/5540) by [joassouza](https://github.com/joassouza))
+- **[tls]** document serversTransport ([#5529](https://github.com/containous/traefik/pull/5529) by [mpl](https://github.com/mpl))
+- **[tls]** TLS_RSA_WITH_AES_256_GCM_SHA384 is considered weak ([#5578](https://github.com/containous/traefik/pull/5578) by [Constans](https://github.com/Constans))
+- **[tls]** Improve ciphersuite examples ([#5594](https://github.com/containous/traefik/pull/5594) by [Constans](https://github.com/Constans))
+- Remove deprecated videos ([#5570](https://github.com/containous/traefik/pull/5570) by [emilevauge](https://github.com/emilevauge))
+- fix: remove extra backtick from routers docs ([#5572](https://github.com/containous/traefik/pull/5572) by [serpi90](https://github.com/serpi90))
+- document providersThrottleDuration ([#5519](https://github.com/containous/traefik/pull/5519) by [mpl](https://github.com/mpl))
+- Add a response forwarding section to the service documentation  ([#5517](https://github.com/containous/traefik/pull/5517) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Change instances of "dymanic" to "dynamic" ([#5504](https://github.com/containous/traefik/pull/5504) by [dat-gitto-kid](https://github.com/dat-gitto-kid))
+- Add the pass host header section to the services documentation ([#5500](https://github.com/containous/traefik/pull/5500) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- fix misspelling on documentation landing page ([#5613](https://github.com/containous/traefik/pull/5613) by [cthompson527](https://github.com/cthompson527))
+
 ## [v2.0.1](https://github.com/containous/traefik/tree/v2.0.1) (2019-09-26)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0...v2.0.1)
 
@@ -31,6 +303,24 @@
 - Add the router priority documentation ([#5481](https://github.com/containous/traefik/pull/5481) by [jbdoumenjou](https://github.com/jbdoumenjou))
 - Improve the Migration Guide ([#5391](https://github.com/containous/traefik/pull/5391) by [jbdoumenjou](https://github.com/jbdoumenjou))
 
+## [v1.7.18](https://github.com/containous/traefik/tree/v1.7.18) (2019-09-23)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.17...v1.7.18)
+
+**Bug fixes:**
+- **[go,security]** This version is compiled with [Go 1.12.10](https://groups.google.com/d/msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ), which fixes a vulnerability in previous versions. See the [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276) about it for more details.
+
+## [v1.7.17](https://github.com/containous/traefik/tree/v1.7.17) (2019-09-23)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.16...v1.7.17)
+
+**Bug fixes:**
+- **[logs,middleware]** Avoid closing stdout when the accesslog handler is closed ([#5459](https://github.com/containous/traefik/pull/5459) by [nrwiersma](https://github.com/nrwiersma))
+- **[middleware]** Actually send header and code during WriteHeader, if needed ([#5404](https://github.com/containous/traefik/pull/5404) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- **[k8s]** Add note clarifying client certificate header ([#5362](https://github.com/containous/traefik/pull/5362) by [bradjones1](https://github.com/bradjones1))
+- **[webui]** Update docs links. ([#5412](https://github.com/containous/traefik/pull/5412) by [ldez](https://github.com/ldez))
+- Update Traefik image version. ([#5399](https://github.com/containous/traefik/pull/5399) by [ldez](https://github.com/ldez))
+
 ## [v2.0.0](https://github.com/containous/traefik/tree/v2.0.0) (2019-09-16)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha1...v2.0.0)
 
@@ -375,6 +665,29 @@
 - fix a service with one server .yaml example ([#5373](https://github.com/containous/traefik/pull/5373) by [zaverden](https://github.com/zaverden))
 - fix: services configuration documentation. ([#5359](https://github.com/containous/traefik/pull/5359) by [ldez](https://github.com/ldez))
 
+## [v1.7.16](https://github.com/containous/traefik/tree/v1.7.16) (2019-09-13)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.15...v1.7.16)
+
+**Bug fixes:**
+- **[middleware,websocket]** implement Flusher and Hijacker for codeCatcher ([#5376](https://github.com/containous/traefik/pull/5376) by [mpl](https://github.com/mpl))
+
+## [v1.7.15](https://github.com/containous/traefik/tree/v1.7.15) (2019-09-12)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.14...v1.7.15)
+
+**Bug fixes:**
+- **[authentication,k8s/ingress]** Kubernetes support for Auth.HeaderField ([#5235](https://github.com/containous/traefik/pull/5235) by [ErikWegner](https://github.com/ErikWegner))
+- **[k8s,k8s/ingress]** Finish kubernetes throttling refactoring ([#5269](https://github.com/containous/traefik/pull/5269) by [mpl](https://github.com/mpl))
+- **[k8s]** Throttle Kubernetes config refresh ([#4716](https://github.com/containous/traefik/pull/4716) by [benweissmann](https://github.com/benweissmann))
+- **[k8s]** Fix wrong handling of insecure tls auth forward ingress annotation ([#5319](https://github.com/containous/traefik/pull/5319) by [majkrzak](https://github.com/majkrzak))
+- **[middleware]** error pages: do not buffer response when it's not an error ([#5285](https://github.com/containous/traefik/pull/5285) by [mpl](https://github.com/mpl))
+- **[tls]** Consider default cert domain in certificate store ([#5353](https://github.com/containous/traefik/pull/5353) by [nrwiersma](https://github.com/nrwiersma))
+- **[tls]** Add TLS minversion constraint ([#5356](https://github.com/containous/traefik/pull/5356) by [dtomcej](https://github.com/dtomcej))
+
+**Documentation:**
+- **[acme]** Update Acme doc - Vultr Wildcard & Root ([#5320](https://github.com/containous/traefik/pull/5320) by [ddymko](https://github.com/ddymko))
+- **[consulcatalog]** Typo in basic auth usersFile label consul-catalog ([#5230](https://github.com/containous/traefik/pull/5230) by [pitan](https://github.com/pitan))
+- **[logs]** Improve Access Logs Documentation page ([#5238](https://github.com/containous/traefik/pull/5238) by [dduportal](https://github.com/dduportal))
+
 ## [v2.0.0-rc3](https://github.com/containous/traefik/tree/v2.0.0-rc3) (2019-09-10)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc2...v2.0.0-rc3)
 

CONTRIBUTING.md

@@ -1,3 +1,4 @@
 # Contributing
 
-See <https://docs.traefik.io/v2.0/contributing/thank-you/>.
+- https://docs.traefik.io/contributing/submitting-pull-requests/
+- https://docs.traefik.io/contributing/submitting-issues/

Makefile

@@ -131,7 +131,7 @@ generate-crd:
 ## Create packages for the release
 release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish
+	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish --timeout="60m"
 	$(DOCKER_RUN_TRAEFIK_NOTTY) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \

README.md

@@ -33,7 +33,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:warning: Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
 
 ## Overview
 
@@ -73,11 +73,11 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
 - [Marathon](https://docs.traefik.io/providers/marathon/)
 - [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
-- [File](https://docs.traefik.io/configuration/backends/file)
+- [File](https://docs.traefik.io/providers/file/)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://docs.traefik.io/getting-started/quick-start/) in our documentation (you will need Docker).
 
 ## Web UI
 
@@ -87,10 +87,11 @@ You can access the simple HTML frontend of Traefik.
 
 ## Documentation
 
-You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
-A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
+You can find the complete documentation of Traefik v2 at [https://docs.traefik.io](https://docs.traefik.io).
 
-:warning: If you're testing out v2, please ensure you are using the [v2 documentation](https://docs.traefik.io/).
+If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/)
+
+A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
 ## Support
 
@@ -121,17 +122,7 @@ git clone https://github.com/containous/traefik
 
 ## Introductory Videos
 
-:warning: Please be aware that these videos are for v1.X. The old configurations for Traefik v1.X are NOT compatible with Traefik v2. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
-
-Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
-You will learn Traefik basics in less than 10 minutes.
-
-[![Traefik GopherCon 2017](https://img.youtube.com/vi/RgudiksfL-k/0.jpg)](https://www.youtube.com/watch?v=RgudiksfL-k)
-
-Here is a talk given by [Ed Robinson](https://github.com/errm) at [ContainerCamp UK](https://container.camp) conference.
-You will learn fundamental Traefik features and see some demos with Kubernetes.
-
-[![Traefik ContainerCamp UK](https://img.youtube.com/vi/aFtpIShV60I/0.jpg)](https://www.youtube.com/watch?v=aFtpIShV60I)
+You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us)
 
 ## Maintainers
 

build.Dockerfile

@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.18.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.20.0
 
 # Download golangci-lint and misspell binary to bin folder in $GOPATH
 RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell

cmd/healthcheck/healthcheck.go

@@ -15,7 +15,7 @@ import (
 func NewCmd(traefikConfiguration *static.Configuration, loaders []cli.ResourceLoader) *cli.Command {
 	return &cli.Command{
 		Name:          "healthcheck",
-		Description:   `Calls Traefik /ping to check the health of Traefik (the API must be enabled).`,
+		Description:   `Calls Traefik /ping endpoint (disabled by default) to check the health of Traefik.`,
 		Configuration: traefikConfiguration,
 		Run:           runCmd(traefikConfiguration),
 		Resources:     loaders,
@@ -51,9 +51,14 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 		return nil, errors.New("please enable `ping` to use health check")
 	}
 
-	pingEntryPoint, ok := staticConfiguration.EntryPoints["traefik"]
+	ep := staticConfiguration.Ping.EntryPoint
+	if ep == "" {
+		ep = "traefik"
+	}
+
+	pingEntryPoint, ok := staticConfiguration.EntryPoints[ep]
 	if !ok {
-		return nil, errors.New("missing `ping` entrypoint")
+		return nil, fmt.Errorf("ping: missing %s entry point", ep)
 	}
 
 	client := &http.Client{Timeout: 5 * time.Second}

cmd/traefik/traefik.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	stdlog "log"
 	"net/http"
 	"os"
@@ -20,12 +19,17 @@ import (
 	"github.com/containous/traefik/v2/pkg/config/dynamic"
 	"github.com/containous/traefik/v2/pkg/config/static"
 	"github.com/containous/traefik/v2/pkg/log"
+	"github.com/containous/traefik/v2/pkg/metrics"
+	"github.com/containous/traefik/v2/pkg/middlewares/accesslog"
 	"github.com/containous/traefik/v2/pkg/provider/acme"
 	"github.com/containous/traefik/v2/pkg/provider/aggregator"
+	"github.com/containous/traefik/v2/pkg/provider/traefik"
 	"github.com/containous/traefik/v2/pkg/safe"
 	"github.com/containous/traefik/v2/pkg/server"
-	"github.com/containous/traefik/v2/pkg/server/router"
+	"github.com/containous/traefik/v2/pkg/server/middleware"
+	"github.com/containous/traefik/v2/pkg/server/service"
 	traefiktls "github.com/containous/traefik/v2/pkg/tls"
+	"github.com/containous/traefik/v2/pkg/types"
 	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
@@ -65,10 +69,10 @@ Complete documentation is available at https://traefik.io`,
 	err = cli.Execute(cmdTraefik)
 	if err != nil {
 		stdlog.Println(err)
-		os.Exit(1)
+		logrus.Exit(1)
 	}
 
-	os.Exit(0)
+	logrus.Exit(0)
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
@@ -77,7 +81,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
 	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set roundrobin default weight: %v", err)
+		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
 	}
 
 	staticConfiguration.SetEffectiveConfiguration()
@@ -105,43 +109,11 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	stats(staticConfiguration)
 
-	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
-
-	tlsManager := traefiktls.NewManager()
-
-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
-
-	serverEntryPointsTCP := make(server.TCPEntryPoints)
-	for entryPointName, config := range staticConfiguration.EntryPoints {
-		ctx := log.With(context.Background(), log.Str(log.EntryPointName, entryPointName))
-		serverEntryPointsTCP[entryPointName], err = server.NewTCPEntryPoint(ctx, config)
-		if err != nil {
-			return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
-		}
-		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProviders)
+	svr, err := setupServer(staticConfiguration)
+	if err != nil {
+		return err
 	}
 
-	svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)
-
-	resolverNames := map[string]struct{}{}
-
-	for _, p := range acmeProviders {
-		resolverNames[p.ResolverName] = struct{}{}
-		svr.AddListener(p.ListenConfiguration)
-	}
-
-	svr.AddListener(func(config dynamic.Configuration) {
-		for rtName, rt := range config.HTTP.Routers {
-			if rt.TLS == nil || rt.TLS.CertResolver == "" {
-				continue
-			}
-
-			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
-			}
-		}
-	})
-
 	ctx := cmd.ContextWithSignal(context.Background())
 
 	if staticConfiguration.Ping != nil {
@@ -168,7 +140,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 			for range tick {
 				resp, errHealthCheck := healthcheck.Do(*staticConfiguration)
 				if resp != nil {
-					resp.Body.Close()
+					_ = resp.Body.Close()
 				}
 
 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
@@ -184,10 +156,97 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	svr.Wait()
 	log.WithoutContext().Info("Shutting down")
-	logrus.Exit(0)
 	return nil
 }
 
+func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
+	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
+
+	// adds internal provider
+	err := providerAggregator.AddProvider(traefik.New(*staticConfiguration))
+	if err != nil {
+		return nil, err
+	}
+
+	tlsManager := traefiktls.NewManager()
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
+
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	routinesPool := safe.NewPool(ctx)
+
+	metricsRegistry := registerMetricClients(staticConfiguration.Metrics)
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
+	tcpRouterFactory := server.NewTCPRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder)
+
+	watcher := server.NewConfigurationWatcher(routinesPool, providerAggregator, time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
+
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		ctx := context.Background()
+		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
+	})
+
+	watcher.AddListener(func(_ dynamic.Configuration) {
+		metricsRegistry.ConfigReloadsCounter().Add(1)
+		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
+	})
+
+	watcher.AddListener(switchRouter(tcpRouterFactory, acmeProviders, serverEntryPointsTCP))
+
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
+			var eps []string
+			for key := range serverEntryPointsTCP {
+				eps = append(eps, key)
+			}
+
+			metrics.OnConfigurationUpdate(conf, eps)
+		}
+	})
+
+	resolverNames := map[string]struct{}{}
+	for _, p := range acmeProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.ListenConfiguration)
+	}
+
+	watcher.AddListener(func(config dynamic.Configuration) {
+		for rtName, rt := range config.HTTP.Routers {
+			if rt.TLS == nil || rt.TLS.CertResolver == "" {
+				continue
+			}
+
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+			}
+		}
+	})
+
+	return server.NewServer(routinesPool, serverEntryPointsTCP, watcher, chainBuilder, accessLog), nil
+}
+
+func switchRouter(tcpRouterFactory *server.TCPRouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints) func(conf dynamic.Configuration) {
+	return func(conf dynamic.Configuration) {
+		routers := tcpRouterFactory.CreateTCPRouters(conf)
+		for entryPointName, rt := range routers {
+			for _, p := range acmeProviders {
+				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
+					rt.HTTPHandler(p.CreateHandler(rt.GetHTTPHandler()))
+					break
+				}
+			}
+		}
+		serverEntryPointsTCP.Switch(routers)
+	}
+}
+
 // initACMEProvider creates an acme provider from the ACME part of globalConfiguration
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
 	challengeStore := acme.NewLocalChallengeStore()
@@ -222,6 +281,60 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 	return resolvers
 }
 
+func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
+	if metricsConfig == nil {
+		return metrics.NewVoidRegistry()
+	}
+
+	var registries []metrics.Registry
+
+	if metricsConfig.Prometheus != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
+		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		if prometheusRegister != nil {
+			registries = append(registries, prometheusRegister)
+			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+		}
+	}
+
+	if metricsConfig.Datadog != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
+		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
+		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
+			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+	}
+
+	if metricsConfig.StatsD != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
+		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
+		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
+			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+	}
+
+	if metricsConfig.InfluxDB != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
+		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
+		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
+			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+	}
+
+	return metrics.NewMultiRegistry(registries)
+}
+
+func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
+	if conf == nil {
+		return nil
+	}
+
+	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
+	if err != nil {
+		log.WithoutContext().Warnf("Unable to create access logger : %v", err)
+		return nil
+	}
+
+	return accessLoggerMiddleware
+}
+
 func configureLogging(staticConfiguration *static.Configuration) {
 	// configure default log flags
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)

docs/.markdownlint.json

@@ -7,5 +7,6 @@
     "MD026": false,
     "MD033": false,
     "MD034": false,
-    "MD036": false
+    "MD036": false,
+    "MD046": false
 }

docs/check.Dockerfile

@@ -1,9 +1,6 @@
 
-FROM alpine:3.9 as alpine
+FROM alpine:3.10 as alpine
 
-# The "build-dependencies" virtual package provides build tools for html-proofer installation.
-# It compile ruby-nokogiri, because alpine native version is always out of date
-# This virtual package is cleaned at the end.
 RUN apk --no-cache --no-progress add \
     libcurl \
     ruby \
@@ -11,21 +8,21 @@ RUN apk --no-cache --no-progress add \
     ruby-etc \
     ruby-ffi \
     ruby-json \
-  && apk add --no-cache --virtual build-dependencies \
-    build-base \
-    libcurl \
-    libxml2-dev \
-    libxslt-dev \
-    ruby-dev \
-  && gem install --no-document html-proofer -v 3.10.2 \
-  && apk del build-dependencies
+    ruby-nokogiri
+RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libraries
 
 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
     git \
     nodejs \
-    npm \
-  && npm install markdownlint@0.12.0 markdownlint-cli@0.13.0 --global
+    npm
+
+# To handle 'not get uid/gid'
+RUN npm config set unsafe-perm true
+
+RUN npm install --global \
+    markdownlint@0.17.2 \
+    markdownlint-cli@0.19.0
 
 # Finally the shell tools we need for later
 # tini helps to terminate properly all the parallelized tasks when sending CTRL-C

docs/content/contributing/building-testing.md

@@ -62,6 +62,7 @@ Requirements:
 
 - `go` v1.13+
 - environment variable `GO111MODULE=on`
+- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 
 !!! tip "Source Directory"
 
@@ -97,30 +98,32 @@ Requirements:
 #### Build Traefik
 
 Once you've set up your go environment and cloned the source repository, you can build Traefik.
-Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
+
+Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
 
 ```bash
 cd ~/go/src/github.com/containous/traefik
 
 # Get go-bindata. (Important: the ellipses are required.)
 GO111MODULE=off go get github.com/containous/go-bindata/...
+```
 
-# Let's build
+```bash
+# Generate UI static files
+rm -rf static/ autogen/; make generate-webui
 
-# generate
-# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
+# required to merge non-code components into the final binary,
+# such as the web dashboard/UI
 go generate
+```
 
+```bash
 # Standard go build
 go build ./cmd/traefik
 ```
 
 You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
 
-### Updating the templates
-
-If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
-
 ## Testing
 
 ### Method 1: `Docker` and `make`

docs/content/contributing/submitting-security-issues.md

@@ -0,0 +1,16 @@
+# Security
+
+## Security Advisories
+
+We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+## CVE
+
+Reported vulnerabilities can be found on 
+[cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Report a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).

docs/content/getting-started/configuration-overview.md

@@ -16,8 +16,8 @@ The _dynamic configuration_ contains everything that defines how the requests ar
 This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.    
 
 !!! warning "Incompatible Configuration"
-    Please be aware that the old configurations for Traefik v1.X are NOT compatible with the v2.X config as of now.
-    If you're testing out v2, please ensure you are using a v2 configuration.
+    Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now.
+    If you are running v2, please ensure you are using a v2 configuration.
 
 ## The Dynamic Configuration 
 

docs/content/getting-started/install-traefik.md

@@ -3,6 +3,7 @@
 You can install Traefik with the following flavors:
 
 * [Use the official Docker image](./#use-the-official-docker-image)
+* [(Experimental) Use the Helm Chart](./#use-the-helm-chart)
 * [Use the binary distribution](./#use-the-binary-distribution)
 * [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
 
@@ -24,6 +25,70 @@ For more details, go to the [Docker provider documentation](../providers/docker.
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * All the orchestrator using docker images could fetch the official Traefik docker image.
 
+## Use the Helm Chart
+
+!!! warning "Experimental Helm Chart"
+    
+    Please note that the Helm Chart for Traefik v2 is still experimental.
+    
+    The Traefik Stable Chart from 
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://docs.traefik.io/v1.7).
+
+Traefik can be installed in Kubernetes using the v2.0 Helm chart from <https://github.com/containous/traefik-helm-chart>.
+
+Ensure that the following requirements are met:
+
+* Kubernetes 1.14+
+* Helm version 2.x is [installed](https://v2.helm.sh/docs/using_helm/) and initialized with Tiller
+
+Retrieve the latest chart version from the repository:
+
+```bash
+# Retrieve Chart from the repository
+git clone https://github.com/containous/traefik-helm-chart
+```
+
+And install it with the `helm` command line:
+
+```bash
+helm install ./traefik-helm-chart
+```
+
+!!! tip "Helm Features"
+    
+    All [Helm features](https://v2.helm.sh/docs/using_helm/#using-helm) are supported.
+    For instance, installing the chart in a dedicated namespace:
+
+    ```bash tab="Install in a Dedicated Namespace"
+    # Install in the namespace "traefik-v2"
+    helm install --namespace=traefik-v2 \
+        ./traefik-helm-chart
+    ```
+
+??? example "Installing with Custom Values"
+    
+    You can customize the installation by specifying custom values,
+    as with [any helm chart](https://v2.helm.sh/docs/using_helm/#customizing-the-chart-before-installing).
+    {: #helm-custom-values }
+    
+    The values are not (yet) documented, but are self-explanatory:
+    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/values.yaml) file to explore possibilities.
+    
+    Example of installation with logging set to `DEBUG`:
+    
+    ```bash tab="Using Helm CLI"
+    helm install --namespace=traefik-v2 \
+        --set="logs.loglevel=DEBUG" \
+        ./traefik-helm-chart
+    ```
+    
+    ```yml tab="With a custom values file"
+    # File custom-values.yml
+    ## Install with "helm install --values=./custom-values.yml ./traefik-helm-chart
+    logs:
+        loglevel: DEBUG
+    ```
+
 ## Use the Binary Distribution
 
 Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.

docs/content/https/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+    "extends": "../../.markdownlint.json",
+    "MD041": false
+}

docs/content/https/acme.md

@@ -8,6 +8,45 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 !!! warning "Let's Encrypt and Rate Limiting"
     Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
 
+    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
+    when experimenting to avoid hitting this limit too fast.
+    
+## Certificate Resolvers
+
+Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
+which are responsible for retrieving certificates from an ACME server.
+
+Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
+and is associated to a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).
+
+Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).
+
+You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
+
+## Domain Definition
+
+Certificate resolvers request certificates for a set of the domain names 
+inferred from routers, with the following logic:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
+
+- If no [`tls.domains`](../routing/routers/index.md#domains) option is set, 
+  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule), 
+  by checking the `Host()` matchers. 
+  Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
+
+Please note that:
+
+- When multiple domain names are inferred from a given router,
+  only **one** certificate is requested with the first domain name as the main domain,
+  and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
+
+- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
+  any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.
+
+Please check the [configuration examples below](#configuration-examples) for more details.
+
 ## Configuration Examples
 
 ??? example "Enabling ACME"
@@ -20,10 +59,10 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
       [entryPoints.web-secure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       email = "your-email@your-domain.org"
       storage = "acme.json"
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.le.acme.httpChallenge]
         # used during the challenge
         entryPoint = "web"
     ```
@@ -47,13 +86,13 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
     ```
     
     ```bash tab="CLI"
-    --entryPoints.web.address=":80"
-    --entryPoints.websecure.address=":443"
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.email="your-email@your-domain.org"
-    --certificatesResolvers.sample.acme.storage="acme.json"
+    --certificatesResolvers.le.acme.email=your-email@your-domain.org
+    --certificatesResolvers.le.acme.storage=acme.json
     # used during the challenge
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesResolvers.le.acme.httpChallenge.entryPoint=web
     ```
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
@@ -75,6 +114,26 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
     --8<-- "content/https/ref-acme.txt"
     ```
 
+??? example "Single Domain from Router's Rule Example"
+    
+    * A certificate for the domain `company.com` is requested:
+
+    --8<-- "content/https/include-acme-single-domain-example.md"
+
+??? example "Multiple Domains from Router's Rule Example"
+ 
+    * A certificate for the domains `company.com` (main) and `blog.company.org`
+      is requested:
+    
+    --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
+    
+??? example "Multiple Domains from Router's `tls.domain` Example"
+
+    * A certificate for the domains `company.com` (main) and `*.company.org` (SAN)
+      is requested:
+      
+    --8<-- "content/https/include-acme-multiple-domains-example.md"
+
 ## Automatic Renewals
 
 Traefik automatically tracks the expiry date of ACME certificates it generates.
@@ -84,6 +143,13 @@ If there are less than 30 days remaining before the certificate expires, Traefik
 !!! info ""
     Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
 
+## Using LetsEncrypt with Kubernetes
+
+When using LetsEncrypt with kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.
+
+!!! info ""
+    If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.
+
 ## The Different ACME Challenges
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
@@ -98,9 +164,9 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 ??? example "Configuring the `tlsChallenge`"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       # ...
-      [certificatesResolvers.sample.acme.tlsChallenge]
+      [certificatesResolvers.le.acme.tlsChallenge]
     ```
 
     ```yaml tab="File (YAML)"
@@ -113,7 +179,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.tlsChallenge=true
+    --certificatesResolvers.le.acme.tlsChallenge=true
     ```
 
 ### `httpChallenge`
@@ -121,7 +187,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
 
 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesResolvers.le.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
 
 ??? example "Using an EntryPoint Called http for the `httpChallenge`"
 
@@ -133,9 +199,9 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
       [entryPoints.web-secure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       # ...
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.le.acme.httpChallenge]
         entryPoint = "web"
     ```
 
@@ -156,10 +222,10 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
     ```
     
     ```bash tab="CLI"
-    --entryPoints.web.address=":80"
-    --entryPoints.websecure.address=":443"
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesResolvers.le.acme.httpChallenge.entryPoint=web
     ```
 
 !!! info ""
@@ -172,9 +238,9 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       # ...
-      [certificatesResolvers.sample.acme.dnsChallenge]
+      [certificatesResolvers.le.acme.dnsChallenge]
         provider = "digitalocean"
         delayBeforeCheck = 0
     # ...
@@ -193,8 +259,8 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
-    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+    --certificatesResolvers.le.acme.dnsChallenge.provider=digitalocean
+    --certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=0
     # ...
     ```
 
@@ -215,11 +281,12 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
 | [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
+| [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
 | [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` - The `Global API Key` needs to be used, not the `Origin CA Key`                                               | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
@@ -247,6 +314,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
 | [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
+| [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
 | manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
 | [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
@@ -277,6 +345,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 [^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
+[^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
 
 !!! info "`delayBeforeCheck`"
     By default, the `provider` verifies the TXT record _before_ letting ACME verify.
@@ -288,9 +357,9 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 Use custom DNS servers to resolve the FQDN authority.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.le.acme]
   # ...
-  [certificatesResolvers.sample.acme.dnsChallenge]
+  [certificatesResolvers.le.acme.dnsChallenge]
     # ...
     resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
 ```
@@ -309,7 +378,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.dnsChallenge.resolvers:="1.1.1.1:53,8.8.8.8:53"
+--certificatesResolvers.le.acme.dnsChallenge.resolvers:=1.1.1.1:53,8.8.8.8:53
 ```
 
 #### Wildcard Domains
@@ -317,12 +386,14 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
 
-## `caServer`
+## More Configuration
+
+### `caServer`
 
 ??? example "Using the Let's Encrypt staging server"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       # ...
       caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
       # ...
@@ -339,16 +410,16 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+    --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
     # ...
     ```
 
-## `storage`
+### `storage`
 
 The `storage` option sets the location where your ACME certificates are saved to.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.le.acme]
   # ...
   storage = "acme.json"
   # ...
@@ -365,7 +436,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesResolvers.le.acme.storage=acme.json
 # ...
 ```
 
@@ -373,14 +444,14 @@ The value can refer to some kinds of storage:
 
 - a JSON file
 
-### In a File
+#### In a File
 
 ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
 
 In Docker you can mount either the JSON file, or the folder containing it:
 
 ```bash
-docker run -v "/my/host/acme.json:acme.json" traefik
+docker run -v "/my/host/acme.json:/acme.json" traefik
 ```
 
 ```bash
@@ -388,7 +459,7 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 ```
 
 !!! warning
-    For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead.
+    For concurrency reason, this file cannot be shared across multiple instances of Traefik.
 
 ## Fallback
 

docs/content/https/include-acme-multiple-domains-example.md

@@ -0,0 +1,88 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.domains[0].main=company.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.routers.blog.tls.domains[0].main=company.org
+    - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```yaml tab="Kubernetes"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`company.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: le
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.routers.blog.tls.domains[0].main": "company.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.company.com",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.domains[0].main=company.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "Host(`company.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+      certResolver = "le" # From static configuration
+      [[http.routers.blog.tls.domains]]
+        main = "company.org"
+        sans = ["*.company.org"]
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`company.com`) && Path(`/blog`)"
+      tls:
+        certResolver: le
+        domains:
+          - main: "company.org"
+            sans:
+              - "*.company.org"
+```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: (Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls: {}
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+    [http.routers.blog.tls]
+      certResolver = "le" # From static configuration
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+      tls:
+        certResolver: le
+```

docs/content/https/include-acme-single-domain-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`company.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls: {}
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+```
+
+```toml tab="Single Domain"
+## Dynamic configuration
+[http.routers]
+    [http.routers.blog]
+    rule = "Host(`company.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+        certResolver = "le" # From static configuration
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`company.com`) && Path(`/blog`)"
+      tls:
+        certResolver: le
+```

docs/content/https/ref-acme.toml

@@ -35,13 +35,13 @@
   #
   # Optional (but recommended)
   #
-  [certificatesResolvers.sample.acme.tlsChallenge]
+  [certificatesResolvers.le.acme.tlsChallenge]
 
   # Use a HTTP-01 ACME challenge.
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.httpChallenge]
+  # [certificatesResolvers.le.acme.httpChallenge]
 
     # EntryPoint to use for the HTTP-01 challenges.
     #
@@ -54,7 +54,7 @@
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.dnsChallenge]
+  # [certificatesResolvers.le.acme.dnsChallenge]
 
     # DNS provider used.
     #

docs/content/https/ref-acme.txt

@@ -4,13 +4,13 @@
 #
 # Required
 #
---certificatesResolvers.sample.acme.email="test@traefik.io"
+--certificatesResolvers.le.acme.email=test@traefik.io
 
 # File or key used for certificates storage.
 #
 # Required
 #
---certificatesResolvers.sample.acme.storage="acme.json"
+--certificatesResolvers.le.acme.storage=acme.json
 
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
@@ -19,7 +19,7 @@
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
---certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
 
 # KeyType to use.
 #
@@ -28,38 +28,38 @@
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
---certificatesResolvers.sample.acme.keyType=RSA4096
+--certificatesResolvers.le.acme.keyType=RSA4096
 
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
---certificatesResolvers.sample.acme.tlsChallenge=true
+--certificatesResolvers.le.acme.tlsChallenge=true
 
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.httpChallenge=true
+--certificatesResolvers.le.acme.httpChallenge=true
 
 # EntryPoint to use for the HTTP-01 challenges.
 #
 # Required
 #
---certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+--certificatesResolvers.le.acme.httpChallenge.entryPoint=web
 
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.dnsChallenge=true
+--certificatesResolvers.le.acme.dnsChallenge=true
 
 # DNS provider used.
 #
 # Required
 #
---certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+--certificatesResolvers.le.acme.dnsChallenge.provider=digitalocean
 
 # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
 # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
@@ -68,14 +68,14 @@
 # Optional
 # Default: 0
 #
---certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+--certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=0
 
 # Use following DNS servers to resolve the FQDN authority.
 #
 # Optional
 # Default: empty
 #
---certificatesResolvers.sample.acme.dnsChallenge.resolvers="1.1.1.1:53,8.8.8.8:53"
+--certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 
 # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
 #
@@ -85,4 +85,4 @@
 # Optional
 # Default: false
 #
---certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
+--certificatesResolvers.le.acme.dnsChallenge.disablePropagationCheck=true

docs/content/https/ref-acme.yaml

@@ -1,5 +1,5 @@
 certificatesResolvers:
-  sample:
+  le:
     # Enable ACME (Let's Encrypt): automatic SSL.
     acme:
 

docs/content/https/tls.md

@@ -40,7 +40,7 @@ tls:
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
-    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../routing/providers/kubernetes-crd.md#tls). 
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
 
 ## Certificates Stores
 
@@ -181,6 +181,57 @@ spec:
   minVersion: VersionTLS13
 ```
 
+### Maximum TLS Version
+
+We discourages the use of this setting to disable TLS1.3.
+
+The right approach is to update the clients to support TLS1.3.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    maxVersion = "VersionTLS13"
+
+  [tls.options.maxtls12]
+    maxVersion = "VersionTLS12"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      maxVersion: VersionTLS13
+
+    maxtls12:
+      maxVersion: VersionTLS12
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS13
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: maxtls12
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS12
+```
+
 ### Cipher Suites
 
 See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
@@ -191,8 +242,7 @@ See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more informat
 [tls.options]
   [tls.options.default]
     cipherSuites = [
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_RSA_WITH_AES_256_GCM_SHA384"
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
     ]
 ```
 
@@ -204,7 +254,6 @@ tls:
     default:
       cipherSuites:
         - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-        - TLS_RSA_WITH_AES_256_GCM_SHA384
 ```
 
 ```yaml tab="Kubernetes"
@@ -217,7 +266,6 @@ metadata:
 spec:
   cipherSuites:
     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-    - TLS_RSA_WITH_AES_256_GCM_SHA384
 ```
 
 !!! important "TLS 1.3"
@@ -226,6 +274,46 @@ spec:
     With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
     <https://golang.org/doc/go1.12#tls_1_3>
 
+### Curve Preferences
+
+This option allows to set the preferred elliptic curves in a specific order.
+
+The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.
+
+See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    curvePreferences = ["CurveP521", "CurveP384"]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  curvePreferences:
+    - CurveP521
+    - CurveP384
+```
+
 ### Strict SNI Checking
 
 With strict SNI checking, Traefik won't allow connections from clients connections

docs/content/index.md

@@ -20,4 +20,4 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 !!! info
 
-    If you're a businness running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 
+    If you're a business running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://info.containo.us/commercial-services) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 

docs/content/middlewares/addprefix.md

@@ -26,6 +26,11 @@ spec:
     prefix: /foo
 ```
 
+```yaml tab="Consul Catalog"
+# Prefixing with /foo
+- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
@@ -58,4 +63,5 @@ http:
 
 ### `prefix`
 
-`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).
+`prefix` is the string to add before the current path in the requested URL.
+It should include the leading slash (`/`).

docs/content/middlewares/basicauth.md

@@ -30,6 +30,10 @@ spec:
     secret: secretName
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
@@ -115,6 +119,11 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+# Declaring the user list
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
@@ -186,6 +195,10 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
@@ -237,6 +250,10 @@ spec:
     realm: MyRealm
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
@@ -282,6 +299,10 @@ spec:
     headerField: X-WebAuth-User
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
@@ -322,6 +343,10 @@ spec:
     removeHeader: true
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"

docs/content/middlewares/buffering.md

@@ -30,6 +30,11 @@ spec:
     maxRequestBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+# Sets the maximum request body to 2Mb
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
@@ -81,6 +86,10 @@ spec:
     maxRequestBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
@@ -125,6 +134,10 @@ spec:
     memRequestBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
@@ -171,6 +184,10 @@ spec:
     maxResponseBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
@@ -215,6 +232,10 @@ spec:
     memResponseBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
@@ -261,6 +282,10 @@ You can have the Buffering middleware replay the request with the help of the `r
         retryExpression: "IsNetworkError() && Attempts() < 2"
     ```
     
+    ```yaml tab="Consul Catalog"
+    - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+        
     ```json tab="Marathon"
     "labels": {
       "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"

docs/content/middlewares/chain.md

@@ -83,6 +83,17 @@ spec:
     - 127.0.0.1/32
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.routers.router1.service=service1"
+- "traefik.http.routers.router1.middlewares=secured"
+- "traefik.http.routers.router1.rule=Host(`mydomain`)"
+- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "http.services.service1.loadbalancer.server.port=80"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.routers.router1.service": "service1",

docs/content/middlewares/circuitbreaker.md

@@ -45,6 +45,11 @@ spec:
     expression: LatencyAtQuantileMS(50.0) > 100
 ```
 
+```yaml tab="Consul Catalog"
+# Latency Check
+- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"

docs/content/middlewares/compress.md

@@ -25,6 +25,11 @@ spec:
   compress: {}
 ```
 
+```yaml tab="Consul Catalog"
+# Enable gzip compression
+- "traefik.http.middlewares.test-compress.compress=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-compress.compress": "true"
@@ -58,3 +63,59 @@ http:
     * The response body is larger than `1400` bytes.
     * The `Accept-Encoding` request header contains `gzip`.
     * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
+
+## Configuration Options
+
+### `excludedContentTypes`
+
+`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests to before compressing.
+
+The requests with content types defined in `excludedContentTypes` are not compressed.
+
+Content types are compared in a case-insensitive, whitespace-ignored manner.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    excludedContentTypes:
+      - text/event-stream
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.excludedcontenttypes": "text/event-stream"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    excludedContentTypes = ["text/event-stream"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+```

docs/content/middlewares/digestauth.md

@@ -26,6 +26,11 @@ spec:
     secret: userssecret
 ```
 
+```yaml tab="Consul Catalog"
+# Declaring the user list
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -100,6 +105,10 @@ data:
     dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -168,6 +177,10 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
@@ -219,6 +232,10 @@ spec:
     realm: MyRealm
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
@@ -264,9 +281,8 @@ spec:
     headerField: X-WebAuth-User
 ```
 
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
 
 ```json tab="Marathon"
@@ -275,6 +291,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares.my-auth.digestAuth]
   # ...
@@ -309,6 +330,10 @@ spec:
     removeHeader: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"

docs/content/middlewares/errorpages.md

@@ -35,6 +35,13 @@ spec:
       port: 80
 ```
 
+```yaml tab="Consul Catalog"
+# Dynamic Custom Error Page for 5XX Status Code
+- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-errorpage.errors.status": "500-599",

docs/content/middlewares/forwardauth.md

@@ -28,6 +28,11 @@ spec:
     address: https://authserver.com/auth
 ```
 
+```yaml tab="Consul Catalog"
+# Forward authentication to authserver.com
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
@@ -77,6 +82,10 @@ spec:
     address: https://authserver.com/auth 
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
@@ -122,6 +131,10 @@ spec:
     trustForwardHeader: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
@@ -171,6 +184,10 @@ spec:
       - X-Secret
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
@@ -235,6 +252,10 @@ data:
   ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
@@ -290,6 +311,10 @@ spec:
       caOptional: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
@@ -352,6 +377,11 @@ data:
   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
@@ -421,6 +451,11 @@ data:
   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
@@ -474,7 +509,12 @@ metadata:
 spec:
   forwardAuth:
     address: https://authserver.com/auth
-    insecureSkipVerify: true
+    tls:
+      insecureSkipVerify: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```
 
 ```json tab="Marathon"
@@ -492,7 +532,8 @@ labels:
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
     address = "https://authserver.com/auth"
-    insecureSkipVerify: true
+    [http.middlewares.test-auth.forwardAuth.tls]
+      insecureSkipVerify: true
 ```
 
 ```yaml tab="File (YAML)"
@@ -501,5 +542,6 @@ http:
     test-auth:
       forwardAuth:
         address: "https://authserver.com/auth"
-        insecureSkipVerify: true
+        tls:
+          insecureSkipVerify: true
 ```

docs/content/middlewares/headers.md

@@ -32,6 +32,11 @@ spec:
       X-Custom-Response-Header: "value"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
@@ -91,6 +96,10 @@ spec:
       X-Custom-Response-Header: "" # Removes
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
@@ -146,6 +155,11 @@ spec:
     sslRedirect: "true"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.framedeny=true"
+- "traefik.http.middlewares.testheader.headers.sslredirect=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.framedeny": "true",
@@ -162,8 +176,8 @@ labels:
 ```toml tab="File (TOML)"    
 [http.middlewares]
   [http.middlewares.testHeader.headers]
-    FrameDeny = true
-    SSLRedirect = true
+    frameDeny = true
+    sslRedirect = true
 ```
 
 ```yaml tab="File (YAML)"  
@@ -171,8 +185,8 @@ http:
   middlewares:
     testHeader:
       headers:
-        FrameDeny: true
-        SSLRedirect: true
+        frameDeny: true
+        sslRedirect: true
 ```
 
 ### CORS Headers
@@ -204,6 +218,13 @@ spec:
     addVaryHeader: "true"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
@@ -235,7 +256,7 @@ http:
   middlewares:
     testHeader:
       headers:
-        accessControlAllowMethod:
+        accessControlAllowMethods:
           - GET
           - OPTIONS
           - PUT

docs/content/middlewares/inflightreq.md

@@ -24,6 +24,11 @@ spec:
     amount: 10
 ```
 
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
@@ -74,6 +79,11 @@ spec:
     amount: 10
 ```
 
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
@@ -146,9 +156,8 @@ spec:
         depth: 2
 ```
 
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```
 
 ```json tab="Marathon"
@@ -157,6 +166,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]
@@ -209,6 +223,10 @@ spec:
         - 192.168.1.7
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
@@ -259,9 +277,8 @@ spec:
       requestHeaderName: username
 ```
 
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
 ```json tab="Marathon"
@@ -270,6 +287,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]
@@ -306,9 +328,8 @@ spec:
       requestHost: true
 ```
 
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```yaml tab="Cosul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
 ```json tab="Marathon"
@@ -317,6 +338,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]

docs/content/middlewares/ipwhitelist.md

@@ -27,6 +27,11 @@ spec:
       - 192.168.1.7
 ```
 
+```yaml tab="Consul Catalog"
+# Accepts request from defined IP
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
@@ -61,7 +66,7 @@ http:
 
 ### `sourceRange`
 
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 
 ### `ipStrategy`
 
@@ -95,11 +100,10 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
           depth: 2
     ```
     
-    ```yaml tab="Rancher"
+    ```yaml tab="Consul Catalog"
     # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    labels:
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
     ```
     
     ```json tab="Marathon"
@@ -109,6 +113,13 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     }
     ```
     
+    ```yaml tab="Rancher"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    labels:
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+    ```
+    
     ```toml tab="File (TOML)"
     # Whitelisting Based on `X-Forwarded-For` with `depth=2`
     [http.middlewares]
@@ -168,10 +179,9 @@ spec:
         - 192.168.1.7
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
-labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
@@ -180,6 +190,12 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+# Exclude from `X-Forwarded-For`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]

docs/content/middlewares/overview.md

@@ -63,6 +63,13 @@ spec:
       - name: stripprefix
 ```
 
+```yaml tab="Consul Catalog"
+# Create a middleware named `foo-add-prefix`
+- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+# Apply the middleware named `foo-add-prefix` to the router named `router1`
+- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
@@ -183,14 +190,14 @@ and therefore this specification would be ignored even if present.
       routes:
         - match: Host(`bar.com`)
           kind: Rule
-        services:
-          - name: whoami
-            port: 80
-        middlewares:
-          - name: add-foo-prefix@file
-          # namespace: bar
-          # A namespace specification such as above is ignored
-          # when the cross-provider syntax is used.
+          services:
+            - name: whoami
+              port: 80
+          middlewares:
+            - name: add-foo-prefix@file
+            # namespace: bar
+            # A namespace specification such as above is ignored
+            # when the cross-provider syntax is used.
     ```
 
 ## Available Middlewares

docs/content/middlewares/passtlsclientcert.md

@@ -29,6 +29,11 @@ spec:
     pem: true
 ```
 
+```yaml tab="Consul Catalog"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
+- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
@@ -111,26 +116,25 @@ http:
             domainComponent: true
     ```
     
-    ```yaml tab="Rancher"
+    ```yaml tab="Consul Catalog"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    labels:
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
         
     ```json tab="Marathon"
@@ -154,6 +158,28 @@ http:
       "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
     }
     ```
+    
+    ```yaml tab="Rancher"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    labels:
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```
 
     ```toml tab="File (TOML)"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
@@ -219,7 +245,10 @@ PassTLSClientCert can add two headers to the request:
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
 
 !!! info
-    The headers are filled with escaped string so it can be safely placed inside a URL query.
+
+    * The headers are filled with escaped string so it can be safely placed inside a URL query.
+    * These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
+    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
 
 In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.
 
@@ -377,7 +406,7 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
 !!! info "Extracted data"
     
     The delimiters and `\n` will be removed.  
-    If there are more than one certificate, they are separated by a "`;`".
+    If there are more than one certificate, they are separated by a "`,`".
 
 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
 
@@ -392,12 +421,12 @@ The value of the header will be an escaped concatenation of all the selected cer
 The following example shows an unescaped result that uses all the available fields: 
 
 ```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "Multiple certificates"
 
-    If there are more than one certificate, they are separated by a `;`.
+    If there are more than one certificate, they are separated by a `,`.
 
 #### `info.notAfter`
 
@@ -413,7 +442,7 @@ The data are taken from the following certificate part:
 The escape `notAfter` info part will be like:
 
 ```text
-NA=1607166616
+NA="1607166616"
 ```
 
 #### `info.notBefore`
@@ -430,7 +459,7 @@ Validity
 The escape `notBefore` info part will be like:
 
 ```text
-NB=1544094616
+NB="1544094616"
 ```
 
 #### `info.sans`
@@ -447,7 +476,7 @@ The data are taken from the following certificate part:
 The escape SANs info part will be like:
 
 ```text
-SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "multiple values"

docs/content/middlewares/ratelimit.md

@@ -28,6 +28,13 @@ spec:
       burst: 50
 ```
 
+```yaml tab="Consul Catalog"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
@@ -85,6 +92,10 @@ spec:
       average: 100
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
@@ -130,6 +141,10 @@ spec:
       burst: 100
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
@@ -138,8 +153,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
-  		
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
 ```
 
 ```toml tab="File (TOML)"
@@ -204,9 +218,8 @@ spec:
         - 192.168.1.7
 ```
 
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
@@ -215,6 +228,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
@@ -268,9 +286,8 @@ spec:
       requestHeaderName: username
 ```
 
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
 
 ```json tab="Marathon"
@@ -279,6 +296,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
@@ -315,9 +337,8 @@ spec:
       requestHost: true
 ```
 
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
 
 ```json tab="Marathon"
@@ -326,6 +347,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]

docs/content/middlewares/redirectregex.md

@@ -31,6 +31,13 @@ spec:
     replacement: http://mydomain/${1}
 ```
 
+```yaml tab="Consul Catalog"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",

docs/content/middlewares/redirectscheme.md

@@ -7,7 +7,7 @@ Redirecting the Client to a Different Scheme/Port
 TODO: add schema
 -->
 
-RegexRedirect redirect request from a scheme to another.
+RedirectScheme redirect request from a scheme to another.
 
 ## Configuration Examples
 
@@ -28,6 +28,12 @@ spec:
     scheme: https
 ```
 
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"

docs/content/middlewares/replacepath.md

@@ -28,6 +28,11 @@ spec:
     path: /foo
 ```
 
+```yaml tab="Consul Catalog"
+# Replace the path by /foo
+- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"

docs/content/middlewares/replacepathregex.md

@@ -15,7 +15,7 @@ The ReplaceRegex replace a path from an url to another with regex matching and r
 # Replace path with regex
 labels:
   - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$$1"
 ```
 
 ```yaml tab="Kubernetes"
@@ -30,6 +30,12 @@ spec:
     replacement: /bar/$1
 ```
 
+```yaml tab="Consul Catalog"
+# Replace path with regex
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",

docs/content/middlewares/retry.md

@@ -29,6 +29,11 @@ spec:
     attempts: 4
 ```
 
+```yaml tab="Consul Catalog"
+# Retry to send request 4 times
+- "traefik.http.middlewares.test-retry.retry.attempts=4"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-retry.retry.attempts": "4"

docs/content/middlewares/stripprefix.md

@@ -30,6 +30,11 @@ spec:
       - /fiibar
 ```
 
+```yaml tab="Consul Catalog"
+# Strip prefix /foobar and /fiibar
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
@@ -85,3 +90,85 @@ If your backend is serving assets (e.g., images or Javascript files), chances ar
 Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
 
 The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
+
+### `forceSlash`
+
+_Optional, Default=true_
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceslash=false"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: example
+spec:
+  stripPrefix:
+    prefixes:
+      - "/foobar"
+    forceSlash: false
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
+  "traefik.http.middlewares.example.stripprefix.forceslash": "false"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.example.stripPrefix]
+    prefixes = ["/foobar"]
+    forceSlash = false
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    example:
+      stripPrefix:
+        prefixes:
+          - "/foobar"
+        forceSlash: false
+```
+
+The `forceSlash` option makes sure that the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
+
+This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
+
+It's recommended to explicitly set `forceSlash` to `false`.
+
+??? info "Behavior examples"
+    
+    - `forceSlash=true`
+    
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | `/`    |
+    | `/foo`     | `/foo`          | `/`    |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | `/`    |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+    
+    - `forceSlash=false`
+    
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | empty  |
+    | `/foo`     | `/foo`          | empty  |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | empty  |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |

docs/content/middlewares/stripprefixregex.md

@@ -23,6 +23,10 @@ spec:
       - "/foo/[a-z0-9]+/[0-9]+/"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "/foo/[a-z0-9]+/[0-9]+/"

docs/content/migration/v1-to-v2.md

@@ -3,13 +3,13 @@
 How to Migrate from Traefik v1 to Traefik v2.
 {: .subtitle }
 
-The version 2 of Traefik introduces a number of breaking changes, 
+The version 2 of Traefik introduces a number of breaking changes,
 which require one to update their configuration when they migrate from v1 to v2.
-The goal of this page is to recapitulate all of these changes, and in particular to give examples, 
+The goal of this page is to recapitulate all of these changes, and in particular to give examples,
 feature by feature, of how the configuration looked like in v1, and how it now looks like in v2.
 
 !!! info "Migration Helper"
-    
+
     We created a tool to help during the migration: [traefik-migration-tool](https://github.com/containous/traefik-migration-tool)
 
     This tool allows to:
@@ -32,11 +32,11 @@ Then any router can refer to an instance of the wanted middleware.
 !!! example "One frontend with basic auth and one backend, become one router, one service, and one basic auth middleware."
 
     !!! info "v1"
-    
+
     ```yaml tab="Docker"
     labels:
       - "traefik.frontend.rule=Host:test.localhost;PathPrefix:/test"
-      - "traefik.frontend.auth.basic.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+      - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
     ```
 
     ```yaml tab="K8s Ingress"
@@ -92,19 +92,19 @@ Then any router can refer to an instance of the wanted middleware.
         [backends.backend1.loadBalancer]
           method = "wrr"
     ```
-    
+
     !!! info "v2"
-    
+
     ```yaml tab="Docker"
     labels:
       - "traefik.http.routers.router0.rule=Host(`bar.com`) && PathPrefix(`/test`)"
       - "traefik.http.routers.router0.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+      - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
     ```
 
     ```yaml tab="K8s IngressRoute"
-    # The definitions below require the definitions for the Middleware and IngressRoute kinds.  
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
+    # https://docs.traefik.io/v2.1/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
@@ -155,7 +155,7 @@ Then any router can refer to an instance of the wanted middleware.
     [http.middlewares]
       [http.middlewares.auth.basicAuth]
         users = [
-          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
           "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
         ]
     ```
@@ -184,7 +184,7 @@ Then any router can refer to an instance of the wanted middleware.
               - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
     ```
 
-## TLS configuration is now dynamic, per router.
+## TLS Configuration Is Now Dynamic, per Router.
 
 TLS parameters used to be specified in the static configuration, as an entryPoint field.
 With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations.
@@ -204,19 +204,23 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
           minVersion = "VersionTLS12"
           cipherSuites = [
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_RSA_WITH_AES_256_GCM_SHA384"
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            ]
           [[entryPoints.web-secure.tls.certificates]]
             certFile = "path/to/my.cert"
             keyFile = "path/to/my.key"
     ```
-    
+
     ```bash tab="CLI"
-    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384'
+    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
     ```
-    
+
     !!! info "v2"
-    
+
     ```toml tab="File (TOML)"
     # dynamic configuration
     [http.routers]
@@ -238,11 +242,15 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       [tls.options.myTLSOptions]
         minVersion = "VersionTLS13"
         cipherSuites = [
-              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-              "TLS_RSA_WITH_AES_256_GCM_SHA384"
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             ]
     ```
-    
+
     ```yaml tab="File (YAML)"
     http:
       routers:
@@ -261,13 +269,16 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
         myTLSOptions:
           minVersion: VersionTLS13
           cipherSuites:
-            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-            - TLS_RSA_WITH_AES_256_GCM_SHA384
+	        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+	        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+	        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+	        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+	        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     ```
-    
+
     ```yaml tab="K8s IngressRoute"
-    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.  
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
+    # https://docs.traefik.io/v2.1/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: TLSOption
     metadata:
@@ -277,8 +288,11 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
     spec:
       minVersion: VersionTLS13
       cipherSuites:
-        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-        - TLS_RSA_WITH_AES_256_GCM_SHA384
+	    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+	    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+	    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+	    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+	    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     
     ---
     apiVersion: traefik.containo.us/v1alpha1
@@ -296,11 +310,11 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
             - name: whoami
               port: 80
       tls:
-        options: 
+        options:
           name: mytlsoption
           namespace: default
     ```
-    
+
     ```yaml tab="Docker"
     labels:
       # myTLSOptions must be defined by another provider, in this instance in the File Provider.
@@ -308,7 +322,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       - "traefik.http.routers.router0.tls.options=myTLSOptions@file"
     ```
 
-## HTTP to HTTPS Redirection is now configured on Routers
+## HTTP to HTTPS Redirection Is Now Configured on Routers
 
 Previously on Traefik v1, the redirection was applied on an entry point or on a frontend.
 With Traefik v2 it is applied on a [Router](../routing/routers/index.md). 
@@ -336,14 +350,14 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
             certFile = "examples/traefik.crt"
             keyFile = "examples/traefik.key"
     ```
-    
+
     ```bash tab="CLI"
     --entrypoints=Name:web Address::80 Redirect.EntryPoint:web-secure
     --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key'
     ```
-    
+
     !!! info "v2"
-    
+
     ```yaml tab="Docker"
     labels:
     - traefik.http.routers.web.rule=Host(`foo.com`)
@@ -413,7 +427,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     ##---------------------##
     
     ## dynamic configuration
-    # dymanic-conf.toml
+    # dynamic-conf.toml
     
     [http.routers]
       [http.routers.router0]
@@ -440,9 +454,9 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     
     [[tls.certificates]]
       certFile = "/path/to/domain.cert"
-      keyFile = "/path/to/domain.key"    
+      keyFile = "/path/to/domain.key"
     ```
-    
+
     ```yaml tab="File (YAML)"
     ## static configuration
     # traefik.yml
@@ -457,7 +471,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     ##---------------------##
     
     ## dynamic configuration
-    # dymanic-conf.yml
+    # dynamic-conf.yml
     
     http:
       routers:
@@ -492,7 +506,139 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
       certificates:
         - certFile: /app/certs/server/server.pem
           keyFile: /app/certs/server/server.pem
-    ``` 
+    ```
+
+## Strip and Rewrite Path Prefixes
+
+With the new core notions of v2 (introduced earlier in the section
+["Frontends and Backends Are Dead... Long Live Routers, Middlewares, and Services"](#frontends-and-backends-are-dead-long-live-routers-middlewares-and-services)),
+transforming the URL path prefix of incoming requests is configured with [middlewares](../../middlewares/overview/),
+after the routing step with [router rule `PathPrefix`](https://docs.traefik.io/v2.0/routing/routers/#rule).
+
+Use Case: Incoming requests to `http://company.org/admin` are forwarded to the webapplication "admin",
+with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, you must:
+
+* First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
+* Then, define a middleware of type [`stripprefix`](../../middlewares/stripprefix/), which remove the prefix `/admin`, associated to the router `admin`.
+
+!!! example "Strip Path Prefix When Forwarding to Backend"
+
+    !!! info "v1"
+
+    ```yaml tab="Docker"
+    labels:
+      - "traefik.frontend.rule=Host:company.org;PathPrefixStrip:/admin"
+    ```
+
+    ```yaml tab="Kubernetes Ingress"
+    apiVersion: networking.k8s.io/v1beta1
+    kind: Ingress
+    metadata:
+      name: traefik
+      annotations:
+        kubernetes.io/ingress.class: traefik
+        traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
+    spec:
+      rules:
+      - host: company.org
+        http:
+          paths:
+          - path: /admin
+            backend:
+              serviceName: admin-svc
+              servicePort: admin
+    ```
+
+    ```toml tab="File (TOML)"
+    [frontends.admin]
+      [frontends.admin.routes.admin_1]
+      rule = "Host:company.org;PathPrefixStrip:/admin"
+    ```
+
+    !!! info "v2"
+
+    ```yaml tab="Docker"
+    labels:
+      - "traefik.http.routers.admin.rule=Host(`company.org`) && PathPrefix(`/admin`)"
+      - "traefik.http.routers.admin.middlewares=admin-stripprefix"
+      - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
+    ```
+
+    ```yaml tab="Kubernetes IngressRoute"
+    ---
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: http-redirect-ingressRoute
+      namespace: admin-web
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - match: Host(`company.org`) && PathPrefix(`/admin`)
+          kind: Rule
+          services:
+            - name: admin-svc
+              port: admin
+          middlewares:
+            - name: admin-stripprefix
+    ---
+    kind: Middleware
+    metadata:
+      name: admin-stripprefix
+    spec:
+      stripPrefix:
+        prefixes:
+          - /admin
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    # dynamic-conf.toml
+
+    [http.routers.router1]
+        rule = "Host(`company.org`) && PathPrefix(`/admin`)"
+        service = "admin-svc"
+        entrypoints = ["web"]
+        middlewares = ["admin-stripprefix"]
+
+    [http.middlewares]
+      [http.middlewares.admin-stripprefix.stripPrefix]
+      prefixes = ["/admin"]
+    
+    # ...
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic Configuration
+    # dynamic-conf.yml
+
+    # As YAML Configuration File
+    http:
+      routers:
+        admin:
+          service: admin-svc
+          middlewares:
+            - "admin-stripprefix"
+          rule: "Host(`company.org`) && PathPrefix(`/admin`)"
+
+      middlewares:
+        admin-stripprefix:
+          stripPrefix:
+            prefixes: 
+            - "/admin"
+
+    # ...
+    ```
+
+??? question "What About Other Path Transformations?"
+
+    Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/stripprefix/), you can also:
+
+    * Add a path prefix with the [`addprefix` middleware](../../middlewares/addprefix/)
+    * Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/replacepath/)
+    * ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/replacepathregex/)
+    * And a lot more on the [`middlewares` page](../../middlewares/overview/)
 
 ## ACME (LetsEncrypt)
 
@@ -522,7 +668,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
       [acme.httpChallenge]
         entryPoint = "web"
     ```
-    
+
     ```bash tab="CLI"
     --defaultentrypoints=web-secure,web
     --entryPoints=Name:web Address::80 Redirect.EntryPoint:web-secure
@@ -533,9 +679,9 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     --acme.onHostRule=true
     --acme.httpchallenge.entrypoint=http
     ```
-    
+
     !!! info "v2"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     [entryPoints]
@@ -552,7 +698,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
         # used during the challenge
         entryPoint = "web"
     ```
-    
+
     ```yaml tab="File (YAML)"
     entryPoints:
       web:
@@ -569,14 +715,14 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
           httpChallenge:
             # used during the challenge
             entryPoint: web
-    ``` 
-    
+    ```
+
     ```bash tab="CLI"
-    --entryPoints.web.address=":80"
-    --entryPoints.websecure.address=":443"
-    --certificatesResolvers.sample.acme.email: your-email@your-domain.org
-    --certificatesResolvers.sample.acme.storage: acme.json
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint: web
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    --certificatesResolvers.sample.acme.email=your-email@your-domain.org
+    --certificatesResolvers.sample.acme.storage=acme.json
+    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
     ```
 
 ## Traefik Logs
@@ -587,7 +733,7 @@ There is no more log configuration at the root level.
 !!! example "Simple log configuration"
 
     !!! info "v1"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     logLevel = "DEBUG"
@@ -596,15 +742,15 @@ There is no more log configuration at the root level.
       filePath = "/path/to/traefik.log"
       format   = "json"
     ```
-    
+
     ```bash tab="CLI"
-    --logLevel="DEBUG"
-    --traefikLog.filePath="/path/to/traefik.log"
-    --traefikLog.format="json"
+    --logLevel=DEBUG
+    --traefikLog.filePath=/path/to/traefik.log
+    --traefikLog.format=json
     ```
-    
+
     !!! info "v2"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     [log]
@@ -612,29 +758,29 @@ There is no more log configuration at the root level.
       filePath = "/path/to/log-file.log"
       format = "json"
     ```
-    
+
     ```yaml tab="File (YAML)"
     # static configuration
     log:
       level: DEBUG
       filePath: /path/to/log-file.log
       format: json
-    ``` 
-    
+    ```
+
     ```bash tab="CLI"
-    --log.level="DEBUG"
-    --log.filePath="/path/to/traefik.log"
-    --log.format="json"
+    --log.level=DEBUG
+    --log.filePath=/path/to/traefik.log
+    --log.format=json
     ```
 
 ## Tracing
 
 Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is gone, you just have to set your [tracing configuration](../observability/tracing/overview.md).
-	
+
 !!! example "Simple Jaeger tracing configuration"
 
     !!! info "v1"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     [tracing]
@@ -646,18 +792,18 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
         samplingType = "const"
         localAgentHostPort = "12.0.0.1:6831"
     ```
-    
+
     ```bash tab="CLI"
-    --tracing.backend="jaeger"
-    --tracing.servicename="tracing"
-    --tracing.jaeger.localagenthostport="12.0.0.1:6831"
-    --tracing.jaeger.samplingparam="1.0"
-    --tracing.jaeger.samplingserverurl="http://12.0.0.1:5778/sampling"
-    --tracing.jaeger.samplingtype="const" 
+    --tracing.backend=jaeger
+    --tracing.servicename=tracing
+    --tracing.jaeger.localagenthostport=12.0.0.1:6831
+    --tracing.jaeger.samplingparam=1.0
+    --tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling
+    --tracing.jaeger.samplingtype=const
     ```
-    
+
     !!! info "v2"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     [tracing]
@@ -668,7 +814,7 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
         samplingType = "const"
         localAgentHostPort = "12.0.0.1:6831"
     ```
-    
+
     ```yaml tab="File (YAML)"
     # static configuration
     tracing:
@@ -678,46 +824,46 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
         samplingServerURL: 'http://12.0.0.1:5778/sampling'
         samplingType: const
         localAgentHostPort: '12.0.0.1:6831'
-    ``` 
-    
+    ```
+
     ```bash tab="CLI"
-    --tracing.servicename="tracing"
-    --tracing.jaeger.localagenthostport="12.0.0.1:6831"
-    --tracing.jaeger.samplingparam="1.0"
-    --tracing.jaeger.samplingserverurl="http://12.0.0.1:5778/sampling"
-    --tracing.jaeger.samplingtype="const"
+    --tracing.servicename=tracing
+    --tracing.jaeger.localagenthostport=12.0.0.1:6831
+    --tracing.jaeger.samplingparam=1.0
+    --tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling
+    --tracing.jaeger.samplingtype=const
     ```
 
 ## Metrics
 
 The v2 retains metrics tools and allows metrics to be configured for the entrypoints and/or services.
-For a basic configuration, the [metrics configuration](../observability/metrics/overview.md) remains the same.     
+For a basic configuration, the [metrics configuration](../observability/metrics/overview.md) remains the same.
 
 !!! example "Simple Prometheus metrics configuration"
 
     !!! info "v1"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     [metrics.prometheus]
       buckets = [0.1,0.3,1.2,5.0]
       entryPoint = "traefik"
     ```
-    
+
     ```bash tab="CLI"
     --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
-    --metrics.prometheus.entrypoint="traefik"
+    --metrics.prometheus.entrypoint=traefik
     ```
-    
+
     !!! info "v2"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     [metrics.prometheus]
       buckets = [0.1,0.3,1.2,5.0]
       entryPoint = "metrics"
     ```
-    
+
     ```yaml tab="File (YAML)"
     # static configuration
     metrics:
@@ -728,22 +874,22 @@ For a basic configuration, the [metrics configuration](../observability/metrics/
           - 1.2
           - 5
         entryPoint: metrics
-    ``` 
-    
-    ```bash tab="CLI"
-    --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
-    --metrics.prometheus.entrypoint="metrics"
     ```
 
-## No more root level key/values
+    ```bash tab="CLI"
+    --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
+    --metrics.prometheus.entrypoint=metrics
+    ```
+
+## No More Root Level Key/Values
 
 To avoid any source of confusion, there are no more configuration at the root level.
 Each root item has been moved to a related section or removed.
 
 !!! example "From root to dedicated section"
- 
+
     !!! info "v1"
- 
+
     ```toml tab="File (TOML)"
     # static configuration
     checkNewVersion = false
@@ -758,23 +904,23 @@ Each root item has been moved to a related section or removed.
     defaultEntryPoints = ["web", "web-secure"]
     keepTrailingSlash = false
     ```
-    
+
     ```bash tab="CLI"
     --checknewversion=false
     --sendanonymoususage=true
-    --loglevel="DEBUG"
+    --loglevel=DEBUG
     --insecureskipverify=true
-    --rootcas="/mycert.cert"
+    --rootcas=/mycert.cert
     --maxidleconnsperhost=200
-    --providersthrottleduration="2s"
+    --providersthrottleduration=2s
     --allowminweightzero=true
     --debug=true
-    --defaultentrypoints="web","web-secure"
+    --defaultentrypoints=web,web-secure
     --keeptrailingslash=true
     ```
-    
+
     !!! info "v2"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     [global]
@@ -790,9 +936,9 @@ Each root item has been moved to a related section or removed.
       maxIdleConnsPerHost = 42
     
     [providers]
-      providersThrottleDuration = 42    
+      providersThrottleDuration = 42
     ```
-    
+
     ```yaml tab="File (YAML)"
     # static configuration
     global:
@@ -810,34 +956,34 @@ Each root item has been moved to a related section or removed.
     
     providers:
       providersThrottleDuration: 42
-    ``` 
-    
+    ```
+
     ```bash tab="CLI"
     --global.checknewversion=true
     --global.sendanonymoususage=true
-    --log.level="DEBUG"
+    --log.level=DEBUG
     --serverstransport.insecureskipverify=true
-    --serverstransport.rootcas="/mycert.cert"
+    --serverstransport.rootcas=/mycert.cert
     --serverstransport.maxidleconnsperhost=42
     --providers.providersthrottleduration=42
     ```
-    
+
 ## Dashboard
 
-You need to activate the [API](../operations/dashboard.md#enabling-the-dashboard) to access the dashboard.
+You need to activate the API to access the [dashboard](../operations/dashboard.md).
 As the dashboard access is now secured by default you can either:
 
 * define a  [specific router](../operations/api.md#configuration) with the `api@internal` service and one authentication middleware like the following example
-* or use the [unsecure](../operations/api.md#insecure) option of the API
+* or use the [insecure](../operations/api.md#insecure) option of the API
 
 !!! info "Dashboard with k8s and dedicated router"
 
     As `api@internal` is not a Kubernetes service, you have to use the file provider or the `insecure` API option.
-    
+
 !!! example "Activate and access the dashboard"
 
     !!! info "v1"
-    
+
     ```toml tab="File (TOML)"
     ## static configuration
     # traefik.toml
@@ -854,14 +1000,14 @@ As the dashboard access is now secured by default you can either:
     [api]
       entryPoint = "web-secure"
     ```
-    
+
     ```bash tab="CLI"
     --entryPoints='Name:web-secure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
     --api
     ```
-    
+
     !!! info "v2"
-    
+
     ```yaml tab="Docker"
     # dynamic configuration
     labels:
@@ -870,7 +1016,7 @@ As the dashboard access is now secured by default you can either:
       - "traefik.http.routers.api.service=api@internal"
       - "traefik.http.routers.api.middlewares=myAuth"
       - "traefik.http.routers.api.tls"
-      - "traefik.http.middlewares.myAuth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+      - "traefik.http.middlewares.myAuth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
     ```
 
     ```toml tab="File (TOML)"
@@ -883,12 +1029,12 @@ As the dashboard access is now secured by default you can either:
     [api]
     
     [providers.file]
-        filename = "/dymanic-conf.toml"
+      directory = "/path/to/dynamic/config"
     
     ##---------------------##
     
     ## dynamic configuration
-    # dymanic-conf.toml
+    # /path/to/dynamic/config/dynamic-conf.toml
     
     [http.routers.api]
       rule = "Host(`traefik.docker.localhost`)"
@@ -902,7 +1048,7 @@ As the dashboard access is now secured by default you can either:
         "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
       ]
     ```
-    
+
     ```yaml tab="File (YAML)"
     ## static configuration
     # traefik.yaml
@@ -915,12 +1061,12 @@ As the dashboard access is now secured by default you can either:
     
     providers:
       file:
-        filename: /dymanic-conf.yaml
+        directory: /path/to/dynamic/config
    
     ##---------------------##
     
     ## dynamic configuration
-    # dymanic-conf.yaml
+    # /path/to/dynamic/config/dynamic-conf.yaml
     
      http:
       routers:
@@ -938,8 +1084,8 @@ As the dashboard access is now secured by default you can either:
           basicAuth:
             users:
               - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
-    ``` 
-    
+    ```
+
 ## Providers
 
 Supported [providers](../providers/overview.md), for now:
@@ -947,7 +1093,7 @@ Supported [providers](../providers/overview.md), for now:
 * [ ] Azure Service Fabric
 * [ ] BoltDB
 * [ ] Consul
-* [ ] Consul Catalog
+* [x] Consul Catalog
 * [x] Docker
 * [ ] DynamoDB
 * [ ] ECS
@@ -962,7 +1108,7 @@ Supported [providers](../providers/overview.md), for now:
 * [x] Rest
 * [ ] Zookeeper
 
-## Some Tips You Should Known
+## Some Tips You Should Know
 
 * Different sources of static configuration (file, CLI flags, ...) cannot be [mixed](../getting-started/configuration-overview.md#the-static-configuration).
 * Now, configuration elements can be referenced between different providers by using the provider namespace notation: `@<provider>`.

docs/content/migration/v2.md

@@ -0,0 +1,99 @@
+# Migration: Steps needed between the versions
+
+## v2.0 to v2.1
+
+In v2.1, a new CRD called `TraefikService` was added. While updating an installation to v2.1,
+it is required to apply that CRD before as well as enhance the existing `ClusterRole` definition to allow Traefik to use that CRD.
+
+To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TraefikService"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutetcps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - traefikservices
+    verbs:
+      - get
+      - list
+      - watch
+```
+
+After having both resources applied, Traefik will work properly.

docs/content/observability/access-logs.md

@@ -61,7 +61,7 @@ accessLog:
 ```bash tab="CLI"
 # Configuring a buffer of 100 lines
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
+--accesslog.filepath=/path/to/access.log
 --accesslog.bufferingsize=100
 ```
 
@@ -104,11 +104,11 @@ accessLog:
 ```bash tab="CLI"
 # Configuring Multiple Filters
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
---accesslog.format="json"
---accesslog.filters.statuscodes="200, 300-302"
+--accesslog.filepath=/path/to/access.log
+--accesslog.format=json
+--accesslog.filters.statuscodes=200,300-302
 --accesslog.filters.retryattempts
---accesslog.filters.minduration="10ms"
+--accesslog.filters.minduration=10ms
 ```
 
 ### Limiting the Fields
@@ -164,14 +164,14 @@ accessLog:
 ```bash tab="CLI"
 # Limiting the Logs to Specific Fields
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
---accesslog.format="json"
---accesslog.fields.defaultmode="keep"
---accesslog.fields.names.ClientUsername="drop"
---accesslog.fields.headers.defaultmode="keep"
---accesslog.fields.headers.names.User-Agent="redact"
---accesslog.fields.headers.names.Authorization="drop"
---accesslog.fields.headers.names.Content-Type="keep"
+--accesslog.filepath=/path/to/access.log
+--accesslog.format=json
+--accesslog.fields.defaultmode=keep
+--accesslog.fields.names.ClientUsername=drop
+--accesslog.fields.headers.defaultmode=keep
+--accesslog.fields.headers.names.User-Agent=redact
+--accesslog.fields.headers.names.Authorization=drop
+--accesslog.fields.headers.names.Content-Type=keep
 ```
 
 ??? info "Available Fields"
@@ -180,7 +180,7 @@ accessLog:
     |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
     | `StartUTC`              | The time at which request processing started.                                                                                                                       |
     | `StartLocal`            | The local time at which request processing started.                                                                                                                 |
-    | `Duration`              | The total time taken by processing the response, including the origin server's time but not the log writing time.                                                   |
+    | `Duration`              | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time.                                  |
     | `FrontendName`          | The name of the Traefik frontend.                                                                                                                                   |
     | `BackendName`           | The name of the Traefik backend.                                                                                                                                    |
     | `BackendURL`            | The URL of the Traefik backend.                                                                                                                                     |

docs/content/observability/logs.md

@@ -30,7 +30,7 @@ log:
 
 ```bash tab="CLI"
 # Writing Logs to a File
---log.filePath="/path/to/traefik.log"
+--log.filePath=/path/to/traefik.log
 ```
 
 #### `format`
@@ -53,8 +53,8 @@ log:
 
 ```bash tab="CLI"
 # Writing Logs to a File, in JSON
---log.filePath="/path/to/traefik.log"
---log.format="json"
+--log.filePath=/path/to/traefik.log
+--log.format=json
 ```
 
 #### `level`
@@ -72,7 +72,7 @@ log:
 ```
 
 ```bash tab="CLI"
---log.level="DEBUG"
+--log.level=DEBUG
 ```
 
 ## Log Rotation

docs/content/observability/metrics/datadog.md

@@ -35,7 +35,7 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.datadog.address="127.0.0.1:8125"
+--metrics.datadog.address=127.0.0.1:8125
 ```
 
 #### `addEntryPointsLabels`

docs/content/observability/metrics/influxdb.md

@@ -4,12 +4,12 @@ To enable the InfluxDB:
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb: {}
+  influxDB: {}
 ```
 
 ```bash tab="CLI"
@@ -24,18 +24,18 @@ Address instructs exporter to send metrics to influxdb at this address.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     address = "localhost:8089"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     address: localhost:8089
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.address="localhost:8089"
+--metrics.influxdb.address=localhost:8089
 ```
 
 #### `protocol`
@@ -46,18 +46,18 @@ InfluxDB's address protocol (udp or http).
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     protocol = "udp"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     protocol: udp
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.protocol="udp"
+--metrics.influxdb.protocol=udp
 ```
 
 #### `database`
@@ -68,18 +68,18 @@ InfluxDB database used when protocol is http.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
-    database = ""
+  [metrics.influxDB]
+    database = "db"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
-    database: ""
+  influxDB:
+    database: "db"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.database=""
+--metrics.influxdb.database=db
 ```
 
 #### `retentionPolicy`
@@ -90,18 +90,18 @@ InfluxDB retention policy used when protocol is http.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
-    retentionPolicy = ""
+  [metrics.influxDB]
+    retentionPolicy = "two_hours"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
-    retentionPolicy: ""
+  influxDB:
+    retentionPolicy: "two_hours"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.retentionPolicy=""
+--metrics.influxdb.retentionPolicy=two_hours
 ```
 
 #### `username`
@@ -112,18 +112,18 @@ InfluxDB username (only with http).
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
-    username = ""
+  [metrics.influxDB]
+    username = "john"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
-    username: ""
+  influxDB:
+    username: "john"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.username=""
+--metrics.influxdb.username=john
 ```
 
 #### `password`
@@ -134,18 +134,18 @@ InfluxDB password (only with http).
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
-    password = ""
+  [metrics.influxDB]
+    password = "secret"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
-    password: ""
+  influxDB:
+    password: "secret"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.password=""
+--metrics.influxdb.password=secret
 ```
 
 #### `addEntryPointsLabels`
@@ -156,13 +156,13 @@ Enable metrics on entry points.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     addEntryPointsLabels = true
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     addEntryPointsLabels: true
 ```
 
@@ -178,13 +178,13 @@ Enable metrics on services.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     addServicesLabels = true
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     addServicesLabels: true
 ```
 
@@ -200,13 +200,13 @@ The interval used by the exporter to push metrics to influxdb.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.influxdb]
+  [metrics.influxDB]
     pushInterval = 10s
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  influxdb:
+  influxDB:
     pushInterval: 10s
 ```
 

docs/content/observability/metrics/prometheus.md

@@ -113,6 +113,28 @@ metrics:
 ```
 
 ```bash tab="CLI"
---entryPoints.metrics.address=":8082"
---metrics.prometheus..entryPoint="metrics"
+--entryPoints.metrics.address=:8082
+--metrics.prometheus.entryPoint=metrics
+```
+
+#### `manualRouting`
+
+_Optional, Default=false_
+
+If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `prometheus@internal` service.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    manualRouting = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    manualRouting: true
+```
+
+```bash tab="CLI"
+--metrics.prometheus.manualrouting=true
 ```

docs/content/observability/metrics/statsd.md

@@ -4,12 +4,12 @@ To enable the Statsd:
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd: {}
+  statsD: {}
 ```
 
 ```bash tab="CLI"
@@ -24,18 +24,18 @@ Address instructs exporter to send metrics to statsd at this address.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
     address = "localhost:8125"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd:
+  statsD:
     address: localhost:8125
 ```
 
 ```bash tab="CLI"
---metrics.statsd.address="localhost:8125"
+--metrics.statsd.address=localhost:8125
 ```
 
 #### `addEntryPointsLabels`
@@ -46,13 +46,13 @@ Enable metrics on entry points.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
     addEntryPointsLabels = true
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd:
+  statsD:
     addEntryPointsLabels: true
 ```
 
@@ -68,13 +68,13 @@ Enable metrics on services.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
     addServicesLabels = true
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd:
+  statsD:
     addServicesLabels: true
 ```
 
@@ -90,16 +90,38 @@ The interval used by the exporter to push metrics to statsD.
 
 ```toml tab="File (TOML)"
 [metrics]
-  [metrics.statsd]
+  [metrics.statsD]
     pushInterval = 10s
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
-  statsd:
+  statsD:
     pushInterval: 10s
 ```
 
 ```bash tab="CLI"
 --metrics.statsd.pushInterval=10s
 ```
+
+#### `prefix`
+
+_Optional, Default="traefik"_
+
+The prefix to use for metrics collection.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    prefix = "traefik"
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  statsD:
+    prefix: traefik
+```
+
+```bash tab="CLI"
+--metrics.statsd.prefix="traefik"
+```

docs/content/observability/tracing/datadog.md

@@ -35,7 +35,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.datadog.localAgentHostPort="127.0.0.1:8126"
+--tracing.datadog.localAgentHostPort=127.0.0.1:8126
 ```
 
 #### `debug`
@@ -79,7 +79,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.datadog.globalTag="sample"
+--tracing.datadog.globalTag=sample
 ```
 
 #### `prioritySampling`

docs/content/observability/tracing/haystack.md

@@ -35,7 +35,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.haystack.localAgentHost="127.0.0.1"
+--tracing.haystack.localAgentHost=127.0.0.1
 ```
 
 #### `localAgentPort`
@@ -79,7 +79,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.haystack.globalTag="sample:test"
+--tracing.haystack.globalTag=sample:test
 ```
 
 #### `traceIDHeaderName`
@@ -101,7 +101,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.haystack.traceIDHeaderName="sample"
+--tracing.haystack.traceIDHeaderName=sample
 ```
 
 #### `parentIDHeaderName`
@@ -123,7 +123,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.haystack.parentIDHeaderName="sample"
+--tracing.haystack.parentIDHeaderName=sample
 ```
 
 #### `spanIDHeaderName`
@@ -168,5 +168,5 @@ tracing:
 
 
 ```bash tab="CLI"
---tracing.haystack.baggagePrefixHeaderName="sample"
+--tracing.haystack.baggagePrefixHeaderName=sample
 ```

docs/content/observability/tracing/instana.md

@@ -35,7 +35,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.instana.localAgentHost="127.0.0.1"
+--tracing.instana.localAgentHost=127.0.0.1
 ```
 
 #### `localAgentPort`
@@ -86,5 +86,5 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.instana.logLevel="info"
+--tracing.instana.logLevel=info
 ```

docs/content/observability/tracing/jaeger.md

@@ -39,7 +39,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.samplingServerURL="http://localhost:5778/sampling"
+--tracing.jaeger.samplingServerURL=http://localhost:5778/sampling
 ```
 
 #### `samplingType`
@@ -61,7 +61,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.samplingType="const"
+--tracing.jaeger.samplingType=const
 ```
 
 #### `samplingParam`
@@ -89,7 +89,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.samplingParam="1.0"
+--tracing.jaeger.samplingParam=1.0
 ```
 
 #### `localAgentHostPort`
@@ -111,7 +111,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.localAgentHostPort="127.0.0.1:6831"
+--tracing.jaeger.localAgentHostPort=127.0.0.1:6831
 ```
 
 #### `gen128Bit`
@@ -159,7 +159,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.propagation="jaeger"
+--tracing.jaeger.propagation=jaeger
 ```
 
 #### `traceContextHeaderName`
@@ -182,7 +182,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.traceContextHeaderName="uber-trace-id"
+--tracing.jaeger.traceContextHeaderName=uber-trace-id
 ```
 
 ### `collector`
@@ -206,7 +206,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.collector.endpoint="http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
+--tracing.jaeger.collector.endpoint=http://127.0.0.1:14268/api/traces?format=jaeger.thrift
 ```
 
 #### `user`
@@ -229,7 +229,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.collector.user="my-user"
+--tracing.jaeger.collector.user=my-user
 ```
 
 #### `password`
@@ -252,5 +252,5 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.collector.password="my-password"
+--tracing.jaeger.collector.password=my-password
 ```

docs/content/observability/tracing/overview.md

@@ -52,7 +52,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.serviceName="traefik"
+--tracing.serviceName=traefik
 ```
 
 #### `spanNameLimit`

docs/content/observability/tracing/zipkin.md

@@ -35,7 +35,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.zipkin.httpEndpoint="http://localhost:9411/api/v2/spans"
+--tracing.zipkin.httpEndpoint=http://localhost:9411/api/v2/spans
 ```
 
 #### `sameSpan`
@@ -101,5 +101,5 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.zipkin.sampleRate="0.2"
+--tracing.zipkin.sampleRate=0.2
 ```

docs/content/operations/.markdownlint.json

@@ -0,0 +1,5 @@
+{
+    "extends": "../../.markdownlint.json",
+    "MD041": false,
+    "MD046": false
+}

docs/content/operations/api.md

@@ -14,7 +14,7 @@ In production, it should be at least secured by authentication and authorization
 A good sane default (non exhaustive) set of recommendations
 would be to apply the following protection mechanisms:
 
-* At the transport level:  
+* At the transport level:
   NOT publicly exposing the API's port,
   keeping it restricted to internal networks
   (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
@@ -23,13 +23,16 @@ would be to apply the following protection mechanisms:
 
 If you enable the API, a new special `service` named `api@internal` is created and can then be referenced in a router.
 
-To enable the API handler:
+To enable the API handler, use the following option on the
+[static configuration](../getting-started/configuration-overview.md#the-static-configuration):
 
 ```toml tab="File (TOML)"
+# Static Configuration
 [api]
 ```
 
 ```yaml tab="File (YAML)"
+# Static Configuration
 api: {}
 ```
 
@@ -37,62 +40,32 @@ api: {}
 --api=true
 ```
 
-And then you will be able to reference it like this:
+And then define a routing configuration on Traefik itself with the
+[dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration):
 
-```yaml tab="Docker"
-labels:
-  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-  - "traefik.http.routers.api.service=api@internal"
-  - "traefik.http.routers.api.middlewares=auth"
-  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
+--8<-- "content/operations/include-api-examples.md"
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.routers.api.rule": "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-  "traefik.http.routers.api.service": "api@internal"
-  "traefik.http.routers.api.middlewares": "auth"
-  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-}
-```
+??? warning "The router's [rule](../../routing/routers#rule) must catch requests for the URI path `/api`"
+    Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.
+    However, you can also use "path prefix" rule or any combination or rules.
 
-```yaml tab="Rancher"
-# Declaring the user list
-labels:
-  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-  - "traefik.http.routers.api.service=api@internal"
-  - "traefik.http.routers.api.middlewares=auth"
-  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
+    ```bash tab="Host Rule"
+    # Matches http://traefik.domain.com, http://traefik.domain.com/api
+    # or http://traefik.domain.com/hello
+    rule = "Host(`traefik.domain.com`)"
+    ```
 
-```toml tab="File (TOML)"
-[http.routers.my-api]
-    rule="PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-    service="api@internal"
-    middlewares=["auth"]
+    ```bash tab="Path Prefix Rule"
+    # Matches http://api.traefik.domain.com/api or http://domain.com/api
+    # but does not match http://api.traefik.domain.com/hello
+    rule = "PathPrefix(`/api`)"
+    ```
 
-[http.middlewares.auth.basicAuth]
-    users = [
-      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
-      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-    ]
-```
-
-```yaml tab="File (YAML)"
-http:
-  routers:
-    api:
-      rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
-      service: api@internal
-      middlewares:
-        - auth
-  middlewares:
-    auth:
-      basicAuth:
-        users:
-          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
-          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
+    ```bash tab="Combination of Rules"
+    # Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
+    # but does not match http://traefik.domain.com/hello
+    rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+    ```
 
 ### `insecure`
 
@@ -135,6 +108,9 @@ api:
 --api.dashboard=true
 ```
 
+!!! warning "With Dashboard enabled, the router [rule](../../routing/routers#rule) must catch requests for both `/api` and `/dashboard`"
+    Please check the [Dashboard documentation](./dashboard.md#dashboard-router-rule) to learn more about this and to get examples.
+
 ### `debug`
 
 _Optional, Default=false_
@@ -159,24 +135,25 @@ api:
 
 All the following endpoints must be accessed with a `GET` HTTP request.
 
-| Path                           | Description                                                                               |
-|--------------------------------|-------------------------------------------------------------------------------------------|
-| `/api/http/routers`            | Lists all the HTTP routers information.                                                   |
-| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                           |
-| `/api/http/services`           | Lists all the HTTP services information.                                                  |
-| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                          |
-| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                               |
-| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                       |
-| `/api/tcp/routers`             | Lists all the TCP routers information.                                                    |
-| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                            |
-| `/api/tcp/services`            | Lists all the TCP services information.                                                   |
-| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                           |
-| `/api/entrypoints`             | Lists all the entry points information.                                                   |
-| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                           |
-| `/api/version`                 | Returns information about Traefik version.                                                |
-| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                        |
-| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.     |
-| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation. |
-| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
-| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.   |
-| `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.     |
+| Path                           | Description                                                                                 |
+|--------------------------------|---------------------------------------------------------------------------------------------|
+| `/api/http/routers`            | Lists all the HTTP routers information.                                                     |
+| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                             |
+| `/api/http/services`           | Lists all the HTTP services information.                                                    |
+| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                            |
+| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                                 |
+| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                         |
+| `/api/tcp/routers`             | Lists all the TCP routers information.                                                      |
+| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                              |
+| `/api/tcp/services`            | Lists all the TCP services information.                                                     |
+| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                             |
+| `/api/entrypoints`             | Lists all the entry points information.                                                     |
+| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                             |
+| `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers. |
+| `/api/version`                 | Returns information about Traefik version.                                                  |
+| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
+| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.       |
+| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation.   |
+| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.   |
+| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.     |
+| `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.       |

docs/content/operations/dashboard.md

@@ -3,24 +3,33 @@
 See What's Going On
 {: .subtitle }
 
-The dashboard is the central place that shows you the current active routes handled by Traefik. 
+The dashboard is the central place that shows you the current active routes handled by Traefik.
 
 <figure>
     <img src="../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
     <figcaption>The dashboard in action</figcaption>
 </figure>
 
-By default, the dashboard is available on `/dashboard` on port `:8080`.
-There is also a redirect of `/` to `/dashboard`, but one should not rely on that property as it is bound to change,
-and it might make for confusing routing rules anyway.
+The dashboard is available at the same location as the [API](./api.md) but on the path `/dashboard/` by default.
 
-!!! info "Did You Know?"
-    It is possible to customize the dashboard endpoint. 
-    To learn how, refer to the [API documentation](./api.md)
-    
-## Enabling the Dashboard
+!!! warning "The trailing slash `/` in `/dashboard/` is mandatory"
 
-To enable the dashboard, you need to enable [Traefik's API](./api.md).
+There are 2 ways to configure and access the dashboard:
+
+- [Secure mode (Recommended)](#secure-mode)
+- [Insecure mode](#insecure-mode)
+
+!!! note ""
+    There is also a redirect of the path `/` to the path `/dashboard/`,
+    but one should not rely on that property as it is bound to change,
+    and it might make for confusing routing rules anyway.
+
+## Secure Mode
+
+This is the **recommended** method.
+
+Start by enabling the dashboard by using the following option from [Traefik's API](./api.md)
+on the [static configuration](../getting-started/configuration-overview.md#the-static-configuration):
 
 ```toml tab="File (TOML)"
 [api]
@@ -51,12 +60,66 @@ api:
 --api.dashboard=true
 ```
 
-!!! important "API/Dashboard Security" 
-    
-    To secure your dashboard, the use of a `service` named `api@internal` is mandatory and requires the definition of a router using one or more security [middlewares](../middlewares/overview.md)
-    like authentication ([basicAuth](../middlewares/basicauth.md) , [digestAuth](../middlewares/digestauth.md), [forwardAuth](../middlewares/forwardauth.md)) or [whitelisting](../middlewares/ipwhitelist.md).  
-    More information about `api@internal` can be found in the [API documentation](./api.md#configuration)
+Then define a routing configuration on Traefik itself,
+with a router attached to the service `api@internal` in the
+[dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration),
+to allow defining:
 
-!!! info "Did You Know?"
-    The API provides more features than the Dashboard. 
-    To learn more about it, refer to the [API documentation](./api.md)
+- One or more security features through [middlewares](../middlewares/overview.md)
+  like authentication ([basicAuth](../middlewares/basicauth.md) , [digestAuth](../middlewares/digestauth.md),
+  [forwardAuth](../middlewares/forwardauth.md)) or [whitelisting](../middlewares/ipwhitelist.md).
+
+- A [router rule](#dashboard-router-rule) for accessing the dashboard,
+  through Traefik itself (sometimes referred as "Traefik-ception").
+
+??? example "Dashboard Dynamic Configuration Examples"
+    --8<-- "content/operations/include-api-examples.md"
+
+### Dashboard Router Rule
+
+As underlined in the [documentation for the `api.dashboard` option](./api.md#dashboard),
+the [router rule](../routing/routers/index.md#rule) defined for Traefik must match
+the path prefixes `/api` and `/dashboard`.
+
+We recommend to use a "Host Based rule" as ```Host(`traefik.domain.com`)``` to match everything on the host domain,
+or to make sure that the defined rule captures both prefixes:
+
+```bash tab="Host Rule"
+# The dashboard can be accessed on http://traefik.domain.com/dashboard/
+rule = "Host(`traefik.domain.com`)"
+```
+
+```bash tab="Path Prefix Rule"
+# The dashboard can be accessed on http://domain.com/dashboard/ or http://traefik.domain.com/dashboard/
+rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+```
+
+```bash tab="Combination of Rules"
+# The dashboard can be accessed on http://traefik.domain.com/dashboard/
+rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+```
+
+## Insecure Mode
+
+This mode is not recommended because it does not allow the use of security features.
+
+To enable the "insecure mode", use the following options from [Traefik's API](./api.md#insecure):
+
+```toml tab="File (TOML)"
+[api]
+  dashboard = true
+  insecure = true
+```
+
+```yaml tab="File (YAML)"
+api:
+  dashboard: true
+  insecure: true
+```
+
+```bash tab="CLI"
+--api.dashboard=true --api.insecure=true
+```
+
+You can now access the dashboard on the port `8080` of the Traefik instance,
+at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).

docs/content/operations/include-api-examples.md

@@ -0,0 +1,99 @@
+```yaml tab="Docker"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Docker (Swarm)"
+# Dynamic Configuration
+deploy:
+  labels:
+    - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+    - "traefik.http.routers.api.service=api@internal"
+    - "traefik.http.routers.api.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+    # Dummy service for Swarm port detection. The port can be any valid integer value.
+    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
+```
+
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.domain.com`)
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
+```yaml tab="Consul Catalog"
+# Dynamic Configuration
+- "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+- "traefik.http.routers.api.service=api@internal"
+- "traefik.http.routers.api.middlewares=auth"
+- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.api.rule": "Host(`traefik.domain.com`)",
+  "traefik.http.routers.api.service": "api@internal",
+  "traefik.http.routers.api.middlewares": "auth",
+  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.domain.com`)"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic Configuration
+http:
+  routers:
+    api:
+      rule: Host(`traefik.domain.com`)
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```

docs/content/operations/ping.md

@@ -29,6 +29,9 @@ You can customize the `entryPoint` where the `/ping` is active with the `entryPo
 |---------|---------------|-----------------------------------------------------------------------------------------------------|
 | `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
 
+!!! note
+    The `cli` comes with a [`healthcheck`](./cli.md#healthcheck) command which can be used for calling this endpoint.
+
 ### `entryPoint`
 
 Enabling /ping on a dedicated EntryPoint.
@@ -52,6 +55,26 @@ ping:
 ```
 
 ```bash tab="CLI"
---entryPoints.ping.address=":8082"
---ping.entryPoint="ping"
+--entryPoints.ping.address=:8082
+--ping.entryPoint=ping
+```
+
+### `manualRouting`
+
+_Optional, Default=false_
+
+If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `ping@internal` service.
+
+```toml tab="File (TOML)"
+[ping]
+  manualRouting = true
+```
+
+```yaml tab="File (YAML)"
+ping:
+  manualRouting: true
+```
+
+```bash tab="CLI"
+--ping.manualrouting=true
 ```

docs/content/providers/consul-catalog.md

@@ -0,0 +1,603 @@
+# Traefik & Consul Catalog
+
+A Story of Tags, Services & Instances
+{: .subtitle }
+
+![Consul Catalog](../assets/img/providers/consul.png)
+
+Attach tags to your services and let Traefik do the rest!
+
+## Configuration Examples
+
+??? example "Configuring Consul Catalog & Deploying / Exposing Services"
+
+    Enabling the consul catalog provider
+
+    ```toml tab="File (TOML)"
+    [providers.consulCatalog]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      consulCatalog: {}
+    ```
+    
+    ```bash tab="CLI"
+    --providers.consulcatalog=true
+    ```
+
+    Attaching tags to services
+
+    ```yaml
+    - traefik.http.services.my-service.rule=Host(`mydomain.com`)
+    ```
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/consul-catalog.md).
+
+## Provider Configuration
+
+### `refreshInterval`
+
+_Optional, Default=15s_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  refreshInterval = "30s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    refreshInterval: 30s
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.refreshInterval=30s
+# ...
+```
+
+Defines the polling interval.
+
+### `prefix`
+
+_required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  prefix = "test"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    prefix: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.prefix=test
+# ...
+```
+
+The prefix for Consul Catalog tags defining traefik labels.
+
+### `requireConsistent`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  requireConsistent = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    requireConsistent: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.requireConsistent=true
+# ...
+```
+
+Forces the read to be fully consistent.
+
+### `stale`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  stale = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    stale: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.stale=true
+# ...
+```
+
+Use stale consistency for catalog reads.
+
+### `cache`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  cache = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    cache: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.cache=true
+# ...
+```
+
+Use local agent caching for catalog reads.
+
+### `endpoint`
+
+Defines the Consul server endpoint.
+
+#### `address`
+
+_Optional, Default="http://127.0.0.1:8500"_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    address = "http://127.0.0.1:8500"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      address: http://127.0.0.1:8500
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.address=http://127.0.0.1:8500
+# ...
+```
+
+Defines the address of the Consul server.
+
+#### `scheme`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    scheme = "https"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      scheme: https
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.scheme=https
+# ...
+```
+
+Defines the URI scheme for the Consul server.
+
+#### `datacenter`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    datacenter = "test"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      datacenter: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.datacenter=test
+# ...
+```
+
+Defines the Data center to use.
+If not provided, the default agent data center is used.
+
+#### `token`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    token = "test"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      token: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.token=test
+# ...
+```
+
+Token is used to provide a per-request ACL token which overrides the agent's default token.
+
+#### `endpointWaitTime`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    endpointWaitTime = "15s"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      endpointWaitTime: 15s
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.endpointwaittime=15s
+# ...
+```
+
+WaitTime limits how long a Watch will block.
+If not provided, the agent default values will be used
+
+#### `httpAuth`
+
+_Optional_
+
+Used to authenticate http client with HTTP Basic Authentication.
+
+##### `username`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.httpAuth]
+  username = "test"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      httpAuth:
+        username: test
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.httpauth.username=test
+```
+
+Username to use for HTTP Basic Authentication
+
+##### `password`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.httpAuth]
+  password = "test"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      httpAuth:
+        password: test
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.httpauth.password=test
+```
+
+Password to use for HTTP Basic Authentication
+
+#### `tls`
+
+_Optional_
+
+Defines TLS options for Consul server endpoint.
+
+##### `ca`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt
+```
+
+`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
+
+##### `caOptional`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        caOptional: true
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.caoptional=true
+```
+
+Policy followed for the secured connection with TLS Client Authentication to Consul.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+##### `cert`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
+--providers.consulcatalog.endpoint.tls.key=path/to/foo.key
+```
+
+`cert` is the path to the public certificate for Consul communication.
+If this is set then you need to also set `key.
+
+##### `key`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
+--providers.consulcatalog.endpoint.tls.key=path/to/foo.key
+```
+
+`key` is the path to the private key for Consul communication.
+If this is set then you need to also set `cert`.
+
+##### `insecureSkipVerify`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.insecureskipverify=true
+```
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Consul server accepts any certificate presented by the server and any host name in that certificate.
+
+### `exposedByDefault`
+
+_Optional, Default=true_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.exposedByDefault=false
+# ...
+```
+
+Expose Consul Catalog services by default in Traefik.
+If set to false, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
+
+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+### `defaultRule`
+
+_Optional, Default=```Host(`{{ normalize .Name }}`)```_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+# ...
+```
+
+The default host rule for all services.
+
+For a given service if no routing rule was defined by a tag, it is defined by this defaultRule instead.
+It must be a valid [Go template](https://golang.org/pkg/text/template/),
+augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
+The service name can be accessed as the `Name` identifier,
+and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
+
+The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
+
+### `constraints`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  constraints = "Tag(`a.tag.name`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    constraints: "Tag(`a.tag.name`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.constraints="Tag(`a.tag.name`)"
+# ...
+```
+
+Constraints is an expression that Traefik matches against the service's tags to determine whether to create any route for that service.
+That is to say, if none of the service's tags match the expression, no route for that service is created.
+If the expression is empty, all detected services are included.
+
+The expression syntax is based on the `Tag("tag")`, and `TagRegex("tag")` functions,
+as well as the usual boolean logic, as shown in examples below.
+
+??? example "Constraints Expression Examples"
+
+    ```toml
+    # Includes only services having the tag `a.tag.name=foo`
+    constraints = "Tag(`a.tag.name=foo`)"
+    ```
+    
+    ```toml
+    # Excludes services having any tag `a.tag.name=foo`
+    constraints = "!Tag(`a.tag.name=foo`)"
+    ```
+    
+    ```toml
+    # With logical AND.
+    constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
+    ```
+    
+    ```toml
+    # With logical OR.
+    constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
+    ```
+    
+    ```toml
+    # With logical AND and OR, with precedence set by parentheses.
+    constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
+    ```
+    
+    ```toml
+    # Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
+    constraints = "TagRegex(`a\.tag\.t.+`)"
+    ```
+
+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

docs/content/providers/docker.md

@@ -7,6 +7,9 @@ A Story of Labels & Containers
 
 Attach labels to your containers and let Traefik do the rest!
 
+Traefik works with both [Docker (standalone) Engine](https://docs.docker.com/engine/)
+and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
+
 !!! tip "The Quick Start Uses Docker"
     If you haven't already, maybe you'd like to go through the [quick start](../getting-started/quick-start.md) that uses the docker provider!
 
@@ -64,7 +67,7 @@ Attach labels to your containers and let Traefik do the rest!
     ```
     
     ```bash tab="CLI"
-    --providers.docker.endpoint="tcp://127.0.0.1:2375"
+    --providers.docker.endpoint=tcp://127.0.0.1:2375
     --providers.docker.swarmMode=true
     ```
 
@@ -80,15 +83,136 @@ Attach labels to your containers and let Traefik do the rest!
             - traefik.http.services.my-container-service.loadbalancer.server.port=8080
     ```
 
-    !!! important "Labels in Docker Swarm Mode"
-        While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
-        
-        Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service.
-        This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
-
 ## Routing Configuration
 
-See the dedicated section in [routing](../routing/providers/docker.md).
+When using Docker as a [provider](https://docs.traefik.io/providers/overview/),
+Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
+
+See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
+
+### Routing Configuration with Labels
+
+By default, Traefik watches for [container level labels](https://docs.docker.com/config/labels-custom-metadata/) on a standalone Docker Engine.
+
+When using Docker Compose, labels are specified by the directive
+[`labels`](https://docs.docker.com/compose/compose-file/#labels) from the
+["services" objects](https://docs.docker.com/compose/compose-file/#service-configuration-reference).
+
+!!! tip "Not Only Docker"
+    Please note that any tool like Nomad, Terraform, Ansible, etc.
+    that is able to define a Docker container with labels can work
+    with Traefik & the Docker provider.
+
+### Port Detection
+
+Traefik retrieves the private IP and port of containers from the Docker API.
+
+Ports detection works as follows:
+
+- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) only one port,
+  then Traefik uses this port for private communication.
+- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
+  or does not expose any port, then you must manually specify which port Traefik should use for communication 
+  by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
+  (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#port)).
+
+### Docker API Access
+
+Traefik requires access to the docker socket to get its dynamic configuration.
+
+You can specify which Docker API Endpoint to use with the directive [`endpoint`](#endpoint).
+
+!!! warning "Security Note"
+
+    Accessing the Docker API without any restriction is a security concern:
+    If Traefik is attacked, then the attacker might get access to the underlying host.
+    {: #security-note }
+    
+    As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
+
+    !!! quote
+        [...] only **trusted** users should be allowed to control your Docker daemon [...]
+
+    ??? success "Solutions"
+
+        Expose the Docker socket over TCP, instead of the default Unix socket file.
+        It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
+
+        - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
+        - Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
+        - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
+        - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
+        - Accounting at container level, by exposing the socket on a another container than Traefik's.
+          With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
+        - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
+
+    ??? info "More Resources and Examples"
+        - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
+        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.containo.us/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
+        - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
+        - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
+        - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
+        - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
+        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
+        - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
+        - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
+        - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
+
+## Docker Swarm Mode
+
+To enable Docker Swarm (instead of standalone Docker) as a configuration provider,
+set the [`swarmMode`](#swarmmode) directive to `true`.
+
+### Routing Configuration with Labels
+
+While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
+
+Therefore, if you use a compose file with Swarm Mode, labels should be defined in the
+[`deploy`](https://docs.docker.com/compose/compose-file/#labels-1) part of your service.
+
+This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file)).
+
+### Port Detection
+
+Docker Swarm does not provide any [port detection](#port-detection) information to Traefik.
+
+Therefore you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
+(Check the reference for this label in the [routing section for Docker](../routing/providers/docker.md#port)).
+
+### Docker API Access
+
+Docker Swarm Mode follows the same rules as Docker [API Access](#docker-api-access).
+
+As the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes), you should schedule Traefik on the Swarm manager nodes by default,
+by deploying Traefik with a [constraint](https://success.docker.com/article/using-contraints-and-labels-to-control-the-placement-of-containers) on the node's "role":
+
+```shell tab="With Docker CLI"
+docker service create \
+  --constraint=node.role==manager \
+  #... \
+```
+
+```yml tab="With Docker Compose"
+version: '3'
+
+services:
+  traefik:
+    # ...
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+```
+
+!!! tip "Scheduling Traefik on Worker Nodes"
+    
+    Following the guidelines given in the previous section ["Docker API Access"](#docker-api-access),
+    if you expose the Docker API through TCP, then Traefik can be scheduled on any node if the TCP
+    socket is reachable.
+    
+    Please consider the security implications by reading the [Security Note](#security-note).
+    
+    A good example can be found on [Bret Fisher's repository](https://github.com/BretFisher/dogvscat/blob/master/stack-proxy-global.yml#L124).
 
 ## Provider Configuration
 
@@ -108,51 +232,10 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.docker.endpoint="unix:///var/run/docker.sock"
+--providers.docker.endpoint=unix:///var/run/docker.sock
 ```
 
-Traefik requires access to the docker socket to get its dynamic configuration.
-
-??? warning "Security Notes"
-
-    Depending on your context, accessing the Docker API without any restriction can be a security concern: If Traefik is attacked, then the attacker might get access to the Docker (or Swarm Mode) backend.
-
-    As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
-
-    `[...] only **trusted** users should be allowed to control your Docker daemon [...]`
-
-    !!! tip "Improved Security"
-
-        [TraefikEE](https://containo.us/traefikee) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests).
-
-    ??? info "Resources about Docker's Security"
-
-        - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
-        - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html)
-        - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
-        - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
-
-??? tip "Security Compensation"
-
-    Expose the Docker socket over TCP, instead of the default Unix socket file.
-    It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
-
-    - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
-    - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
-    - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
-    - Accounting at container level, by exposing the socket on a another container than Traefik's.
-      With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
-    - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
-
-    ??? info "Additional Resources"
-
-        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
-        - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
-        - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
-        - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
-
-!!! info "Traefik & Swarm Mode"
-    To let Traefik access the Docker Socket of the Swarm manager, it is mandatory to schedule Traefik on the Swarm manager nodes.
+See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API Access](#docker-api-access_1) for more information.
 
 ??? example "Using the docker.sock"
 
@@ -186,7 +269,7 @@ Traefik requires access to the docker socket to get its dynamic configuration.
     ```
     
     ```bash tab="CLI"
-    --providers.docker.endpoint="unix:///var/run/docker.sock"
+    --providers.docker.endpoint=unix:///var/run/docker.sock
     # ...
     ```
 
@@ -311,7 +394,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.docker.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+--providers.docker.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
@@ -343,7 +426,7 @@ providers:
 # ...
 ```
 
-Activates the Swarm Mode.
+Activates the Swarm Mode (instead of standalone Docker).
 
 ### `swarmModeRefreshSeconds`
 
@@ -375,19 +458,19 @@ _Optional, Default=""_
 
 ```toml tab="File (TOML)"
 [providers.docker]
-  constraints = "Label(`a.label.name`, `foo`)"
+  constraints = "Label(`a.label.name`,`foo`)"
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   docker:
-    constraints: "Label(`a.label.name`, `foo`)"
+    constraints: "Label(`a.label.name`,`foo`)"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.docker.constraints="Label(`a.label.name`, `foo`)"
+--providers.docker.constraints=Label(`a.label.name`,`foo`)
 # ...
 ```
 

docs/content/providers/file.md

@@ -4,7 +4,7 @@ Good Old Configuration File
 {: .subtitle } 
 
 The file provider lets you define the [dynamic configuration](./overview.md) in a TOML or YAML file.
-You can write these configuration elements:
+You can write one of these mutually exclusive configuration elements:
 
 * In [a dedicated file](#filename)
 * In [several dedicated files](#directory)
@@ -23,17 +23,17 @@ You can write these configuration elements:
     
     ```toml tab="File (TOML)"
     [providers.file]
-      filename = "/my/path/to/dynamic-conf.toml"
+      directory = "/path/to/dynamic/conf"
     ```
     
     ```yaml tab="File (YAML)"
     providers:
       file:
-        filename: "/my/path/to/dynamic-conf.yml"
+        directory: "/path/to/dynamic/conf"
     ```
     
     ```bash tab="CLI"
-    --providers.file.filename=/my/path/to/dynamic_conf.toml
+    --providers.file.directory=/path/to/dynamic/conf
     ```
     
     Declaring Routers, Middlewares & Services:
@@ -100,6 +100,22 @@ You can write these configuration elements:
 
 If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md).
 
+!!! warning "Limitations"
+
+    With the file provider, Traefik listens for file system notifications to update the dynamic configuration.
+    
+    If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors.
+    If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught. 
+    
+    For example, in docker, if the host file is renamed, the link to the mounted file will be broken and the container's file will not be updated.
+    To avoid this kind of issue, a good practice is to:
+        
+    * set the Traefik [**directory**](#directory) configuration with the parent directory
+    * mount/bind the parent directory
+
+    As it is very difficult to listen to all file system notifications, Traefik use [fsnotify](https://github.com/fsnotify/fsnotify).
+    If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
+    
 ### `filename`
 
 Defines the path of the configuration file.
@@ -148,19 +164,19 @@ It works with both the `filename` and the `directory` options.
 ```toml tab="File (TOML)"
 [providers]
   [providers.file]
-    filename = "dynamic_conf.toml"
+    directory = "/path/to/dynamic/conf"
     watch = true
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   file:
-    filename: dynamic_conf.yml
+    directory: /path/to/dynamic/conf
     watch: true
 ```
 
 ```bash tab="CLI"
---providers.file.filename=dynamic_conf.toml
+--providers.file.directory=/my/path/to/dynamic/conf
 --providers.file.watch=true
 ```
 

docs/content/providers/kubernetes-crd.md

@@ -8,9 +8,60 @@ Traefik used to support Kubernetes only through the [Kubernetes Ingress provider
 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
 
+## Configuration Requirements
+
+!!! tip "All Steps for a Successful Deployment"
+
+    * Add/update **all** the Traefik resources [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions)
+    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources
+    * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment 
+        * Enable the kubernetesCRD provider
+        * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
+    * Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
+ 
+??? example "Initializing Resource Definition and RBAC"
+
+    ```yaml tab="Traefik Resource Definition"
+    # All resources definition must be declared
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+    ```
+
+    ```yaml tab="RBAC for Traefik CRD"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
+    ```
+
 ## Resource Configuration
 
-See the dedicated section in [routing](../routing/providers/kubernetes-crd.md).
+When using KubernetesCRD as a provider,
+Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to retrieve its routing configuration.
+Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
+
+* The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
+* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like:
+    * TLS certificate.
+    * Authentication data.
+* The structure of the configuration.
+* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
+
+The Traefik CRD are building blocks which you can assemble according to your needs.
+See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
+
+## LetsEncrypt Support with the Custom Resource Definition Provider
+
+By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
+
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+
+If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+
+If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
+A workaround it to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
+Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.
 
 ## Provider Configuration
 
@@ -32,7 +83,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.endpoint="http://localhost:8080"
+--providers.kubernetescrd.endpoint=http://localhost:8080
 ```
 
 The Kubernetes server endpoint as URL.
@@ -66,7 +117,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.token="mytoken"
+--providers.kubernetescrd.token=mytoken
 ```
 
 Bearer token used for the Kubernetes client configuration.
@@ -89,7 +140,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.certauthfilepath="/my/ca.crt"
+--providers.kubernetescrd.certauthfilepath=/my/ca.crt
 ```
 
 Path to the certificate authority file.
@@ -115,7 +166,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.namespaces="default,production"
+--providers.kubernetescrd.namespaces=default,production
 ```
 
 Array of namespaces to watch.
@@ -164,7 +215,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.ingressclass="traefik-internal"
+--providers.kubernetescrd.ingressclass=traefik-internal
 ```
 
 Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
@@ -190,7 +241,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.throttleDuration="10s"
+--providers.kubernetescrd.throttleDuration=10s
 ```
 
 ## Further

docs/content/providers/kubernetes-ingress.md

@@ -47,6 +47,20 @@ spec:
               servicePort: 80
 ```
 
+## LetsEncrypt Support with the Ingress Provider
+
+By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
+
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+
+If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+
+If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+
 ## Provider Configuration
 
 ### `endpoint`
@@ -67,7 +81,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.endpoint="http://localhost:8080"
+--providers.kubernetesingress.endpoint=http://localhost:8080
 ```
 
 The Kubernetes server endpoint as URL, which is only used when the behavior based on environment variables described below does not apply.
@@ -99,7 +113,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.token="mytoken"
+--providers.kubernetesingress.token=mytoken
 ```
 
 Bearer token used for the Kubernetes client configuration.
@@ -122,7 +136,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.certauthfilepath="/my/ca.crt"
+--providers.kubernetesingress.certauthfilepath=/my/ca.crt
 ```
 
 Path to the certificate authority file.
@@ -171,7 +185,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.namespaces="default,production"
+--providers.kubernetesingress.namespaces=default,production
 ```
 
 Array of namespaces to watch.
@@ -220,7 +234,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressclass="traefik-internal"
+--providers.kubernetesingress.ingressclass=traefik-internal
 ```
 
 Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
@@ -249,7 +263,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.hostname="foo.com"
+--providers.kubernetesingress.ingressendpoint.hostname=foo.com
 ```
 
 Hostname used for Kubernetes Ingress endpoints.
@@ -273,7 +287,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.ip="1.2.3.4"
+--providers.kubernetesingress.ingressendpoint.ip=1.2.3.4
 ```
 
 IP used for Kubernetes Ingress endpoints.
@@ -297,7 +311,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.publishedservice="foo-service"
+--providers.kubernetesingress.ingressendpoint.publishedservice=foo-service
 ```
 
 Published Kubernetes Service to copy status from.
@@ -320,7 +334,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.throttleDuration="10s"
+--providers.kubernetesingress.throttleDuration=10s
 ```
 
 ## Further

docs/content/providers/marathon.md

@@ -74,8 +74,8 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.basic.httpbasicauthuser="foo"
---providers.marathon.basic.httpbasicpassword="bar"
+--providers.marathon.basic.httpbasicauthuser=foo
+--providers.marathon.basic.httpbasicpassword=bar
 ```
 
 Enables Marathon basic authentication.
@@ -98,7 +98,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.dcosToken="xxxxxx"
+--providers.marathon.dcosToken=xxxxxx
 ```
 
 DCOSToken for DCOS environment.
@@ -123,7 +123,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+--providers.marathon.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
@@ -182,7 +182,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.endpoint="http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+--providers.marathon.endpoint=http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080
 ```
 
 Marathon server endpoint.
@@ -223,19 +223,19 @@ _Optional, Default=""_
 
 ```toml tab="File (TOML)"
 [providers.marathon]
-  constraints = "Label(`a.label.name`, `foo`)"
+  constraints = "Label(`a.label.name`,`foo`)"
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   marathon:
-    constraints: "Label(`a.label.name`, `foo`)"
+    constraints: "Label(`a.label.name`,`foo`)"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.marathon.constraints="Label(`a.label.name`, `foo`)"
+--providers.marathon.constraints=Label(`a.label.name`,`foo`)
 # ...
 ```
 
@@ -389,7 +389,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.responseHeaderTimeout="66s"
+--providers.marathon.responseHeaderTimeout=66s
 # ...
 ```
 
@@ -532,7 +532,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.responseHeaderTimeout="10s"
+--providers.marathon.responseHeaderTimeout=10s
 # ...
 ```
 

docs/content/providers/overview.md

@@ -26,19 +26,52 @@ Even if each provider is different, we can categorize them in four groups:
 
 Below is the list of the currently supported providers in Traefik. 
 
-| Provider                          | Type         | Configuration Type |
-|-----------------------------------|--------------|--------------------|
-| [Docker](./docker.md)             | Orchestrator | Label              |
-| [Kubernetes](./kubernetes-crd.md) | Orchestrator | Custom Resource    |
-| [Marathon](./marathon.md)         | Orchestrator | Label              |
-| [Rancher](./rancher.md)           | Orchestrator | Label              |
-| [File](./file.md)                 | Manual       | TOML/YAML format   |
+| Provider                              | Type         | Configuration Type |
+|---------------------------------------|--------------|--------------------|
+| [Docker](./docker.md)                 | Orchestrator | Label              |
+| [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource    |
+| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label              |
+| [Marathon](./marathon.md)             | Orchestrator | Label              |
+| [Rancher](./rancher.md)               | Orchestrator | Label              |
+| [File](./file.md)                     | Manual       | TOML/YAML format   |
 
 !!! info "More Providers"
 
     The current version of Traefik doesn't support (yet) every provider.
     See the [previous version (v1.7)](https://docs.traefik.io/v1.7/) for more providers.
 
+### Configuration reload frequency
+
+In some cases, some providers might undergo a sudden burst of changes,
+which would generate a lot of configuration change events.
+If Traefik took them all into account,
+that would trigger a lot more configuration reloads than what is necessary,
+or even useful.
+
+In order to mitigate that, the `providers.providersThrottleDuration` option can be set.
+It is the duration that Traefik waits for, after a configuration reload,
+before taking into account any new configuration refresh event.
+If any event arrives during that duration, only the most recent one is taken into account,
+and all the previous others are dropped.
+
+This option cannot be set per provider,
+but the throttling algorithm applies independently to each of them.
+It defaults to 2 seconds.
+
+```toml tab="File (TOML)"
+[providers]
+  providers.providersThrottleDuration = 10s
+```
+
+```yaml tab="File (YAML)"
+providers:
+  providersThrottleDuration: 10s
+```
+
+```bash tab="CLI"
+--providers.providersThrottleDuration=10s
+```
+
 <!--
 TODO (document TCP VS HTTP dynamic configuration)
 -->
@@ -58,6 +91,7 @@ or with a finer granularity mechanism based on constraints.
 List of providers that support that feature:
 
 - [Docker](./docker.md#exposedbydefault)
+- [Consul Catalog](./consul-catalog.md#exposedbydefault)
 - [Rancher](./rancher.md#exposedbydefault)
 - [Marathon](./marathon.md#exposedbydefault)
 
@@ -66,6 +100,7 @@ List of providers that support that feature:
 List of providers that support constraints:
 
 - [Docker](./docker.md#constraints)
+- [Consul Catalog](./consul-catalog.md#constraints)
 - [Rancher](./rancher.md#constraints)
 - [Marathon](./marathon.md#constraints)
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)

docs/content/providers/rancher.md

@@ -104,7 +104,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.rancher.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+--providers.rancher.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
@@ -209,7 +209,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.rancher.prefix="/test"
+--providers.rancher.prefix=/test
 # ...
 ```
 
@@ -221,19 +221,19 @@ _Optional, Default=""_
 
 ```toml tab="File (TOML)"
 [providers.rancher]
-  constraints = "Label(`a.label.name`, `foo`)"
+  constraints = "Label(`a.label.name`,`foo`)"
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   rancher:
-    constraints: "Label(`a.label.name`, `foo`)"
+    constraints: "Label(`a.label.name`,`foo`)"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.rancher.constraints="Label(`a.label.name`, `foo`)"
+--providers.rancher.constraints=Label(`a.label.name`,`foo`)
 # ...
 ```
 

docs/content/providers/rancher.txt

@@ -17,4 +17,4 @@
 --providers.rancher.intervalPoll=false
 
 # Prefix used for accessing the Rancher metadata service
---providers.rancher.prefix="/latest"
+--providers.rancher.prefix=/latest

docs/content/providers/rancher.yml

@@ -18,4 +18,4 @@ providers:
   intervalPoll: false
 
   # Prefix used for accessing the Rancher metadata service
-  prefix: "/latest"
+  prefix: /latest

docs/content/reference/dynamic-configuration/consul-catalog.md

@@ -0,0 +1,11 @@
+# Consul Catalog Configuration Reference
+
+Dynamic configuration with Consul Catalog
+{: .subtitle }
+
+The labels are case insensitive.
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/consul-catalog.yml"
+--8<-- "content/reference/dynamic-configuration/docker-labels.yml"
+```

docs/content/reference/dynamic-configuration/consul-catalog.yml

@@ -0,0 +1 @@
+- "traefik.enable=true"

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -103,6 +103,7 @@
 - "traefik.http.middlewares.middleware17.replacepathregex.regex=foobar"
 - "traefik.http.middlewares.middleware17.replacepathregex.replacement=foobar"
 - "traefik.http.middlewares.middleware18.retry.attempts=42"
+- "traefik.http.middlewares.middleware19.stripprefix.forceslash=true"
 - "traefik.http.middlewares.middleware19.stripprefix.prefixes=foobar, foobar"
 - "traefik.http.middlewares.middleware20.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
@@ -129,38 +130,22 @@
 - "traefik.http.routers.router1.tls.domains[1].main=foobar"
 - "traefik.http.routers.router1.tls.domains[1].sans=foobar, foobar"
 - "traefik.http.routers.router1.tls.options=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.headers.name0=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.headers.name1=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.hostname=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.interval=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.path=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.port=42"
-- "traefik.http.services.service0.loadbalancer.healthcheck.scheme=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.timeout=foobar"
-- "traefik.http.services.service0.loadbalancer.passhostheader=true"
-- "traefik.http.services.service0.loadbalancer.responseforwarding.flushinterval=foobar"
-- "traefik.http.services.service0.loadbalancer.sticky=true"
-- "traefik.http.services.service0.loadbalancer.sticky.cookie.httponly=true"
-- "traefik.http.services.service0.loadbalancer.sticky.cookie.name=foobar"
-- "traefik.http.services.service0.loadbalancer.sticky.cookie.secure=true"
-- "traefik.http.services.service0.loadbalancer.server.port=foobar"
-- "traefik.http.services.service0.loadbalancer.server.scheme=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.headers.name0=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.headers.name1=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.hostname=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.interval=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.path=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.port=42"
-- "traefik.http.services.service1.loadbalancer.healthcheck.scheme=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.timeout=foobar"
-- "traefik.http.services.service1.loadbalancer.passhostheader=true"
-- "traefik.http.services.service1.loadbalancer.responseforwarding.flushinterval=foobar"
-- "traefik.http.services.service1.loadbalancer.sticky=true"
-- "traefik.http.services.service1.loadbalancer.sticky.cookie.httponly=true"
-- "traefik.http.services.service1.loadbalancer.sticky.cookie.name=foobar"
-- "traefik.http.services.service1.loadbalancer.sticky.cookie.secure=true"
-- "traefik.http.services.service1.loadbalancer.server.port=foobar"
-- "traefik.http.services.service1.loadbalancer.server.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.hostname=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.interval=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.path=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.port=42"
+- "traefik.http.services.service01.loadbalancer.healthcheck.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.timeout=foobar"
+- "traefik.http.services.service01.loadbalancer.passhostheader=true"
+- "traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval=foobar"
+- "traefik.http.services.service01.loadbalancer.sticky=true"
+- "traefik.http.services.service01.loadbalancer.sticky.cookie.httponly=true"
+- "traefik.http.services.service01.loadbalancer.sticky.cookie.name=foobar"
+- "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
+- "traefik.http.services.service01.loadbalancer.server.port=foobar"
+- "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.rule=foobar"
 - "traefik.tcp.routers.tcprouter0.service=foobar"
@@ -183,7 +168,5 @@
 - "traefik.tcp.routers.tcprouter1.tls.domains[1].sans=foobar, foobar"
 - "traefik.tcp.routers.tcprouter1.tls.options=foobar"
 - "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
-- "traefik.tcp.services.tcpservice0.loadbalancer.server.port=foobar"
-- "traefik.tcp.services.tcpservice0.loadbalancer.terminationdelay=100"
-- "traefik.tcp.services.tcpservice1.loadbalancer.server.port=foobar"
-- "traefik.tcp.services.tcpservice1.loadbalancer.terminationdelay=100"
+- "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay=42"
+- "traefik.tcp.services.tcpservice01.loadbalancer.server.port=foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -245,6 +245,7 @@
     [http.middlewares.Middleware19]
       [http.middlewares.Middleware19.stripPrefix]
         prefixes = ["foobar", "foobar"]
+        forceSlash = true
     [http.middlewares.Middleware20]
       [http.middlewares.Middleware20.stripPrefixRegex]
         regex = ["foobar", "foobar"]
@@ -284,25 +285,25 @@
           main = "foobar"
           sans = ["foobar", "foobar"]
   [tcp.services]
-    [tcp.services.TCPService0]
-      [tcp.services.TCPService0.loadBalancer]
-        terminationDelay = 100
+    [tcp.services.TCPService01]
+      [tcp.services.TCPService01.loadBalancer]
+        terminationDelay = 42
 
-        [[tcp.services.TCPService0.loadBalancer.servers]]
+        [[tcp.services.TCPService01.loadBalancer.servers]]
           address = "foobar"
 
-        [[tcp.services.TCPService0.loadBalancer.servers]]
+        [[tcp.services.TCPService01.loadBalancer.servers]]
           address = "foobar"
+    [tcp.services.TCPService02]
+      [tcp.services.TCPService02.weighted]
 
-    [tcp.services.TCPService1]
-      [tcp.services.TCPService1.loadBalancer]
-        terminationDelay = 100
+        [[tcp.services.TCPService02.weighted.services]]
+          name = "foobar"
+          weight = 42
 
-        [[tcp.services.TCPService1.loadBalancer.servers]]
-          address = "foobar"
-
-        [[tcp.services.TCPService1.loadBalancer.servers]]
-          address = "foobar"
+        [[tcp.services.TCPService02.weighted.services]]
+          name = "foobar"
+          weight = 42
 
 [tls]
 
@@ -318,15 +319,19 @@
   [tls.options]
     [tls.options.Options0]
       minVersion = "foobar"
+      maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
       sniStrict = true
+      curvePreferences = ["foobar", "foobar"]
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"
     [tls.options.Options1]
       minVersion = "foobar"
+      maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
       sniStrict = true
+      curvePreferences = ["foobar", "foobar"]
       [tls.options.Options1.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"

docs/content/reference/dynamic-configuration/file.yaml

@@ -2,11 +2,11 @@ http:
   routers:
     Router0:
       entryPoints:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
       middlewares:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
       service: foobar
       rule: foobar
       priority: 42
@@ -14,21 +14,21 @@ http:
         options: foobar
         certResolver: foobar
         domains:
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
     Router1:
       entryPoints:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
       middlewares:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
       service: foobar
       rule: foobar
       priority: 42
@@ -36,14 +36,14 @@ http:
         options: foobar
         certResolver: foobar
         domains:
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
   services:
     Service01:
       loadBalancer:
@@ -53,8 +53,8 @@ http:
             secure: true
             httpOnly: true
         servers:
-          - url: foobar
-          - url: foobar
+        - url: foobar
+        - url: foobar
         healthCheck:
           scheme: foobar
           path: foobar
@@ -72,17 +72,17 @@ http:
       mirroring:
         service: foobar
         mirrors:
-          - name: foobar
-            percent: 42
-          - name: foobar
-            percent: 42
+        - name: foobar
+          percent: 42
+        - name: foobar
+          percent: 42
     Service03:
       weighted:
         services:
-          - name: foobar
-            weight: 42
-          - name: foobar
-            weight: 42
+        - name: foobar
+          weight: 42
+        - name: foobar
+          weight: 42
         sticky:
           cookie:
             name: foobar
@@ -95,8 +95,8 @@ http:
     Middleware01:
       basicAuth:
         users:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         usersFile: foobar
         realm: foobar
         removeHeader: true
@@ -111,8 +111,8 @@ http:
     Middleware03:
       chain:
         middlewares:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
     Middleware04:
       circuitBreaker:
         expression: foobar
@@ -121,8 +121,8 @@ http:
     Middleware06:
       digestAuth:
         users:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         usersFile: foobar
         removeHeader: true
         realm: foobar
@@ -130,8 +130,8 @@ http:
     Middleware07:
       errors:
         status:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         service: foobar
         query: foobar
     Middleware08:
@@ -145,8 +145,8 @@ http:
           insecureSkipVerify: true
         trustForwardHeader: true
         authResponseHeaders:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
     Middleware09:
       headers:
         customRequestHeaders:
@@ -157,23 +157,23 @@ http:
           name1: foobar
         accessControlAllowCredentials: true
         accessControlAllowHeaders:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         accessControlAllowMethods:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         accessControlAllowOrigin: foobar
         accessControlExposeHeaders:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         accessControlMaxAge: 42
         addVaryHeader: true
         allowedHosts:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         hostsProxyHeaders:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         sslRedirect: true
         sslTemporaryRedirect: true
         sslHost: foobar
@@ -198,13 +198,13 @@ http:
     Middleware10:
       ipWhiteList:
         sourceRange:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         ipStrategy:
           depth: 42
           excludedIPs:
-            - foobar
-            - foobar
+          - foobar
+          - foobar
     Middleware11:
       inFlightReq:
         amount: 42
@@ -212,8 +212,8 @@ http:
           ipstrategy:
             depth: 42
             excludedIPs:
-              - foobar
-              - foobar
+            - foobar
+            - foobar
           requestHeaderName: foobar
           requestHost: true
     Middleware12:
@@ -247,8 +247,8 @@ http:
           ipstrategy:
             depth: 42
             excludedIPs:
-              - foobar
-              - foobar
+            - foobar
+            - foobar
           requestHeaderName: foobar
           requestHost: true
     Middleware14:
@@ -274,19 +274,20 @@ http:
     Middleware19:
       stripPrefix:
         prefixes:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
+        forceSlash: true
     Middleware20:
       stripPrefixRegex:
         regex:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
 tcp:
   routers:
     TCPRouter0:
       entryPoints:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
       service: foobar
       rule: foobar
       tls:
@@ -294,18 +295,18 @@ tcp:
         options: foobar
         certResolver: foobar
         domains:
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
     TCPRouter1:
       entryPoints:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
       service: foobar
       rule: foobar
       tls:
@@ -313,60 +314,69 @@ tcp:
         options: foobar
         certResolver: foobar
         domains:
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
   services:
-    TCPService0:
+    TCPService01:
       loadBalancer:
-        terminationDelay: 100
+        terminationDelay: 42
         servers:
-          - address: foobar
-          - address: foobar
-    TCPService1:
-      loadBalancer:
-        terminationDelay: 100
-        servers:
-          - address: foobar
-          - address: foobar
+        - address: foobar
+        - address: foobar
+    TCPService02:
+      weighted:
+        services:
+        - name: foobar
+          weight: 42
+        - name: foobar
+          weight: 42
 tls:
   certificates:
-    - certFile: foobar
-      keyFile: foobar
-      stores:
-        - foobar
-        - foobar
-    - certFile: foobar
-      keyFile: foobar
-      stores:
-        - foobar
-        - foobar
+  - certFile: foobar
+    keyFile: foobar
+    stores:
+    - foobar
+    - foobar
+  - certFile: foobar
+    keyFile: foobar
+    stores:
+    - foobar
+    - foobar
   options:
     Options0:
       minVersion: foobar
+      maxVersion: foobar
       cipherSuites:
         - foobar
         - foobar
+      curvePreferences:
+      - foobar
+      - foobar
       clientAuth:
         caFiles:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         clientAuthType: foobar
       sniStrict: true
     Options1:
       minVersion: foobar
+      maxVersion: foobar
       cipherSuites:
         - foobar
         - foobar
+      curvePreferences:
+      - foobar
+      - foobar
       clientAuth:
         caFiles:
-          - foobar
-          - foobar
+        - foobar
+        - foobar
         clientAuthType: foobar
       sniStrict: true
   stores:

docs/content/reference/dynamic-configuration/kubernetes-crd-definition.yml

@@ -0,0 +1,73 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutes.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRoute
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced

docs/content/reference/dynamic-configuration/kubernetes-crd-ingressroutetcp-definition.yml

@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced

docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

@@ -0,0 +1,57 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: default

docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml

@@ -0,0 +1,157 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr2
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: s1
+        weight: 1
+        port: 80
+        # Optional, as it is the default value
+        kind: Service
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr1
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: wrr2
+        kind: TraefikService
+        weight: 1
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror1
+  namespace: default
+
+spec:
+  mirroring:
+    name: s1
+    port: 80
+    mirrors:
+      - name: s3
+        percent: 20
+        port: 80
+      - name: mirror2
+        kind: TraefikService
+        percent: 20
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror2
+  namespace: default
+
+spec:
+  mirroring:
+    name: wrr2
+    kind: TraefikService
+    mirrors:
+      - name: s2
+        # Optional, as it is the default value
+        kind: Service
+        percent: 20
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroute
+spec:
+  entryPoints:
+    - web
+    - web-secure
+  routes:
+    - match: Host(`foo.com`) && PathPrefix(`/bar`)
+      kind: Rule
+      priority: 12
+      # defining several services is possible and allowed, but for now the servers of
+      # all the services (for a given route) get merged altogether under the same
+      # load-balancing strategy.
+      services:
+        - name: s1
+          port: 80
+          healthCheck:
+            path: /health
+            host: baz.com
+            intervalSeconds: 7
+            timeoutSeconds: 60
+          # strategy defines the load balancing strategy between the servers. It defaults
+          # to Round Robin, and for now only Round Robin is supported anyway.
+          strategy: RoundRobin
+        - name: s2
+          port: 433
+          healthCheck:
+            path: /health
+            host: baz.com
+            intervalSeconds: 7
+            timeoutSeconds: 60
+    - match: PathPrefix(`/misc`)
+      services:
+        - name: s3
+          port: 80
+      middlewares:
+        - name: stripprefix
+        - name: addprefix
+    - match: PathPrefix(`/misc`)
+      services:
+        - name: s3
+          # Optional, as it is the default value
+          kind: Service
+          port: 8443
+          # scheme allow to override the scheme for the service. (ex: https or h2c)
+          scheme: https
+    - match: PathPrefix(`/lb`)
+      services:
+        - name: wrr1
+          kind: TraefikService
+    - match: PathPrefix(`/mirrored`)
+      services:
+        - name: mirror1
+          kind: TraefikService
+  # use an empty tls object for TLS with Let's Encrypt
+  tls:
+    secretName: supersecret
+    options:
+      name: myTLSOption
+      namespace: default
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ingressroutetcp.crd
+  namespace: default
+
+spec:
+  entryPoints:
+    - footcp
+  routes:
+    - match: HostSNI(`bar.com`)
+      services:
+        - name: whoamitcp
+          port: 8080
+  tls:
+    secretName: foosecret
+    passthrough: false
+    options:
+      name: myTLSOption
+      namespace: default

docs/content/reference/dynamic-configuration/kubernetes-crd.md

@@ -3,6 +3,20 @@
 Dynamic configuration with Kubernetes Custom Resource
 {: .subtitle }
 
+## Definitions
+
 ```yaml
---8<-- "content/reference/dynamic-configuration/kubernetes-crd.yml"
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+```
+
+## Resources
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-resource.yml"
+```
+
+## RBAC
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
 ```

docs/content/reference/dynamic-configuration/kubernetes-crd.yml

@@ -56,6 +56,94 @@ spec:
     singular: ingressroutetcp
   scope: Namespaced
 
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr2
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: s1
+        weight: 1
+        port: 80
+        # Optional, as it is the default value
+        kind: Service
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr1
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: wrr2
+        kind: TraefikService
+        weight: 1
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror1
+  namespace: default
+
+spec:
+  mirroring:
+    name: s1
+    port: 80
+    mirrors:
+      - name: s3
+        percent: 20
+        port: 80
+      - name: mirror2
+        kind: TraefikService
+        percent: 20
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror2
+  namespace: default
+
+spec:
+  mirroring:
+    name: wrr2
+    kind: TraefikService
+    mirrors:
+      - name: s2
+        # Optional, as it is the default value
+        kind: Service
+        percent: 20
+        port: 80
+
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
@@ -100,9 +188,19 @@ spec:
     - match: PathPrefix(`/misc`)
       services:
         - name: s3
+          # Optional, as it is the default value
+          kind: Service
           port: 8443
           # scheme allow to override the scheme for the service. (ex: https or h2c)
           scheme: https
+    - match: PathPrefix(`/lb`)
+      services:
+        - name: wrr1
+          kind: TraefikService
+    - match: PathPrefix(`/mirrored`)
+      services:
+        - name: mirror1
+          kind: TraefikService
   # use an empty tls object for TLS with Let's Encrypt
   tls:
     secretName: supersecret

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -103,6 +103,7 @@
 "traefik.http.middlewares.middleware17.replacepathregex.regex": "foobar",
 "traefik.http.middlewares.middleware17.replacepathregex.replacement": "foobar",
 "traefik.http.middlewares.middleware18.retry.attempts": "42",
+"traefik.http.middlewares.middleware19.stripprefix.forceslash": "true",
 "traefik.http.middlewares.middleware19.stripprefix.prefixes": "foobar, foobar",
 "traefik.http.middlewares.middleware20.stripprefixregex.regex": "foobar, foobar",
 "traefik.http.routers.router0.entrypoints": "foobar, foobar",
@@ -110,7 +111,6 @@
 "traefik.http.routers.router0.priority": "42",
 "traefik.http.routers.router0.rule": "foobar",
 "traefik.http.routers.router0.service": "foobar",
-"traefik.http.routers.router0.tls": "true",
 "traefik.http.routers.router0.tls.certresolver": "foobar",
 "traefik.http.routers.router0.tls.domains[0].main": "foobar",
 "traefik.http.routers.router0.tls.domains[0].sans": "foobar, foobar",
@@ -122,49 +122,30 @@
 "traefik.http.routers.router1.priority": "42",
 "traefik.http.routers.router1.rule": "foobar",
 "traefik.http.routers.router1.service": "foobar",
-"traefik.http.routers.router1.tls": "true",
 "traefik.http.routers.router1.tls.certresolver": "foobar",
 "traefik.http.routers.router1.tls.domains[0].main": "foobar",
 "traefik.http.routers.router1.tls.domains[0].sans": "foobar, foobar",
 "traefik.http.routers.router1.tls.domains[1].main": "foobar",
 "traefik.http.routers.router1.tls.domains[1].sans": "foobar, foobar",
 "traefik.http.routers.router1.tls.options": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.headers.name0": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.headers.name1": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.hostname": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.interval": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.path": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.port": "42",
-"traefik.http.services.service0.loadbalancer.healthcheck.scheme": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.timeout": "foobar",
-"traefik.http.services.service0.loadbalancer.passhostheader": "true",
-"traefik.http.services.service0.loadbalancer.responseforwarding.flushinterval": "foobar",
-"traefik.http.services.service0.loadbalancer.sticky": "true",
-"traefik.http.services.service0.loadbalancer.sticky.cookie.httponly": "true",
-"traefik.http.services.service0.loadbalancer.sticky.cookie.name": "foobar",
-"traefik.http.services.service0.loadbalancer.sticky.cookie.secure": "true",
-"traefik.http.services.service0.loadbalancer.server.port": "foobar",
-"traefik.http.services.service0.loadbalancer.server.scheme": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.headers.name0": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.headers.name1": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.hostname": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.interval": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.path": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.port": "42",
-"traefik.http.services.service1.loadbalancer.healthcheck.scheme": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.timeout": "foobar",
-"traefik.http.services.service1.loadbalancer.passhostheader": "true",
-"traefik.http.services.service1.loadbalancer.responseforwarding.flushinterval": "foobar",
-"traefik.http.services.service1.loadbalancer.sticky": "true",
-"traefik.http.services.service1.loadbalancer.sticky.cookie.httponly": "true",
-"traefik.http.services.service1.loadbalancer.sticky.cookie.name": "foobar",
-"traefik.http.services.service1.loadbalancer.sticky.cookie.secure": "true",
-"traefik.http.services.service1.loadbalancer.server.port": "foobar",
-"traefik.http.services.service1.loadbalancer.server.scheme": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.headers.name0": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.headers.name1": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.hostname": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.interval": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.path": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.port": "42",
+"traefik.http.services.service01.loadbalancer.healthcheck.scheme": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.timeout": "foobar",
+"traefik.http.services.service01.loadbalancer.passhostheader": "true",
+"traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval": "foobar",
+"traefik.http.services.service01.loadbalancer.sticky.cookie.httponly": "true",
+"traefik.http.services.service01.loadbalancer.sticky.cookie.name": "foobar",
+"traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
+"traefik.http.services.service01.loadbalancer.server.port": "foobar",
+"traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
 "traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter0.rule": "foobar",
 "traefik.tcp.routers.tcprouter0.service": "foobar",
-"traefik.tcp.routers.tcprouter0.tls": "true",
 "traefik.tcp.routers.tcprouter0.tls.certresolver": "foobar",
 "traefik.tcp.routers.tcprouter0.tls.domains[0].main": "foobar",
 "traefik.tcp.routers.tcprouter0.tls.domains[0].sans": "foobar, foobar",
@@ -175,7 +156,6 @@
 "traefik.tcp.routers.tcprouter1.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter1.rule": "foobar",
 "traefik.tcp.routers.tcprouter1.service": "foobar",
-"traefik.tcp.routers.tcprouter1.tls": "true",
 "traefik.tcp.routers.tcprouter1.tls.certresolver": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.domains[0].main": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.domains[0].sans": "foobar, foobar",
@@ -183,7 +163,5 @@
 "traefik.tcp.routers.tcprouter1.tls.domains[1].sans": "foobar, foobar",
 "traefik.tcp.routers.tcprouter1.tls.options": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.passthrough": "true",
-"traefik.tcp.services.tcpservice0.loadbalancer.server.port": "foobar",
-"traefik.tcp.services.tcpservice0.loadbalancer.terminationDelay": "100",
-"traefik.tcp.services.tcpservice1.loadbalancer.server.port": "foobar"
-"traefik.tcp.services.tcpservice1.loadbalancer.terminationDelay": "100",
+"traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay": "42",
+"traefik.tcp.services.tcpservice01.loadbalancer.server.port": "foobar",

docs/content/reference/static-configuration/cli-ref.md

@@ -213,6 +213,9 @@ Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000
 `--metrics.prometheus.entrypoint`:  
 EntryPoint (Default: ```traefik```)
 
+`--metrics.prometheus.manualrouting`:  
+Manual routing (Default: ```false```)
+
 `--metrics.statsd`:  
 StatsD metrics exporter type. (Default: ```false```)
 
@@ -225,6 +228,9 @@ StatsD address. (Default: ```localhost:8125```)
 `--metrics.statsd.addserviceslabels`:  
 Enable metrics on services. (Default: ```true```)
 
+`--metrics.statsd.prefix`:  
+Prefix to use for metrics collection. (Default: ```traefik```)
+
 `--metrics.statsd.pushinterval`:  
 StatsD push interval. (Default: ```10```)
 
@@ -234,6 +240,69 @@ Enable ping. (Default: ```false```)
 `--ping.entrypoint`:  
 EntryPoint (Default: ```traefik```)
 
+`--ping.manualrouting`:  
+Manual routing (Default: ```false```)
+
+`--providers.consulcatalog.cache`:  
+Use local agent caching for catalog reads. (Default: ```false```)
+
+`--providers.consulcatalog.constraints`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`--providers.consulcatalog.defaultrule`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`--providers.consulcatalog.endpoint.address`:  
+The address of the Consul server (Default: ```http://127.0.0.1:8500```)
+
+`--providers.consulcatalog.endpoint.datacenter`:  
+Data center to use. If not provided, the default agent data center is used
+
+`--providers.consulcatalog.endpoint.endpointwaittime`:  
+WaitTime limits how long a Watch will block. If not provided, the agent default values will be used (Default: ```0```)
+
+`--providers.consulcatalog.endpoint.httpauth.password`:  
+Basic Auth password
+
+`--providers.consulcatalog.endpoint.httpauth.username`:  
+Basic Auth username
+
+`--providers.consulcatalog.endpoint.scheme`:  
+The URI scheme for the Consul server
+
+`--providers.consulcatalog.endpoint.tls.ca`:  
+TLS CA
+
+`--providers.consulcatalog.endpoint.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.consulcatalog.endpoint.tls.cert`:  
+TLS cert
+
+`--providers.consulcatalog.endpoint.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.consulcatalog.endpoint.tls.key`:  
+TLS key
+
+`--providers.consulcatalog.endpoint.token`:  
+Token is used to provide a per-request ACL token which overrides the agent's default token
+
+`--providers.consulcatalog.exposedbydefault`:  
+Expose containers by default. (Default: ```true```)
+
+`--providers.consulcatalog.prefix`:  
+Prefix for consul service tags. Default 'traefik' (Default: ```traefik```)
+
+`--providers.consulcatalog.refreshinterval`:  
+Interval for check Consul API. Default 100ms (Default: ```15```)
+
+`--providers.consulcatalog.requireconsistent`:  
+Forces the read to be fully consistent. (Default: ```false```)
+
+`--providers.consulcatalog.stale`:  
+Use stale consistency for catalog reads. (Default: ```false```)
+
 `--providers.docker`:  
 Enable Docker backend with default settings. (Default: ```false```)
 
@@ -529,7 +598,7 @@ Specifies the header name that will be used to store the trace ID.
 Settings for Instana. (Default: ```false```)
 
 `--tracing.instana.localagenthost`:  
-Set instana-agent's host that the reporter will used. (Default: ```localhost```)
+Set instana-agent's host that the reporter will used.
 
 `--tracing.instana.localagentport`:  
 Set instana-agent's port that the reporter will used. (Default: ```42699```)

docs/content/reference/static-configuration/env-ref.md

@@ -213,6 +213,9 @@ Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000
 `TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:  
 EntryPoint (Default: ```traefik```)
 
+`TRAEFIK_METRICS_PROMETHEUS_MANUALROUTING`:  
+Manual routing (Default: ```false```)
+
 `TRAEFIK_METRICS_STATSD`:  
 StatsD metrics exporter type. (Default: ```false```)
 
@@ -225,6 +228,9 @@ StatsD address. (Default: ```localhost:8125```)
 `TRAEFIK_METRICS_STATSD_ADDSERVICESLABELS`:  
 Enable metrics on services. (Default: ```true```)
 
+`TRAEFIK_METRICS_STATSD_PREFIX`:  
+Prefix to use for metrics collection. (Default: ```traefik```)
+
 `TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
 StatsD push interval. (Default: ```10```)
 
@@ -234,6 +240,69 @@ Enable ping. (Default: ```false```)
 `TRAEFIK_PING_ENTRYPOINT`:  
 EntryPoint (Default: ```traefik```)
 
+`TRAEFIK_PING_MANUALROUTING`:  
+Manual routing (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_CACHE`:  
+Use local agent caching for catalog reads. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_CONSTRAINTS`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_DEFAULTRULE`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_ADDRESS`:  
+The address of the Consul server (Default: ```http://127.0.0.1:8500```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_DATACENTER`:  
+Data center to use. If not provided, the default agent data center is used
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_ENDPOINTWAITTIME`:  
+WaitTime limits how long a Watch will block. If not provided, the agent default values will be used (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_HTTPAUTH_PASSWORD`:  
+Basic Auth password
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_HTTPAUTH_USERNAME`:  
+Basic Auth username
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_SCHEME`:  
+The URI scheme for the Consul server
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TOKEN`:  
+Token is used to provide a per-request ACL token which overrides the agent's default token
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_EXPOSEDBYDEFAULT`:  
+Expose containers by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_PREFIX`:  
+Prefix for consul service tags. Default 'traefik' (Default: ```traefik```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_REFRESHINTERVAL`:  
+Interval for check Consul API. Default 100ms (Default: ```15```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_REQUIRECONSISTENT`:  
+Forces the read to be fully consistent. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_STALE`:  
+Use stale consistency for catalog reads. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_DOCKER`:  
 Enable Docker backend with default settings. (Default: ```false```)
 
@@ -529,7 +598,7 @@ Specifies the header name that will be used to store the trace ID.
 Settings for Instana. (Default: ```false```)
 
 `TRAEFIK_TRACING_INSTANA_LOCALAGENTHOST`:  
-Set instana-agent's host that the reporter will used. (Default: ```localhost```)
+Set instana-agent's host that the reporter will used.
 
 `TRAEFIK_TRACING_INSTANA_LOCALAGENTPORT`:  
 Set instana-agent's port that the reporter will used. (Default: ```42699```)

docs/content/reference/static-configuration/file.toml

@@ -108,6 +108,27 @@
     refreshSeconds = 42
     intervalPoll = true
     prefix = "foobar"
+  [providers.consulCatalog]
+    constraints = "foobar"
+    prefix = "traefik"
+    defaultRule = "foobar"
+    exposedByDefault = true
+    refreshInterval = 15
+    requireConsistent = true
+    stale = true
+    cache = true
+    [providers.consulCatalog.endpoint]
+     address = "foobar"
+     scheme = "foobar"
+     datacenter = "foobar"
+     token = "foobar"
+     endpointWaitTime = "15s"
+     [providers.consulCatalog.endpoint.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      key = "foobar"
+      insecureSkipVerify = true
 
 [api]
   insecure = true
@@ -120,6 +141,7 @@
     addEntryPointsLabels = true
     addServicesLabels = true
     entryPoint = "foobar"
+    manualRouting = true
   [metrics.datadog]
     address = "foobar"
     pushInterval = "10s"
@@ -130,6 +152,7 @@
     pushInterval = "10s"
     addEntryPointsLabels = true
     addServicesLabels = true
+    prefix = "traefik"
   [metrics.influxDB]
     address = "foobar"
     protocol = "foobar"
@@ -143,6 +166,7 @@
 
 [ping]
   entryPoint = "foobar"
+  manualRouting = true
 
 [log]
   level = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -115,6 +115,27 @@ providers:
     refreshSeconds: 42
     intervalPoll: true
     prefix: foobar
+  consulCatalog:
+    constraints: foobar
+    prefix: traefik
+    defaultRule: foobar
+    exposedByDefault: true
+    refreshInterval: 15
+    requireConsistent: true
+    stale: true
+    cache: true
+    endpoint:
+      address: foobar
+      scheme: foobar
+      datacenter: foobar
+      token: foobar
+      endpointWaitTime: 15s
+      tls:
+        ca: foobar
+        caOptional: true
+        cert: foobar
+        key: foobar
+        insecureSkipVerify: true
 api:
   insecure: true
   dashboard: true
@@ -127,6 +148,7 @@ metrics:
     addEntryPointsLabels: true
     addServicesLabels: true
     entryPoint: foobar
+    manualRouting: true
   datadog:
     address: foobar
     pushInterval: 42
@@ -137,6 +159,7 @@ metrics:
     pushInterval: 42
     addEntryPointsLabels: true
     addServicesLabels: true
+    prefix: traefik
   influxDB:
     address: foobar
     protocol: foobar
@@ -149,6 +172,7 @@ metrics:
     addServicesLabels: true
 ping:
   entryPoint: foobar
+  manualRouting: true
 log:
   level: foobar
   filePath: foobar

docs/content/routing/entrypoints.md

@@ -41,7 +41,7 @@ They define the port which will receive the requests (whether HTTP or TCP).
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     ```
     
@@ -51,18 +51,18 @@ They define the port which will receive the requests (whether HTTP or TCP).
       web:
         address: ":80"
      
-      web-secure:
+      websecure:
         address: ":443"
     ```
     
     ```bash tab="CLI"
     ## Static configuration
     --entryPoints.web.address=:80
-    --entryPoints.web-secure.address=:443
+    --entryPoints.websecure.address=:443
     ```
 
-    - Two entrypoints are defined: one called `web`, and the other called `web-secure`.
-    - `web` listens on port `80`, and `web-secure` on port `443`. 
+    - Two entrypoints are defined: one called `web`, and the other called `websecure`.
+    - `web` listens on port `80`, and `websecure` on port `443`. 
 
 ## Configuration
 
@@ -128,9 +128,9 @@ You can define them using a toml file, CLI arguments, or a key-value store.
     --entryPoints.name.transport.respondingTimeouts.writeTimeout=42
     --entryPoints.name.transport.respondingTimeouts.idleTimeout=42
     --entryPoints.name.proxyProtocol.insecure=true
-    --entryPoints.name.proxyProtocol.trustedIPs="127.0.0.1,192.168.0.1"
+    --entryPoints.name.proxyProtocol.trustedIPs=127.0.0.1,192.168.0.1
     --entryPoints.name.forwardedHeaders.insecure=true
-    --entryPoints.name.forwardedHeaders.trustedIPs="127.0.0.1,192.168.0.1"
+    --entryPoints.name.forwardedHeaders.trustedIPs=127.0.0.1,192.168.0.1
     ```
 
 ### Forwarded Header

docs/content/routing/overview.md

@@ -33,9 +33,9 @@ Static configuration:
     address = ":8081"
 
 [providers]
-  # Enable the file provider to define routers / middlewares / services in a file
+  # Enable the file provider to define routers / middlewares / services in file
   [providers.file]
-    filename = "dynamic_conf.toml"
+    directory = "/path/to/dynamic/conf"
 ```
 
 ```yaml tab="File (YAML)"
@@ -45,17 +45,17 @@ entryPoints:
     address: :8081
 
 providers:
-  # Enable the file provider to define routers / middlewares / services in a file
+  # Enable the file provider to define routers / middlewares / services in file
   file:
-    filename: dynamic_conf.yml
+    directory: /path/to/dynamic/conf
 ```
 
 ```bash tab="CLI"
 # Listen on port 8081 for incoming requests
 --entryPoints.web.address=:8081
 
-# Enable the file provider to define routers / middlewares / services in a file
---providers.file.filename=dynamic_conf.toml
+# Enable the file provider to define routers / middlewares / services in file
+--providers.file.directory=/path/to/dynamic/conf
 ```
 
 Dynamic configuration:
@@ -133,9 +133,9 @@ http:
             address = ":8081"
 
         [providers]
-          # Enable the file provider to define routers / middlewares / services in a file
+          # Enable the file provider to define routers / middlewares / services in file
           [providers.file]
-            filename = "dynamic_conf.toml"
+            directory = "/path/to/dynamic/conf"
         ```
         
         ```yaml tab="File (YAML)"
@@ -144,17 +144,17 @@ http:
             # Listen on port 8081 for incoming requests
             address: :8081
         providers:
-          # Enable the file provider to define routers / middlewares / services in a file
+          # Enable the file provider to define routers / middlewares / services in file
           file:
-            filename: dynamic_conf.yml
+            directory: /path/to/dynamic/conf
         ```
         
         ```bash tab="CLI"
         # Listen on port 8081 for incoming requests
-        --entryPoints.web.address=":8081"
+        --entryPoints.web.address=:8081
         
-        # Enable the file provider to define routers / middlewares / services in a file
-        --providers.file.filename=dynamic_conf.toml
+        # Enable the file provider to define routers / middlewares / services in file
+        --providers.file.directory=/path/to/dynamic/conf
         ```
         
         **Dynamic Configuration**
@@ -235,3 +235,168 @@ http:
                 servers:
                 - address: xx.xx.xx.xx:xx
         ```
+
+## Transport configuration
+
+Most of what happens to the connection between the clients and Traefik,
+and then between Traefik and the backend servers, is configured through the
+[entrypoints](../entrypoints) and the [routers](../routers).
+
+In addition, a few parameters are dedicated to configuring globally
+what happens with the connections between Traefik and the backends.
+This is done through the `serversTransport` section of the configuration,
+which features these options:
+
+### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+`insecureSkipVerify` disables SSL certificate verification.
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+  insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.insecureSkipVerify=true
+```
+
+### `rootCAs`
+
+_Optional_
+
+`rootCAs` is the list of certificates (as file paths, or data bytes)
+that will be set as Root Certificate Authorities when using a self-signed TLS certificate.
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport]
+  rootCAs = ["foo.crt", "bar.crt"]
+```
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+  rootCAs:
+    - foo.crt
+    - bar.crt
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.rootCAs=foo.crt,bar.crt
+```
+
+### `maxIdleConnsPerHost`
+
+_Optional, Default=2_
+
+If non-zero, `maxIdleConnsPerHost` controls the maximum idle (keep-alive) connections to keep per-host.
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport]
+  maxIdleConnsPerHost = 7
+```
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+  maxIdleConnsPerHost: 7
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.maxIdleConnsPerHost=7
+```
+
+### `forwardingTimeouts`
+
+`forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.
+
+#### forwardingTimeouts.dialTimeout`
+
+_Optional, Default=30s_
+
+`dialTimeout` is the maximum duration allowed for a connection to a backend server to be established.
+Zero means no timeout.
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport.forwardingTimeouts]
+  dialTimeout = "1s"
+```
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+  forwardingTimeouts:
+    dialTimeout: 1s
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.forwardingTimeouts.dialTimeout=1s
+```
+
+#### forwardingTimeouts.responseHeaderTimeout`
+
+_Optional, Default=0s_
+
+`responseHeaderTimeout`, if non-zero, specifies the amount of time to wait for a server's response headers
+after fully writing the request (including its body, if any).
+This time does not include the time to read the response body.
+Zero means no timeout.
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport.forwardingTimeouts]
+  responseHeaderTimeout = "1s"
+```
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+  forwardingTimeouts:
+    responseHeaderTimeout: 1s
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.forwardingTimeouts.responseHeaderTimeout=1s
+```
+
+#### forwardingTimeouts.idleConnTimeout`
+
+_Optional, Default=90s_
+
+`idleConnTimeout`, is the maximum amount of time an idle (keep-alive) connection
+will remain idle before closing itself.
+Zero means no limit.
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport.forwardingTimeouts]
+  idleConnTimeout = "1s"
+```
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+  forwardingTimeouts:
+    idleConnTimeout: 1s
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.forwardingTimeouts.idleConnTimeout=1s
+```