chore: skip openbsd/freebsd arm64

Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.0
+- for Traefik v2: use branch v2.1
 
 Bug fixes:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.0
+- for Traefik v2: use branch v2.1
 
 Enhancements:
 - for Traefik v1: we only accept bug fixes

.golangci.toml

@@ -47,6 +47,7 @@
     "gocognit",
     "bodyclose", # Too many false-positive and panics.
     "wsl", # Too strict
+    "gomnd", # Too strict
     "stylecheck", # skip because report issues related to some generated files.
   ]
 
@@ -92,6 +93,15 @@
  [[issues.exclude-rules]]
     path = "cmd/configuration.go"
     text = "string `traefik` has (\\d) occurrences, make it a constant"
+ [[issues.exclude-rules]]
+    path = "pkg/server/middleware/middlewares.go"
+    text = "Function 'buildConstructor' is too long \\(\\d+ > 230\\)"
  [[issues.exclude-rules]] # FIXME must be fixed
     path = "cmd/context.go"
     text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/haystack/logger.go"
+    linters = ["goprintffuncname"]
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/tracing.go"
+    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"

.goreleaser.yml

@@ -34,8 +34,10 @@ builds:
         goarch: 386
       - goos: openbsd
         goarch: arm
+      - goos: openbsd
+        goarch: arm64
       - goos: freebsd
-        goarch: arm
+        goarch: arm64
 
 changelog:
   skip: true

.semaphoreci/vars

@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=montdor
+export CODENAME=cantal
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -11,7 +11,7 @@ env:
   global:
     - REPO=$TRAVIS_REPO_SLUG
     - VERSION=$TRAVIS_TAG
-    - CODENAME=montdor
+    - CODENAME=cantal
     - GO111MODULE=on
 
 script:

CHANGELOG.md

@@ -1,3 +1,283 @@
+## [v2.1.7](https://github.com/containous/traefik/tree/v2.1.7) (2020-03-18)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.6...v2.1.7)
+
+**Bug fixes:**
+- **[logs,middleware]** Access log field quotes. ([#6484](https://github.com/containous/traefik/pull/6484) by [ldez](https://github.com/ldez))
+- **[metrics]** fix statsd scale for duration based metrics ([#6054](https://github.com/containous/traefik/pull/6054) by [ddtmachado](https://github.com/ddtmachado))
+- **[middleware]** Added support for replacement containing escaped characters ([#6413](https://github.com/containous/traefik/pull/6413) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[acme,docker]** Add some missing doc. ([#6422](https://github.com/containous/traefik/pull/6422) by [ldez](https://github.com/ldez))
+- **[acme]** Added wildcard ACME example ([#6423](https://github.com/containous/traefik/pull/6423) by [Basster](https://github.com/Basster))
+- **[acme]** fix typo ([#6408](https://github.com/containous/traefik/pull/6408) by [hamiltont](https://github.com/hamiltont))
+
+## [v2.1.6](https://github.com/containous/traefik/tree/v2.1.6) (2020-02-28)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.4...v2.1.6)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v3.4.0 ([#6376](https://github.com/containous/traefik/pull/6376) by [ldez](https://github.com/ldez))
+- **[api]** Return an error when ping is not enabled. ([#6304](https://github.com/containous/traefik/pull/6304) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Early filter of the catalog services. ([#6307](https://github.com/containous/traefik/pull/6307) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** fix: consul-catalog uses port from label instead of item port. ([#6345](https://github.com/containous/traefik/pull/6345) by [ldez](https://github.com/ldez))
+- **[file]** fix: YML example of template for the file provider. ([#6402](https://github.com/containous/traefik/pull/6402) by [ldez](https://github.com/ldez))
+- **[file]** Allow fsnotify to reload config files on k8s (or symlinks) ([#5037](https://github.com/containous/traefik/pull/5037) by [dtomcej](https://github.com/dtomcej))
+- **[healthcheck]** Launch healthcheck only one time instead of two ([#6372](https://github.com/containous/traefik/pull/6372) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/crd,k8s/ingress]** Fix secret informer load ([#6364](https://github.com/containous/traefik/pull/6364) by [mmatur](https://github.com/mmatur))
+- **[k8s,k8s/crd]** Use consistent protocol determination ([#6365](https://github.com/containous/traefik/pull/6365) by [dtomcej](https://github.com/dtomcej))
+- **[k8s,k8s/crd]** fix: use the right error in the log ([#6311](https://github.com/containous/traefik/pull/6311) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[provider]** Don't throw away valid configuration updates ([#5952](https://github.com/containous/traefik/pull/5952) by [zaphod42](https://github.com/zaphod42))
+- **[tls]** Consider SSLv2 as TLS in order to close the handshake correctly ([#6371](https://github.com/containous/traefik/pull/6371) by [juliens](https://github.com/juliens))
+- **[tracing]** Fix docs and code to match in haystack tracing. ([#6352](https://github.com/containous/traefik/pull/6352) by [evanlurvey](https://github.com/evanlurvey))
+
+**Documentation:**
+- **[acme]** Improve documentation. ([#6324](https://github.com/containous/traefik/pull/6324) by [ldez](https://github.com/ldez))
+- **[file]** Add information about filename and directory options. ([#6333](https://github.com/containous/traefik/pull/6333) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/ingress]** Docs: Clarifying format of ingress endpoint service name ([#6306](https://github.com/containous/traefik/pull/6306) by [BretFisher](https://github.com/BretFisher))
+- **[k8s/crd]** fix: dashboard example with k8s CRD. ([#6330](https://github.com/containous/traefik/pull/6330) by [ldez](https://github.com/ldez))
+- **[middleware,k8s]** Fix formatting in "Kubernetes Namespace" block ([#6305](https://github.com/containous/traefik/pull/6305) by [berekuk](https://github.com/berekuk))
+- **[tls]** Remove TLS cipher suites for TLS minVersion 1.3 ([#6328](https://github.com/containous/traefik/pull/6328) by [rYR79435](https://github.com/rYR79435))
+- **[tls]** Fix typo in the godoc of TLS option MaxVersion ([#6347](https://github.com/containous/traefik/pull/6347) by [pschaub](https://github.com/pschaub))
+- Use explicitly the word Kubernetes in the migration guide. ([#6380](https://github.com/containous/traefik/pull/6380) by [ldez](https://github.com/ldez))
+- Minor readme improvements ([#6293](https://github.com/containous/traefik/pull/6293) by [Rowayda-Khayri](https://github.com/Rowayda-Khayri))
+- Added link to community forum ([#6283](https://github.com/containous/traefik/pull/6283) by [isaacnewtonfx](https://github.com/isaacnewtonfx))
+
+## [v2.1.5](https://github.com/containous/traefik/tree/v2.1.5) (2020-02-28)
+
+Skipped.
+
+## [v2.1.4](https://github.com/containous/traefik/tree/v2.1.4) (2020-02-06)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.3...v2.1.4)
+
+**Bug fixes:**
+- **[acme,logs]** Improvement of the certificates resolvers logs ([#6225](https://github.com/containous/traefik/pull/6225) by [ldez](https://github.com/ldez))
+- **[acme]** Fix kubernetes providers shutdown and clean safe.Pool ([#6244](https://github.com/containous/traefik/pull/6244) by [juliens](https://github.com/juliens))
+- **[authentication,middleware]** don't create http client for each request in forwardAuth middleware ([#6267](https://github.com/containous/traefik/pull/6267) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/ingress]** Allow wildcard hosts in ingress provider ([#6251](https://github.com/containous/traefik/pull/6251) by [dtomcej](https://github.com/dtomcej))
+- **[logs,tls]** Properly purge default certificate from stores before logging ([#6281](https://github.com/containous/traefik/pull/6281) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** use provider-qualified name when recursing for chain ([#6233](https://github.com/containous/traefik/pull/6233) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- **[acme,cli]** Documentation fix for acme.md CLI ([#6262](https://github.com/containous/traefik/pull/6262) by [altano](https://github.com/altano))
+- **[acme,k8s/crd]** Add missing certResolver in IngressRoute examples. ([#6265](https://github.com/containous/traefik/pull/6265) by [ldez](https://github.com/ldez))
+- **[k8s]** fix a typo ([#6279](https://github.com/containous/traefik/pull/6279) by [silenceshell](https://github.com/silenceshell))
+- **[middleware]** Minor documentation tweaks. ([#6218](https://github.com/containous/traefik/pull/6218) by [stevegroom](https://github.com/stevegroom))
+- Correct a trivial spelling mistake in the documentation. ([#6269](https://github.com/containous/traefik/pull/6269) by [nepella](https://github.com/nepella))
+- Update install-traefik.md ([#6260](https://github.com/containous/traefik/pull/6260) by [bitfactory-sander-lissenburg](https://github.com/bitfactory-sander-lissenburg))
+- doc: use the same entry point name everywhere ([#6219](https://github.com/containous/traefik/pull/6219) by [ldez](https://github.com/ldez))
+- readme: update links to use HTTPS ([#6274](https://github.com/containous/traefik/pull/6274) by [imba-tjd](https://github.com/imba-tjd))
+
+## [v2.1.3](https://github.com/containous/traefik/tree/v2.1.3) (2020-01-21)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.2...v2.1.3)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v3.3.0 ([#6192](https://github.com/containous/traefik/pull/6192) by [shilch](https://github.com/shilch))
+- **[docker]** Use the calculated port when useBindPortIP is enabled ([#6199](https://github.com/containous/traefik/pull/6199) by [juliens](https://github.com/juliens))
+- **[docker]** fix: invalid service definition. ([#6198](https://github.com/containous/traefik/pull/6198) by [ldez](https://github.com/ldez))
+- **[server]** Remove Content-Type auto-detection ([#6097](https://github.com/containous/traefik/pull/6097) by [juliens](https://github.com/juliens))
+- **[service]** fix memleak in safe.Pool ([#6140](https://github.com/containous/traefik/pull/6140) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- **[docker]** Fix typo in docker routing documentation ([#6147](https://github.com/containous/traefik/pull/6147) by [tvrg](https://github.com/tvrg))
+- **[k8s]** Fixed typo in k8s doc ([#6163](https://github.com/containous/traefik/pull/6163) by [MyIgel](https://github.com/MyIgel))
+- **[marathon]** Fix typo in Marathon doc. ([#6150](https://github.com/containous/traefik/pull/6150) by [thatshubham](https://github.com/thatshubham))
+- **[middleware]** Adding an explanation how to use `htpasswd` for k8s secret ([#6194](https://github.com/containous/traefik/pull/6194) by [jamct](https://github.com/jamct))
+- doc: adds an explanation of the global redirection pattern. ([#6195](https://github.com/containous/traefik/pull/6195) by [ldez](https://github.com/ldez))
+- Fix small typo in user-guides documentation ([#6154](https://github.com/containous/traefik/pull/6154) by [evert-arias](https://github.com/evert-arias))
+
+## [v2.1.2](https://github.com/containous/traefik/tree/v2.1.2) (2020-01-07)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.1...v2.1.2)
+
+**Bug fixes:**
+- **[authentication,middleware,tracing]** fix(tracing): makes sure tracing headers are being propagated when using forwardAuth ([#6072](https://github.com/containous/traefik/pull/6072) by [jcchavezs](https://github.com/jcchavezs))
+- **[cli]** fix: invalid label/flag parsing. ([#6028](https://github.com/containous/traefik/pull/6028) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Query consul catalog for service health separately ([#6046](https://github.com/containous/traefik/pull/6046) by [SantoDE](https://github.com/SantoDE))
+- **[k8s,k8s/crd]** Restore ExternalName https support for Kubernetes CRD ([#6037](https://github.com/containous/traefik/pull/6037) by [kpeiruza](https://github.com/kpeiruza))
+- **[k8s,k8s/crd]** Log the ignored namespace only when needed ([#6087](https://github.com/containous/traefik/pull/6087) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** k8s Ingress: fix crash on rules with nil http ([#6121](https://github.com/containous/traefik/pull/6121) by [grimmy](https://github.com/grimmy))
+- **[logs]** Improves error message when a configuration file is empty. ([#6135](https://github.com/containous/traefik/pull/6135) by [ldez](https://github.com/ldez))
+- **[server]** Handle respondingTimeout and better shutdown tests. ([#6115](https://github.com/containous/traefik/pull/6115) by [juliens](https://github.com/juliens))
+- **[server]** Don't set user-agent to Go-http-client/1.1 ([#6030](https://github.com/containous/traefik/pull/6030) by [sh7dm](https://github.com/sh7dm))
+- **[tracing]** fix: Malformed x-b3-traceid Header ([#6079](https://github.com/containous/traefik/pull/6079) by [ldez](https://github.com/ldez))
+- **[webui]** fix: dashboard redirect loop ([#6078](https://github.com/containous/traefik/pull/6078) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Use consistent name in ACME documentation ([#6019](https://github.com/containous/traefik/pull/6019) by [ldez](https://github.com/ldez))
+- **[api,k8s/crd]** Add a documentation example for dashboard and api for kubernetes CRD ([#6022](https://github.com/containous/traefik/pull/6022) by [dduportal](https://github.com/dduportal))
+- **[cli]** Fix examples for the use of websecure via CLI ([#6116](https://github.com/containous/traefik/pull/6116) by [tiagoboeing](https://github.com/tiagoboeing))
+- **[k8s,k8s/crd]** Improve documentation about Kubernetes IngressRoute ([#6058](https://github.com/containous/traefik/pull/6058) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[middleware]** Improve sourceRange explanation for ipWhiteList ([#6070](https://github.com/containous/traefik/pull/6070) by [der-domi](https://github.com/der-domi))
+
+## [v2.1.1](https://github.com/containous/traefik/tree/v2.1.1) (2019-12-12)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.0...v2.1.1)
+
+**Bug fixes:**
+- **[logs,middleware,metrics]** CloseNotifier: return pointer instead of value ([#6010](https://github.com/containous/traefik/pull/6010) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- Add Migration Guide for Traefik v2.1 ([#6017](https://github.com/containous/traefik/pull/6017) by [SantoDE](https://github.com/SantoDE))
+
+## [v2.1.0](https://github.com/containous/traefik/tree/v2.1.0) (2019-12-10)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.1.0)
+
+**Enhancements:**
+- **[consulcatalog]** Add consul catalog options: requireConsistent, stale, cache ([#5752](https://github.com/containous/traefik/pull/5752) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Add Consul Catalog provider ([#5395](https://github.com/containous/traefik/pull/5395) by [negasus](https://github.com/negasus))
+- **[k8s,k8s/crd,service]** Support for all services kinds (and sticky) in CRD ([#5711](https://github.com/containous/traefik/pull/5711) by [mpl](https://github.com/mpl))
+- **[metrics]** Added configurable prefix for statsd metrics collection ([#5336](https://github.com/containous/traefik/pull/5336) by [schulterklopfer](https://github.com/schulterklopfer))
+- **[middleware]** Conditional compression based on request Content-Type ([#5721](https://github.com/containous/traefik/pull/5721) by [ldez](https://github.com/ldez))
+- **[server]** Add internal provider ([#5815](https://github.com/containous/traefik/pull/5815) by [ldez](https://github.com/ldez))
+- **[tls]** Add support for MaxVersion in tls.Options ([#5650](https://github.com/containous/traefik/pull/5650) by [kmeekva](https://github.com/kmeekva))
+- **[tls]** Add tls option for Elliptic Curve Preferences ([#5466](https://github.com/containous/traefik/pull/5466) by [ksarink](https://github.com/ksarink))
+- **[tracing]** Update jaeger dependencies ([#5637](https://github.com/containous/traefik/pull/5637) by [mmatur](https://github.com/mmatur))
+
+**Bug fixes:**
+- **[api]** fix: debug endpoint when insecure API. ([#5937](https://github.com/containous/traefik/pull/5937) by [ldez](https://github.com/ldez))
+- **[cli]** fix: sub command help ([#5887](https://github.com/containous/traefik/pull/5887) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** fix: consul catalog constraints. ([#5913](https://github.com/containous/traefik/pull/5913) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Service registered with same id on Consul Catalog ([#5900](https://github.com/containous/traefik/pull/5900) by [mmatur](https://github.com/mmatur))
+- **[consulcatalog]** Fix empty address for registering service without IP ([#5826](https://github.com/containous/traefik/pull/5826) by [mmatur](https://github.com/mmatur))
+- **[logs,middleware,metrics]** detect CloseNotify capability in accesslog and metrics ([#5985](https://github.com/containous/traefik/pull/5985) by [mpl](https://github.com/mpl))
+- **[server]** fix: remove double call to server Close. ([#5960](https://github.com/containous/traefik/pull/5960) by [ldez](https://github.com/ldez))
+- **[webui]** Fix weighted service provider icon ([#5983](https://github.com/containous/traefik/pull/5983) by [sh7dm](https://github.com/sh7dm))
+- **[webui]** Fix http/tcp resources pagination ([#5986](https://github.com/containous/traefik/pull/5986) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Use valid condition in the service details panel UI ([#5984](https://github.com/containous/traefik/pull/5984) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[webui]** Web UI: Avoid polling on /api/entrypoints ([#5863](https://github.com/containous/traefik/pull/5863) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Sync toolbar table state with url query params ([#5861](https://github.com/containous/traefik/pull/5861) by [matthieuh](https://github.com/matthieuh))
+
+**Documentation:**
+- **[consulcatalog]** fix: Consul Catalog documentation. ([#5725](https://github.com/containous/traefik/pull/5725) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Fix consul catalog documentation ([#5661](https://github.com/containous/traefik/pull/5661) by [mmatur](https://github.com/mmatur))
+- Prepare release v2.1.0-rc2 ([#5846](https://github.com/containous/traefik/pull/5846) by [ldez](https://github.com/ldez))
+- Prepare release v2.1.0-rc1 ([#5844](https://github.com/containous/traefik/pull/5844) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Several documentation fixes ([#5987](https://github.com/containous/traefik/pull/5987) by [ldez](https://github.com/ldez))
+- Prepare release v2.1.0-rc3 ([#5929](https://github.com/containous/traefik/pull/5929) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- **[cli]** Add custom help function to command ([#5923](https://github.com/containous/traefik/pull/5923) by [Ullaakut](https://github.com/Ullaakut))
+- **[server]** fix: use MaxInt32. ([#5845](https://github.com/containous/traefik/pull/5845) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master ([#5841](https://github.com/containous/traefik/pull/5841) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5749](https://github.com/containous/traefik/pull/5749) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5619](https://github.com/containous/traefik/pull/5619) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5464](https://github.com/containous/traefik/pull/5464) by [ldez](https://github.com/ldez))
+- Merge v2.0.0 into master ([#5402](https://github.com/containous/traefik/pull/5402) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc3 into master ([#5354](https://github.com/containous/traefik/pull/5354) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc1 into master  ([#5253](https://github.com/containous/traefik/pull/5253) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5977](https://github.com/containous/traefik/pull/5977) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5931](https://github.com/containous/traefik/pull/5931) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5928](https://github.com/containous/traefik/pull/5928) by [ldez](https://github.com/ldez))
+
+## [v2.0.7](https://github.com/containous/traefik/tree/v2.0.7) (2019-12-09)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.6...v2.0.7)
+
+**Bug fixes:**
+- **[logs,middleware]** Remove mirroring impact in accesslog ([#5967](https://github.com/containous/traefik/pull/5967) by [juliens](https://github.com/juliens))
+- **[middleware]** fix: PassClientTLSCert middleware separators and formatting ([#5921](https://github.com/containous/traefik/pull/5921) by [ldez](https://github.com/ldez))
+- **[server]** Do not stop to listen on tcp listeners on temporary errors  ([#5935](https://github.com/containous/traefik/pull/5935) by [skwair](https://github.com/skwair))
+
+**Documentation:**
+- **[acme,k8s/crd,k8s/ingress]** Document LE caveats with Kubernetes on v2 ([#5902](https://github.com/containous/traefik/pull/5902) by [dtomcej](https://github.com/dtomcej))
+- **[acme]** The Cloudflare hint for the GLOBAL API KEY for CF MAIL/API_KEY ([#5964](https://github.com/containous/traefik/pull/5964) by [EugenMayer](https://github.com/EugenMayer))
+- **[acme]** Improve documentation for ACME/Let's Encrypt ([#5819](https://github.com/containous/traefik/pull/5819) by [dduportal](https://github.com/dduportal))
+- **[file]** Improve documentation on file provider limitations with file system notifications ([#5939](https://github.com/containous/traefik/pull/5939) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Make trailing slash more prominent for the "secure dashboard setup" too ([#5963](https://github.com/containous/traefik/pull/5963) by [EugenMayer](https://github.com/EugenMayer))
+- Fix Docker example in "Strip and Rewrite Path Prefixes" in migration guide ([#5949](https://github.com/containous/traefik/pull/5949) by [q210](https://github.com/q210))
+- readme: Fix link to file backend/provider documentation ([#5945](https://github.com/containous/traefik/pull/5945) by [hartwork](https://github.com/hartwork))
+
+## [v2.1.0-rc3](https://github.com/containous/traefik/tree/v2.1.0-rc3) (2019-12-02)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.0-rc2...v2.1.0-rc3)
+
+**Bug fixes:**
+- **[cli]** fix: sub command help ([#5887](https://github.com/containous/traefik/pull/5887) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** fix: consul catalog constraints. ([#5913](https://github.com/containous/traefik/pull/5913) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Service registered with same id on Consul Catalog ([#5900](https://github.com/containous/traefik/pull/5900) by [mmatur](https://github.com/mmatur))
+- **[webui]** Web UI: Avoid polling on /api/entrypoints ([#5863](https://github.com/containous/traefik/pull/5863) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Sync toolbar table state with url query params ([#5861](https://github.com/containous/traefik/pull/5861) by [matthieuh](https://github.com/matthieuh))
+
+**Misc:**
+- **[cli]** Add custom help function to command ([#5923](https://github.com/containous/traefik/pull/5923) by [Ullaakut](https://github.com/Ullaakut))
+
+## [v2.0.6](https://github.com/containous/traefik/tree/v2.0.6) (2019-12-02)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.5...v2.0.6)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to 3.2.0 ([#5839](https://github.com/containous/traefik/pull/5839) by [kolaente](https://github.com/kolaente))
+- **[cli,healthcheck]** Uses, if it exists, the ping entry point provided in the static configuration ([#5867](https://github.com/containous/traefik/pull/5867) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[healthcheck]** Healthcheck managed for all related services ([#5860](https://github.com/containous/traefik/pull/5860) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[logs,middleware]** Do not give responsewriter or its headers to asynchronous logging goroutine ([#5840](https://github.com/containous/traefik/pull/5840) by [mpl](https://github.com/mpl))
+- **[middleware]** X-Forwarded-Proto must not skip the redirection. ([#5836](https://github.com/containous/traefik/pull/5836) by [ldez](https://github.com/ldez))
+- **[middleware]** fix: location header rewrite. ([#5835](https://github.com/containous/traefik/pull/5835) by [ldez](https://github.com/ldez))
+- **[middleware]** Remove Request Headers CORS Preflight Requirement ([#5903](https://github.com/containous/traefik/pull/5903) by [dtomcej](https://github.com/dtomcej))
+- **[rancher]** Change service name in rancher provider to make webui service details view work ([#5895](https://github.com/containous/traefik/pull/5895) by [SantoDE](https://github.com/SantoDE))
+- **[tracing]** Fix extraction for zipkin tracing ([#5920](https://github.com/containous/traefik/pull/5920) by [jcchavezs](https://github.com/jcchavezs))
+- **[webui]** Web UI: Avoid unnecessary duplicated api calls ([#5884](https://github.com/containous/traefik/pull/5884) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Avoid some router properties to overflow their container ([#5872](https://github.com/containous/traefik/pull/5872) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Fix displayed tcp service details ([#5868](https://github.com/containous/traefik/pull/5868) by [matthieuh](https://github.com/matthieuh))
+
+**Documentation:**
+- **[acme]** doc: fix wrong acme information ([#5837](https://github.com/containous/traefik/pull/5837) by [ldez](https://github.com/ldez))
+- **[docker,docker/swarm]** Add Swarm section to the Docker Provider Documentation ([#5874](https://github.com/containous/traefik/pull/5874) by [dduportal](https://github.com/dduportal))
+- **[docker]** Update router entrypoint example ([#5766](https://github.com/containous/traefik/pull/5766) by [woto](https://github.com/woto))
+- **[k8s/helm]** Mention the experimental Helm Chart in the installation section of documentation ([#5879](https://github.com/containous/traefik/pull/5879) by [dduportal](https://github.com/dduportal))
+- doc: remove double quotes on CLI flags. ([#5862](https://github.com/containous/traefik/pull/5862) by [ldez](https://github.com/ldez))
+- Fixed spelling error ([#5834](https://github.com/containous/traefik/pull/5834) by [blakebuthod](https://github.com/blakebuthod))
+- Add back the security section from v1 ([#5832](https://github.com/containous/traefik/pull/5832) by [pascalandy](https://github.com/pascalandy))
+
+## [v2.1.0-rc2](https://github.com/containous/traefik/tree/v2.0.4) (2019-11-15)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.1.0-rc2)
+
+Fixes int overflow.
+Same changelog as v2.1.0-rc1
+
+## [v2.1.0-rc1](https://github.com/containous/traefik/tree/v2.1.0-rc1) (2019-11-15)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.1.0-rc1)
+
+**Enhancements:**
+- **[consulcatalog]** Add consul catalog options: requireConsistent, stale, cache ([#5752](https://github.com/containous/traefik/pull/5752) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Add Consul Catalog provider ([#5395](https://github.com/containous/traefik/pull/5395) by [negasus](https://github.com/negasus))
+- **[k8s,k8s/crd,service]** Support for all services kinds (and sticky) in CRD ([#5711](https://github.com/containous/traefik/pull/5711) by [mpl](https://github.com/mpl))
+- **[metrics]** Added configurable prefix for statsd metrics collection ([#5336](https://github.com/containous/traefik/pull/5336) by [schulterklopfer](https://github.com/schulterklopfer))
+- **[middleware]** Conditional compression based on request Content-Type ([#5721](https://github.com/containous/traefik/pull/5721) by [ldez](https://github.com/ldez))
+- **[server]** Add internal provider ([#5815](https://github.com/containous/traefik/pull/5815) by [ldez](https://github.com/ldez))
+- **[tls]** Add support for MaxVersion in tls.Options ([#5650](https://github.com/containous/traefik/pull/5650) by [kmeekva](https://github.com/kmeekva))
+- **[tls]** Add tls option for Elliptic Curve Preferences ([#5466](https://github.com/containous/traefik/pull/5466) by [ksarink](https://github.com/ksarink))
+- **[tracing]** Update jaeger dependencies ([#5637](https://github.com/containous/traefik/pull/5637) by [mmatur](https://github.com/mmatur))
+
+**Bug fixes:**
+- **[consulcatalog]** Fix empty address for registering service without IP ([#5826](https://github.com/containous/traefik/pull/5826) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- **[consulcatalog]** fix: Consul Catalog documentation. ([#5725](https://github.com/containous/traefik/pull/5725) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Fix consul catalog documentation ([#5661](https://github.com/containous/traefik/pull/5661) by [mmatur](https://github.com/mmatur))
+
+**Misc:**
+- Merge current v2.0 branch into master  ([#5749](https://github.com/containous/traefik/pull/5749) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5619](https://github.com/containous/traefik/pull/5619) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5464](https://github.com/containous/traefik/pull/5464) by [ldez](https://github.com/ldez))
+- Merge v2.0.0 into master ([#5402](https://github.com/containous/traefik/pull/5402) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc3 into master ([#5354](https://github.com/containous/traefik/pull/5354) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc1 into master  ([#5253](https://github.com/containous/traefik/pull/5253) by [ldez](https://github.com/ldez))
+
+## [v2.0.5](https://github.com/containous/traefik/tree/v2.0.5) (2019-11-14)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.4...v2.0.5)
+
+**Bug fixes:**
+- **[metrics]** fix: metric with services LB. ([#5759](https://github.com/containous/traefik/pull/5759) by [ldez](https://github.com/ldez))
+- **[middleware]** fix: stripPrefix middleware with empty resulting path. ([#5806](https://github.com/containous/traefik/pull/5806) by [ldez](https://github.com/ldez))
+- **[middleware]** Fix rate limiting and SSE ([#5737](https://github.com/containous/traefik/pull/5737) by [sylr](https://github.com/sylr))
+- **[tracing]** Upgrades zipkin library to avoid errors when using textMap. ([#5754](https://github.com/containous/traefik/pull/5754) by [jcchavezs](https://github.com/jcchavezs))
+
+**Documentation:**
+- **[acme,cluster]** Update ACME storage docs to remove reference to KV store in CE ([#5433](https://github.com/containous/traefik/pull/5433) by [bradjones1](https://github.com/bradjones1))
+- **[api]** docs: remove field api.entryPoint ([#5776](https://github.com/containous/traefik/pull/5776) by [waitingsong](https://github.com/waitingsong))
+- **[api]** Adds missed quotes in api.md ([#5787](https://github.com/containous/traefik/pull/5787) by [woto](https://github.com/woto))
+- **[docker/swarm]** Dashboard example with swarm ([#5795](https://github.com/containous/traefik/pull/5795) by [dduportal](https://github.com/dduportal))
+- **[docker]** Fix error in link description for priority ([#5746](https://github.com/containous/traefik/pull/5746) by [ASDFGamer](https://github.com/ASDFGamer))
+- **[k8s]** Wrong endpoint on the TLS secret example ([#5817](https://github.com/containous/traefik/pull/5817) by [yacinelazaar](https://github.com/yacinelazaar))
+- **[middleware,docker]** Double dollar on docker-compose config ([#5775](https://github.com/containous/traefik/pull/5775) by [clery](https://github.com/clery))
+- Fix quickstart link in README ([#5794](https://github.com/containous/traefik/pull/5794) by [mcky](https://github.com/mcky))
+- fix typo in v1 to v2 migration guide ([#5820](https://github.com/containous/traefik/pull/5820) by [fschl](https://github.com/fschl))
+- slashes ended up in bad place. ([#5798](https://github.com/containous/traefik/pull/5798) by [icepic](https://github.com/icepic))
+
 ## [v2.0.4](https://github.com/containous/traefik/tree/v2.0.4) (2019-10-28)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.3...v2.0.4)
 

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -5,7 +5,7 @@
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
+[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](https://goreportcard.com/report/containous/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
 [![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
@@ -73,11 +73,11 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
 - [Marathon](https://docs.traefik.io/providers/marathon/)
 - [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
-- [File](https://docs.traefik.io/configuration/backends/file)
+- [File](https://docs.traefik.io/providers/file/)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.traefik.io/#the-traefik-quickstart-using-docker) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://docs.traefik.io/getting-started/quick-start/) in our documentation (you will need Docker).
 
 ## Web UI
 
@@ -89,7 +89,7 @@ You can access the simple HTML frontend of Traefik.
 
 You can find the complete documentation of Traefik v2 at [https://docs.traefik.io](https://docs.traefik.io).
 
-If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/)
+If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/).
 
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
@@ -122,7 +122,7 @@ git clone https://github.com/containous/traefik
 
 ## Introductory Videos
 
-You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us)
+You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us).
 
 ## Maintainers
 
@@ -138,16 +138,16 @@ By participating in this project, you agree to abide by its terms.
 ## Release Cycle
 
 - We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
-- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0)
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
-- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only)
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
 
-Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
 
-We use [Semantic Versioning](http://semver.org/)
+We use [Semantic Versioning](https://semver.org/).
 
-## Mailing lists
+## Mailing Lists
 
-- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news)
+- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news).
 - Security announcements: mail at security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
 
 ## Credits
@@ -156,5 +156,5 @@ Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on t
 
 Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
 
-Traefik's logo was inspired by the gopher stickers made by Takuya Ueda (https://twitter.com/tenntenn).
+Traefik's logo was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
-The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
+The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).

build.Dockerfile

@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.20.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.23.0
 
 # Download golangci-lint and misspell binary to bin folder in $GOPATH
 RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell

cmd/healthcheck/healthcheck.go

@@ -51,9 +51,14 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 		return nil, errors.New("please enable `ping` to use health check")
 	}
 
-	pingEntryPoint, ok := staticConfiguration.EntryPoints["traefik"]
+	ep := staticConfiguration.Ping.EntryPoint
+	if ep == "" {
+		ep = "traefik"
+	}
+
+	pingEntryPoint, ok := staticConfiguration.EntryPoints[ep]
 	if !ok {
-		return nil, errors.New("missing `ping` entrypoint")
+		return nil, fmt.Errorf("ping: missing %s entry point", ep)
 	}
 
 	client := &http.Client{Timeout: 5 * time.Second}

cmd/traefik/traefik.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	stdlog "log"
 	"net/http"
 	"os"
@@ -20,12 +19,17 @@ import (
 	"github.com/containous/traefik/v2/pkg/config/dynamic"
 	"github.com/containous/traefik/v2/pkg/config/static"
 	"github.com/containous/traefik/v2/pkg/log"
+	"github.com/containous/traefik/v2/pkg/metrics"
+	"github.com/containous/traefik/v2/pkg/middlewares/accesslog"
 	"github.com/containous/traefik/v2/pkg/provider/acme"
 	"github.com/containous/traefik/v2/pkg/provider/aggregator"
+	"github.com/containous/traefik/v2/pkg/provider/traefik"
 	"github.com/containous/traefik/v2/pkg/safe"
 	"github.com/containous/traefik/v2/pkg/server"
-	"github.com/containous/traefik/v2/pkg/server/router"
+	"github.com/containous/traefik/v2/pkg/server/middleware"
+	"github.com/containous/traefik/v2/pkg/server/service"
 	traefiktls "github.com/containous/traefik/v2/pkg/tls"
+	"github.com/containous/traefik/v2/pkg/types"
 	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
@@ -65,10 +69,10 @@ Complete documentation is available at https://traefik.io`,
 	err = cli.Execute(cmdTraefik)
 	if err != nil {
 		stdlog.Println(err)
-		os.Exit(1)
+		logrus.Exit(1)
 	}
 
-	os.Exit(0)
+	logrus.Exit(0)
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
@@ -77,7 +81,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
 	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set roundrobin default weight: %v", err)
+		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
 	}
 
 	staticConfiguration.SetEffectiveConfiguration()
@@ -105,43 +109,11 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	stats(staticConfiguration)
 
-	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
+	svr, err := setupServer(staticConfiguration)
-
+	if err != nil {
-	tlsManager := traefiktls.NewManager()
+		return err
-
-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
-
-	serverEntryPointsTCP := make(server.TCPEntryPoints)
-	for entryPointName, config := range staticConfiguration.EntryPoints {
-		ctx := log.With(context.Background(), log.Str(log.EntryPointName, entryPointName))
-		serverEntryPointsTCP[entryPointName], err = server.NewTCPEntryPoint(ctx, config)
-		if err != nil {
-			return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
-		}
-		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProviders)
 	}
 
-	svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)
-
-	resolverNames := map[string]struct{}{}
-
-	for _, p := range acmeProviders {
-		resolverNames[p.ResolverName] = struct{}{}
-		svr.AddListener(p.ListenConfiguration)
-	}
-
-	svr.AddListener(func(config dynamic.Configuration) {
-		for rtName, rt := range config.HTTP.Routers {
-			if rt.TLS == nil || rt.TLS.CertResolver == "" {
-				continue
-			}
-
-			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
-			}
-		}
-	})
-
 	ctx := cmd.ContextWithSignal(context.Background())
 
 	if staticConfiguration.Ping != nil {
@@ -168,7 +140,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 			for range tick {
 				resp, errHealthCheck := healthcheck.Do(*staticConfiguration)
 				if resp != nil {
-					resp.Body.Close()
+					_ = resp.Body.Close()
 				}
 
 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
@@ -184,10 +156,97 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	svr.Wait()
 	log.WithoutContext().Info("Shutting down")
-	logrus.Exit(0)
 	return nil
 }
 
+func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
+	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
+
+	// adds internal provider
+	err := providerAggregator.AddProvider(traefik.New(*staticConfiguration))
+	if err != nil {
+		return nil, err
+	}
+
+	tlsManager := traefiktls.NewManager()
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
+
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	routinesPool := safe.NewPool(ctx)
+
+	metricsRegistry := registerMetricClients(staticConfiguration.Metrics)
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
+	tcpRouterFactory := server.NewTCPRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder)
+
+	watcher := server.NewConfigurationWatcher(routinesPool, providerAggregator, time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
+
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		ctx := context.Background()
+		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
+	})
+
+	watcher.AddListener(func(_ dynamic.Configuration) {
+		metricsRegistry.ConfigReloadsCounter().Add(1)
+		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
+	})
+
+	watcher.AddListener(switchRouter(tcpRouterFactory, acmeProviders, serverEntryPointsTCP))
+
+	watcher.AddListener(func(conf dynamic.Configuration) {
+		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
+			var eps []string
+			for key := range serverEntryPointsTCP {
+				eps = append(eps, key)
+			}
+
+			metrics.OnConfigurationUpdate(conf, eps)
+		}
+	})
+
+	resolverNames := map[string]struct{}{}
+	for _, p := range acmeProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.ListenConfiguration)
+	}
+
+	watcher.AddListener(func(config dynamic.Configuration) {
+		for rtName, rt := range config.HTTP.Routers {
+			if rt.TLS == nil || rt.TLS.CertResolver == "" {
+				continue
+			}
+
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+			}
+		}
+	})
+
+	return server.NewServer(routinesPool, serverEntryPointsTCP, watcher, chainBuilder, accessLog), nil
+}
+
+func switchRouter(tcpRouterFactory *server.TCPRouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints) func(conf dynamic.Configuration) {
+	return func(conf dynamic.Configuration) {
+		routers := tcpRouterFactory.CreateTCPRouters(conf)
+		for entryPointName, rt := range routers {
+			for _, p := range acmeProviders {
+				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
+					rt.HTTPHandler(p.CreateHandler(rt.GetHTTPHandler()))
+					break
+				}
+			}
+		}
+		serverEntryPointsTCP.Switch(routers)
+	}
+}
+
 // initACMEProvider creates an acme provider from the ACME part of globalConfiguration
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
 	challengeStore := acme.NewLocalChallengeStore()
@@ -208,20 +267,78 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 			}
 
 			if err := providerAggregator.AddProvider(p); err != nil {
-				log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
+				log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
 				continue
 			}
+
 			p.SetTLSManager(tlsManager)
+
 			if p.TLSChallenge != nil {
 				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
 			}
+
 			p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
 			resolvers = append(resolvers, p)
 		}
 	}
 	return resolvers
 }
 
+func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
+	if metricsConfig == nil {
+		return metrics.NewVoidRegistry()
+	}
+
+	var registries []metrics.Registry
+
+	if metricsConfig.Prometheus != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
+		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		if prometheusRegister != nil {
+			registries = append(registries, prometheusRegister)
+			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+		}
+	}
+
+	if metricsConfig.Datadog != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
+		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
+		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
+			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+	}
+
+	if metricsConfig.StatsD != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
+		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
+		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
+			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+	}
+
+	if metricsConfig.InfluxDB != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
+		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
+		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
+			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+	}
+
+	return metrics.NewMultiRegistry(registries)
+}
+
+func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
+	if conf == nil {
+		return nil
+	}
+
+	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
+	if err != nil {
+		log.WithoutContext().Warnf("Unable to create access logger : %v", err)
+		return nil
+	}
+
+	return accessLoggerMiddleware
+}
+
 func configureLogging(staticConfiguration *static.Configuration) {
 	// configure default log flags
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
@@ -291,13 +408,13 @@ func stats(staticConfiguration *static.Configuration) {
 		logger.Info(`Stats collection is enabled.`)
 		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
 		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://docs.traefik.io/v2.0/contributing/data-collection/`)
+		logger.Info(`More details on: https://docs.traefik.io/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
 		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/v2.0/contributing/data-collection/
+More details on: https://docs.traefik.io/contributing/data-collection/
 `)
 	}
 }

docs/.markdownlint.json

@@ -7,5 +7,6 @@
     "MD026": false,
     "MD033": false,
     "MD034": false,
-    "MD036": false
+    "MD036": false,
+    "MD046": false
 }

docs/check.Dockerfile

@@ -1,9 +1,6 @@
 
-FROM alpine:3.9 as alpine
+FROM alpine:3.10 as alpine
 
-# The "build-dependencies" virtual package provides build tools for html-proofer installation.
-# It compile ruby-nokogiri, because alpine native version is always out of date
-# This virtual package is cleaned at the end.
 RUN apk --no-cache --no-progress add \
     libcurl \
     ruby \
@@ -11,21 +8,21 @@ RUN apk --no-cache --no-progress add \
     ruby-etc \
     ruby-ffi \
     ruby-json \
-  && apk add --no-cache --virtual build-dependencies \
+    ruby-nokogiri
-    build-base \
+RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libraries
-    libcurl \
-    libxml2-dev \
-    libxslt-dev \
-    ruby-dev \
-  && gem install --no-document html-proofer -v 3.10.2 \
-  && apk del build-dependencies
 
 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
     git \
     nodejs \
-    npm \
+    npm
-  && npm install markdownlint@0.12.0 markdownlint-cli@0.13.0 --global
+
+# To handle 'not get uid/gid'
+RUN npm config set unsafe-perm true
+
+RUN npm install --global \
+    markdownlint@0.17.2 \
+    markdownlint-cli@0.19.0
 
 # Finally the shell tools we need for later
 # tini helps to terminate properly all the parallelized tasks when sending CTRL-C

docs/content/contributing/building-testing.md

@@ -62,6 +62,7 @@ Requirements:
 
 - `go` v1.13+
 - environment variable `GO111MODULE=on`
+- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 
 !!! tip "Source Directory"
 
@@ -97,30 +98,32 @@ Requirements:
 #### Build Traefik
 
 Once you've set up your go environment and cloned the source repository, you can build Traefik.
-Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
+
+Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
 
 ```bash
 cd ~/go/src/github.com/containous/traefik
 
 # Get go-bindata. (Important: the ellipses are required.)
 GO111MODULE=off go get github.com/containous/go-bindata/...
+```
 
-# Let's build
+```bash
+# Generate UI static files
+rm -rf static/ autogen/; make generate-webui
 
-# generate
+# required to merge non-code components into the final binary,
-# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
+# such as the web dashboard/UI
 go generate
+```
 
+```bash
 # Standard go build
 go build ./cmd/traefik
 ```
 
 You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
 
-### Updating the templates
-
-If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
-
 ## Testing
 
 ### Method 1: `Docker` and `make`

docs/content/contributing/submitting-pull-requests.md

@@ -3,11 +3,11 @@
 A Quick Guide for Efficient Contributions
 {: .subtitle }
 
-So you've decide to improve Traefik? 
+So you've decided to improve Traefik? 
 Thank You! 
 Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
 
-Let's go though the classic pitfalls to make sure everything is right. 
+Let's go through the classic pitfalls to make sure everything is right. 
 
 ## Title
 
@@ -36,7 +36,7 @@ Help the readers focus on what matters, and help them understand the structure o
 - Add tests.
 - Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
 
-!!! note "third-party dependencies"
+!!! note "Third-Party Dependencies"
 
     If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
 

docs/content/contributing/submitting-security-issues.md

@@ -0,0 +1,16 @@
+# Security
+
+## Security Advisories
+
+We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+## CVE
+
+Reported vulnerabilities can be found on 
+[cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Report a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).

docs/content/getting-started/configuration-overview.md

@@ -74,7 +74,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:2.0 --help
+# ex: docker run traefik:2.1 --help
 ```
 
 All available arguments can also be found [here](../reference/static-configuration/cli.md).

docs/content/getting-started/install-traefik.md

@@ -3,16 +3,17 @@
 You can install Traefik with the following flavors:
 
 * [Use the official Docker image](./#use-the-official-docker-image)
+* [(Experimental) Use the Helm Chart](./#use-the-helm-chart)
 * [Use the binary distribution](./#use-the-binary-distribution)
 * [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
 
 ## Use the Official Docker Image
 
-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.1/traefik.sample.toml):
 
 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.1
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -20,9 +21,73 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.0.0`
+    ex: `traefik:v2.1.4`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
-    * All the orchestrator using docker images could fetch the official Traefik docker image.
+    * Any orchestrator using docker images can fetch the official Traefik docker image.
+
+## Use the Helm Chart
+
+!!! warning "Experimental Helm Chart"
+    
+    Please note that the Helm Chart for Traefik v2 is still experimental.
+    
+    The Traefik Stable Chart from 
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://docs.traefik.io/v1.7).
+
+Traefik can be installed in Kubernetes using the v2.0 Helm chart from <https://github.com/containous/traefik-helm-chart>.
+
+Ensure that the following requirements are met:
+
+* Kubernetes 1.14+
+* Helm version 2.x is [installed](https://v2.helm.sh/docs/using_helm/) and initialized with Tiller
+
+Retrieve the latest chart version from the repository:
+
+```bash
+# Retrieve Chart from the repository
+git clone https://github.com/containous/traefik-helm-chart
+```
+
+And install it with the `helm` command line:
+
+```bash
+helm install ./traefik-helm-chart
+```
+
+!!! tip "Helm Features"
+    
+    All [Helm features](https://v2.helm.sh/docs/using_helm/#using-helm) are supported.
+    For instance, installing the chart in a dedicated namespace:
+
+    ```bash tab="Install in a Dedicated Namespace"
+    # Install in the namespace "traefik-v2"
+    helm install --namespace=traefik-v2 \
+        ./traefik-helm-chart
+    ```
+
+??? example "Installing with Custom Values"
+    
+    You can customize the installation by specifying custom values,
+    as with [any helm chart](https://v2.helm.sh/docs/using_helm/#customizing-the-chart-before-installing).
+    {: #helm-custom-values }
+    
+    The values are not (yet) documented, but are self-explanatory:
+    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+    
+    Example of installation with logging set to `DEBUG`:
+    
+    ```bash tab="Using Helm CLI"
+    helm install --namespace=traefik-v2 \
+        --set="logs.loglevel=DEBUG" \
+        ./traefik-helm-chart
+    ```
+    
+    ```yml tab="With a custom values file"
+    # File custom-values.yml
+    ## Install with "helm install --values=./custom-values.yml ./traefik-helm-chart
+    logs:
+        loglevel: DEBUG
+    ```
 
 ## Use the Binary Distribution
 

docs/content/getting-started/quick-start.md

@@ -14,8 +14,8 @@ version: '3'
 
 services:
   reverse-proxy:
-    # The official v2.0 Traefik docker image
+    # The official v2 Traefik docker image
-    image: traefik:v2.0
+    image: traefik:v2.1
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:

docs/content/https/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+    "extends": "../../.markdownlint.json",
+    "MD041": false
+}

docs/content/https/acme.md

@@ -8,53 +8,20 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 !!! warning "Let's Encrypt and Rate Limiting"
     Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
 
-## Configuration Examples
+    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
+    when experimenting to avoid hitting this limit too fast.
+    
+## Certificate Resolvers
 
-??? example "Enabling ACME"
+Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
-    
+which are responsible for retrieving certificates from an ACME server.
-    ```toml tab="File (TOML)"
+
-    [entryPoints]
+Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
-      [entryPoints.web]
+and is associated to a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).
-        address = ":80"
+
-    
+Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).
-      [entryPoints.web-secure]
+
-        address = ":443"
+You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
-    
-    [certificatesResolvers.sample.acme]
-      email = "your-email@your-domain.org"
-      storage = "acme.json"
-      [certificatesResolvers.sample.acme.httpChallenge]
-        # used during the challenge
-        entryPoint = "web"
-    ```
-    
-    ```yaml tab="File (YAML)"
-    entryPoints:
-      web:
-        address: ":80"
-    
-      web-secure:
-        address: ":443"
-    
-    certificatesResolvers:
-      sample:
-        acme:
-          email: your-email@your-domain.org
-          storage: acme.json
-          httpChallenge:
-            # used during the challenge
-            entryPoint: web
-    ```
-    
-    ```bash tab="CLI"
-    --entryPoints.web.address=":80"
-    --entryPoints.websecure.address=":443"
-    # ...
-    --certificatesResolvers.sample.acme.email="your-email@your-domain.org"
-    --certificatesResolvers.sample.acme.storage="acme.json"
-    # used during the challenge
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
-    ```
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
@@ -75,6 +42,100 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
     --8<-- "content/https/ref-acme.txt"
     ```
 
+## Domain Definition
+
+Certificate resolvers request certificates for a set of the domain names 
+inferred from routers, with the following logic:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
+
+- If no [`tls.domains`](../routing/routers/index.md#domains) option is set, 
+  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule), 
+  by checking the `Host()` matchers. 
+  Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
+
+Please note that:
+
+- When multiple domain names are inferred from a given router,
+  only **one** certificate is requested with the first domain name as the main domain,
+  and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
+
+- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
+  any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.
+
+Please check the [configuration examples below](#configuration-examples) for more details.
+
+## Configuration Examples
+
+??? example "Enabling ACME"
+    
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+    
+      [entryPoints.websecure]
+        address = ":443"
+    
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@your-domain.org"
+      storage = "acme.json"
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        # used during the challenge
+        entryPoint = "web"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+    
+      websecure:
+        address: ":443"
+    
+    certificatesResolvers:
+      myresolver:
+        acme:
+          email: your-email@your-domain.org
+          storage: acme.json
+          httpChallenge:
+            # used during the challenge
+            entryPoint: web
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    # ...
+    --certificatesResolvers.myresolver.acme.email=your-email@your-domain.org
+    --certificatesResolvers.myresolver.acme.storage=acme.json
+    # used during the challenge
+    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
+    ```
+
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+??? example "Single Domain from Router's Rule Example"
+    
+    * A certificate for the domain `company.com` is requested:
+
+    --8<-- "content/https/include-acme-single-domain-example.md"
+
+??? example "Multiple Domains from Router's Rule Example"
+ 
+    * A certificate for the domains `company.com` (main) and `blog.company.org`
+      is requested:
+    
+    --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
+    
+??? example "Multiple Domains from Router's `tls.domain` Example"
+
+    * A certificate for the domains `company.com` (main) and `*.company.org` (SAN)
+      is requested:
+      
+    --8<-- "content/https/include-acme-multiple-domains-example.md"
+
 ## Automatic Renewals
 
 Traefik automatically tracks the expiry date of ACME certificates it generates.
@@ -84,6 +145,13 @@ If there are less than 30 days remaining before the certificate expires, Traefik
 !!! info ""
     Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
 
+## Using LetsEncrypt with Kubernetes
+
+When using LetsEncrypt with kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.
+
+!!! info ""
+    If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.
+
 ## The Different ACME Challenges
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
@@ -98,14 +166,14 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 ??? example "Configuring the `tlsChallenge`"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.tlsChallenge]
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
     ```
 
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           tlsChallenge: {}
@@ -113,7 +181,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.tlsChallenge=true
+    --certificatesResolvers.myresolver.acme.tlsChallenge=true
     ```
 
 ### `httpChallenge`
@@ -121,21 +189,21 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
 
 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesResolvers.myresolver.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
 
-??? example "Using an EntryPoint Called http for the `httpChallenge`"
+??? example "Using an EntryPoint Called web for the `httpChallenge`"
 
     ```toml tab="File (TOML)"
     [entryPoints]
       [entryPoints.web]
         address = ":80"
       
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.myresolver.acme.httpChallenge]
         entryPoint = "web"
     ```
 
@@ -144,11 +212,11 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           httpChallenge:
@@ -156,10 +224,10 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
     ```
     
     ```bash tab="CLI"
-    --entryPoints.web.address=":80"
+    --entryPoints.web.address=:80
-    --entryPoints.websecure.address=":443"
+    --entryPoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
     ```
 
 !!! info ""
@@ -172,9 +240,9 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.dnsChallenge]
+      [certificatesResolvers.myresolver.acme.dnsChallenge]
         provider = "digitalocean"
         delayBeforeCheck = 0
     # ...
@@ -182,7 +250,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           dnsChallenge:
@@ -193,8 +261,8 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+    --certificatesResolvers.myresolver.acme.dnsChallenge.provider=digitalocean
-    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+    --certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0
     # ...
     ```
 
@@ -215,13 +283,16 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
 | [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
+| [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
+| [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
 | [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]` [^5]                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
+| [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
 | [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
@@ -265,7 +336,9 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
 | [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
+| [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
 | [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
+| [Servercow](https://servercow.de)                           | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
@@ -290,16 +363,16 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 Use custom DNS servers to resolve the FQDN authority.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
   # ...
-  [certificatesResolvers.sample.acme.dnsChallenge]
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
     resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
 ```
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       dnsChallenge:
@@ -311,7 +384,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.dnsChallenge.resolvers:="1.1.1.1:53,8.8.8.8:53"
+--certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
 #### Wildcard Domains
@@ -319,12 +392,21 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
 
-## `caServer`
+## More Configuration
+
+### `caServer`
+
+_Required, Default="https://acme-v02.api.letsencrypt.org/directory"_
+
+The CA server to use:
+
+- Let's Encrypt production server: https://acme-v02.api.letsencrypt.org/directory
+- Let's Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory
 
 ??? example "Using the Let's Encrypt staging server"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
       caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
       # ...
@@ -332,7 +414,7 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
     
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           caServer: https://acme-staging-v02.api.letsencrypt.org/directory
@@ -341,16 +423,18 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+    --certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
     # ...
     ```
 
-## `storage`
+### `storage`
+
+_Required, Default="acme.json"_
 
 The `storage` option sets the location where your ACME certificates are saved to.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
   # ...
   storage = "acme.json"
   # ...
@@ -358,7 +442,7 @@ The `storage` option sets the location where your ACME certificates are saved to
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       storage: acme.json
@@ -367,17 +451,11 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesResolvers.myresolver.acme.storage=acme.json
 # ...
 ```
 
-The value can refer to some kinds of storage:
+ACME certificates are stored in a JSON file that needs to have a `600` file mode.
-
-- a JSON file
-
-### In a File
-
-ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
 
 In Docker you can mount either the JSON file, or the folder containing it:
 
@@ -390,7 +468,7 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 ```
 
 !!! warning
-    For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead.
+    For concurrency reason, this file cannot be shared across multiple instances of Traefik.
 
 ## Fallback
 

docs/content/https/include-acme-multiple-domains-example.md

@@ -0,0 +1,91 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=company.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.routers.blog.tls.domains[0].main=company.org
+    - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`company.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: myresolver
+    domains:
+    - main: company.org
+      sans:
+      - *.company.org
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.routers.blog.tls.domains[0].main": "company.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.company.com",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=company.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "Host(`company.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver" # From static configuration
+      [[http.routers.blog.tls.domains]]
+        main = "company.org"
+        sans = ["*.company.org"]
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`company.com`) && Path(`/blog`)"
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: "company.org"
+            sans:
+              - "*.company.org"
+```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: (Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certresolver: myresolver
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+      tls:
+        certResolver: myresolver
+```

docs/content/https/include-acme-single-domain-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`company.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certresolver: myresolver
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
+```toml tab="Single Domain"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+  rule = "Host(`company.com`) && Path(`/blog`)"
+  [http.routers.blog.tls]
+    certResolver = "myresolver"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`company.com`) && Path(`/blog`)"
+      tls:
+        certResolver: myresolver
+```

docs/content/https/ref-acme.toml

@@ -1,5 +1,5 @@
 # Enable ACME (Let's Encrypt): automatic SSL.
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
 
   # Email address used for registration.
   #
@@ -35,13 +35,13 @@
   #
   # Optional (but recommended)
   #
-  [certificatesResolvers.sample.acme.tlsChallenge]
+  [certificatesResolvers.myresolver.acme.tlsChallenge]
 
   # Use a HTTP-01 ACME challenge.
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.httpChallenge]
+  # [certificatesResolvers.myresolver.acme.httpChallenge]
 
     # EntryPoint to use for the HTTP-01 challenges.
     #
@@ -54,7 +54,7 @@
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.dnsChallenge]
+  # [certificatesResolvers.myresolver.acme.dnsChallenge]
 
     # DNS provider used.
     #

docs/content/https/ref-acme.txt

@@ -4,13 +4,13 @@
 #
 # Required
 #
---certificatesResolvers.sample.acme.email="test@traefik.io"
+--certificatesResolvers.myresolver.acme.email=test@traefik.io
 
 # File or key used for certificates storage.
 #
 # Required
 #
---certificatesResolvers.sample.acme.storage="acme.json"
+--certificatesResolvers.myresolver.acme.storage=acme.json
 
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
@@ -19,7 +19,7 @@
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
---certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+--certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
 
 # KeyType to use.
 #
@@ -28,38 +28,38 @@
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
---certificatesResolvers.sample.acme.keyType=RSA4096
+--certificatesResolvers.myresolver.acme.keyType=RSA4096
 
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
---certificatesResolvers.sample.acme.tlsChallenge=true
+--certificatesResolvers.myresolver.acme.tlsChallenge=true
 
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.httpChallenge=true
+--certificatesResolvers.myresolver.acme.httpChallenge=true
 
 # EntryPoint to use for the HTTP-01 challenges.
 #
 # Required
 #
---certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+--certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
 
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.dnsChallenge=true
+--certificatesResolvers.myresolver.acme.dnsChallenge=true
 
 # DNS provider used.
 #
 # Required
 #
---certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+--certificatesResolvers.myresolver.acme.dnsChallenge.provider=digitalocean
 
 # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
 # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
@@ -68,14 +68,14 @@
 # Optional
 # Default: 0
 #
---certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+--certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0
 
 # Use following DNS servers to resolve the FQDN authority.
 #
 # Optional
 # Default: empty
 #
---certificatesResolvers.sample.acme.dnsChallenge.resolvers="1.1.1.1:53,8.8.8.8:53"
+--certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 
 # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
 #
@@ -85,4 +85,4 @@
 # Optional
 # Default: false
 #
---certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
+--certificatesResolvers.myresolver.acme.dnsChallenge.disablePropagationCheck=true

docs/content/https/ref-acme.yaml

@@ -1,5 +1,5 @@
 certificatesResolvers:
-  sample:
+  myresolver:
     # Enable ACME (Let's Encrypt): automatic SSL.
     acme:
 

docs/content/https/tls.md

@@ -40,7 +40,7 @@ tls:
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
-    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../routing/providers/kubernetes-crd.md#tls). 
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
 
 ## Certificates Stores
 
@@ -181,6 +181,57 @@ spec:
   minVersion: VersionTLS13
 ```
 
+### Maximum TLS Version
+
+We discourages the use of this setting to disable TLS1.3.
+
+The right approach is to update the clients to support TLS1.3.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    maxVersion = "VersionTLS13"
+
+  [tls.options.maxtls12]
+    maxVersion = "VersionTLS12"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      maxVersion: VersionTLS13
+
+    maxtls12:
+      maxVersion: VersionTLS12
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS13
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: maxtls12
+  namespace: default
+
+spec:
+  maxVersion: VersionTLS12
+```
+
 ### Cipher Suites
 
 See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
@@ -223,6 +274,46 @@ spec:
     With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
     <https://golang.org/doc/go1.12#tls_1_3>
 
+### Curve Preferences
+
+This option allows to set the preferred elliptic curves in a specific order.
+
+The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.
+
+See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    curvePreferences = ["CurveP521", "CurveP384"]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  curvePreferences:
+    - CurveP521
+    - CurveP384
+```
+
 ### Strict SNI Checking
 
 With strict SNI checking, Traefik won't allow connections from clients connections

docs/content/index.md

@@ -20,4 +20,9 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 !!! info
 
-    If you're a business running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 
+    Join our user friendly and active [Community Forum](https://community.containo.us) to discuss, learn, and connect with the traefik community.
+    
+    If you're a business running critical services behind Traefik,
+    know that [Containous](https://containo.us), the company that sponsors Traefik's development,
+    can provide [commercial support](https://info.containo.us/commercial-services)
+    and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.

docs/content/middlewares/addprefix.md

@@ -26,6 +26,11 @@ spec:
     prefix: /foo
 ```
 
+```yaml tab="Consul Catalog"
+# Prefixing with /foo
+- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
@@ -58,4 +63,5 @@ http:
 
 ### `prefix`
 
-`prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).
+`prefix` is the string to add before the current path in the requested URL.
+It should include the leading slash (`/`).

docs/content/middlewares/basicauth.md

@@ -30,6 +30,10 @@ spec:
     secret: secretName
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
@@ -86,7 +90,7 @@ The `users` option is an array of authorized users. Each user will be declared u
 # Declaring the user list
 #
 # Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
+# To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -103,6 +107,10 @@ spec:
     secret: authsecret
 
 ---
+# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
+# To create an encoded user:password pair, the following command can be used:
+# htpasswd -nb user password | openssl base64
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -115,6 +123,11 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+# Declaring the user list
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
@@ -186,6 +199,10 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
@@ -237,6 +254,10 @@ spec:
     realm: MyRealm
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
@@ -282,6 +303,10 @@ spec:
     headerField: X-WebAuth-User
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
@@ -322,6 +347,10 @@ spec:
     removeHeader: true
 ```
 
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"

docs/content/middlewares/buffering.md

@@ -30,6 +30,11 @@ spec:
     maxRequestBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+# Sets the maximum request body to 2Mb
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
@@ -81,6 +86,10 @@ spec:
     maxRequestBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
@@ -125,6 +134,10 @@ spec:
     memRequestBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
@@ -171,6 +184,10 @@ spec:
     maxResponseBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
@@ -215,6 +232,10 @@ spec:
     memResponseBodyBytes: 2000000
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
@@ -261,6 +282,10 @@ You can have the Buffering middleware replay the request with the help of the `r
         retryExpression: "IsNetworkError() && Attempts() < 2"
     ```
     
+    ```yaml tab="Consul Catalog"
+    - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+        
     ```json tab="Marathon"
     "labels": {
       "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"

docs/content/middlewares/chain.md

@@ -83,6 +83,17 @@ spec:
     - 127.0.0.1/32
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.routers.router1.service=service1"
+- "traefik.http.routers.router1.middlewares=secured"
+- "traefik.http.routers.router1.rule=Host(`mydomain`)"
+- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "http.services.service1.loadbalancer.server.port=80"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.routers.router1.service": "service1",

docs/content/middlewares/circuitbreaker.md

@@ -45,6 +45,11 @@ spec:
     expression: LatencyAtQuantileMS(50.0) > 100
 ```
 
+```yaml tab="Consul Catalog"
+# Latency Check
+- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"

docs/content/middlewares/compress.md

@@ -25,6 +25,11 @@ spec:
   compress: {}
 ```
 
+```yaml tab="Consul Catalog"
+# Enable gzip compression
+- "traefik.http.middlewares.test-compress.compress=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-compress.compress": "true"
@@ -58,3 +63,59 @@ http:
     * The response body is larger than `1400` bytes.
     * The `Accept-Encoding` request header contains `gzip`.
     * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
+
+## Configuration Options
+
+### `excludedContentTypes`
+
+`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests to before compressing.
+
+The requests with content types defined in `excludedContentTypes` are not compressed.
+
+Content types are compared in a case-insensitive, whitespace-ignored manner.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    excludedContentTypes:
+      - text/event-stream
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.excludedcontenttypes": "text/event-stream"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    excludedContentTypes = ["text/event-stream"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+```

docs/content/middlewares/contenttype.md

@@ -0,0 +1,83 @@
+
+# ContentType
+
+Handling ContentType auto-detection
+{: .subtitle }
+
+The Content-Type middleware - or rather its unique `autoDetect` option -
+specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.
+
+As a proxy, the default behavior should be to leave the header alone,
+regardless of what the backend did with it.
+However, the historic default was to always auto-detect and set the header if it was nil,
+and it is going to be kept that way in order to support users currently relying on it.
+This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+
+!!! info
+
+    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
+    is still to automatically set the `Content-Type` header.
+    Therefore, given the default value of the `autoDetect` option (false),
+    simply enabling this middleware for a router switches the router's behavior.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```yaml tab="Kubernetes"
+# Disable auto-detection
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: autodetect
+spec:
+  contentType:
+    autoDetect: false
+```
+
+```yaml tab="Consul Catalog"
+# Disable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+}
+```
+
+```yaml tab="Rancher"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```toml tab="File (TOML)"
+# Disable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+     autoDetect=false
+```
+
+```yaml tab="File (YAML)"
+# Disable auto-detection
+http:
+  middlewares:
+    autodetect:
+      contentType:
+        autoDetect: false
+```
+
+## Configuration Options
+
+### `autoDetect`
+
+`autoDetect` specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.

docs/content/middlewares/digestauth.md

@@ -26,6 +26,11 @@ spec:
     secret: userssecret
 ```
 
+```yaml tab="Consul Catalog"
+# Declaring the user list
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -100,6 +105,10 @@ data:
     dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -168,6 +177,10 @@ data:
     aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
@@ -219,6 +232,10 @@ spec:
     realm: MyRealm
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
@@ -264,9 +281,8 @@ spec:
     headerField: X-WebAuth-User
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Consul Catalog"
-labels:
+- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
-  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
 
 ```json tab="Marathon"
@@ -275,6 +291,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares.my-auth.digestAuth]
   # ...
@@ -309,6 +330,10 @@ spec:
     removeHeader: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"

docs/content/middlewares/errorpages.md

@@ -35,6 +35,13 @@ spec:
       port: 80
 ```
 
+```yaml tab="Consul Catalog"
+# Dynamic Custom Error Page for 5XX Status Code
+- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
+- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
+- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-errorpage.errors.status": "500-599",

docs/content/middlewares/forwardauth.md

@@ -28,6 +28,11 @@ spec:
     address: https://authserver.com/auth
 ```
 
+```yaml tab="Consul Catalog"
+# Forward authentication to authserver.com
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
@@ -77,6 +82,10 @@ spec:
     address: https://authserver.com/auth 
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
@@ -122,6 +131,10 @@ spec:
     trustForwardHeader: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
@@ -171,6 +184,10 @@ spec:
       - X-Secret
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
@@ -235,6 +252,10 @@ data:
   ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
@@ -290,6 +311,10 @@ spec:
       caOptional: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
@@ -352,6 +377,11 @@ data:
   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
@@ -421,6 +451,11 @@ data:
   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
@@ -478,6 +513,10 @@ spec:
       insecureSkipVerify: true
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"

docs/content/middlewares/headers.md

@@ -32,6 +32,11 @@ spec:
       X-Custom-Response-Header: "value"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
@@ -91,6 +96,10 @@ spec:
       X-Custom-Response-Header: "" # Removes
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
@@ -146,6 +155,11 @@ spec:
     sslRedirect: "true"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.framedeny=true"
+- "traefik.http.middlewares.testheader.headers.sslredirect=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.framedeny": "true",
@@ -204,6 +218,13 @@ spec:
     addVaryHeader: "true"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",

docs/content/middlewares/inflightreq.md

@@ -24,6 +24,11 @@ spec:
     amount: 10
 ```
 
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
@@ -74,6 +79,11 @@ spec:
     amount: 10
 ```
 
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
@@ -146,9 +156,8 @@ spec:
         depth: 2
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Consul Catalog"
-labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```
 
 ```json tab="Marathon"
@@ -157,6 +166,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]
@@ -209,6 +223,10 @@ spec:
         - 192.168.1.7
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
@@ -259,9 +277,8 @@ spec:
       requestHeaderName: username
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Consul Catalog"
-labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
 ```json tab="Marathon"
@@ -270,6 +287,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]
@@ -306,9 +328,8 @@ spec:
       requestHost: true
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Cosul Catalog"
-labels:
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
 ```json tab="Marathon"
@@ -317,6 +338,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-inflightreq.inflightreq]

docs/content/middlewares/ipwhitelist.md

@@ -27,6 +27,11 @@ spec:
       - 192.168.1.7
 ```
 
+```yaml tab="Consul Catalog"
+# Accepts request from defined IP
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
@@ -61,7 +66,7 @@ http:
 
 ### `sourceRange`
 
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 
 ### `ipStrategy`
 
@@ -95,11 +100,10 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
           depth: 2
     ```
     
-    ```yaml tab="Rancher"
+    ```yaml tab="Consul Catalog"
     # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    labels:
+    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
     ```
     
     ```json tab="Marathon"
@@ -109,6 +113,13 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     }
     ```
     
+    ```yaml tab="Rancher"
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
+    labels:
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+    ```
+    
     ```toml tab="File (TOML)"
     # Whitelisting Based on `X-Forwarded-For` with `depth=2`
     [http.middlewares]
@@ -168,10 +179,9 @@ spec:
         - 192.168.1.7
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
-labels:
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
@@ -180,6 +190,12 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+# Exclude from `X-Forwarded-For`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]

docs/content/middlewares/overview.md

@@ -5,9 +5,9 @@ Tweaking the Request
 
 ![Overview](../assets/img/middleware/overview.png)
 
-Attached to the routers, pieces of middleware are a mean of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
+Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
 
-There are many different available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
+There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
 
 Pieces of middleware can be combined in chains to fit every scenario.
 
@@ -63,6 +63,13 @@ spec:
       - name: stripprefix
 ```
 
+```yaml tab="Consul Catalog"
+# Create a middleware named `foo-add-prefix`
+- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+# Apply the middleware named `foo-add-prefix` to the router named `router1`
+- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
@@ -123,7 +130,7 @@ http:
 
 ## Provider Namespace
 
-When you declare a middleware, it lives in its provider namespace.
+When you declare a middleware, it lives in its provider's namespace.
 For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
 
 If you use multiple providers and wish to reference a middleware declared in another provider
@@ -136,11 +143,11 @@ then you'll have to append to the middleware name, the `@` separator, followed b
 
 !!! important "Kubernetes Namespace"
 
-	As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
+    As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
-with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
+    with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
-In this case, since the definition of the middleware is not in kubernetes,
+    In this case, since the definition of the middleware is not in kubernetes,
-specifying a "kubernetes namespace" when referring to the resource does not make any sense,
+    specifying a "kubernetes namespace" when referring to the resource does not make any sense,
-and therefore this specification would be ignored even if present.
+    and therefore this specification would be ignored even if present.
 
 !!! abstract "Referencing a Middleware from Another Provider"
 

docs/content/middlewares/passtlsclientcert.md

@@ -29,6 +29,11 @@ spec:
     pem: true
 ```
 
+```yaml tab="Consul Catalog"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
+- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
@@ -111,26 +116,25 @@ http:
             domainComponent: true
     ```
     
-    ```yaml tab="Rancher"
+    ```yaml tab="Consul Catalog"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    labels:
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
         
     ```json tab="Marathon"
@@ -154,6 +158,28 @@ http:
       "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
     }
     ```
+    
+    ```yaml tab="Rancher"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    labels:
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```
 
     ```toml tab="File (TOML)"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
@@ -380,7 +406,7 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
 !!! info "Extracted data"
     
     The delimiters and `\n` will be removed.  
-    If there are more than one certificate, they are separated by a "`;`".
+    If there are more than one certificate, they are separated by a "`,`".
 
 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
 
@@ -395,12 +421,12 @@ The value of the header will be an escaped concatenation of all the selected cer
 The following example shows an unescaped result that uses all the available fields: 
 
 ```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "Multiple certificates"
 
-    If there are more than one certificate, they are separated by a `;`.
+    If there are more than one certificate, they are separated by a `,`.
 
 #### `info.notAfter`
 
@@ -416,7 +442,7 @@ The data are taken from the following certificate part:
 The escape `notAfter` info part will be like:
 
 ```text
-NA=1607166616
+NA="1607166616"
 ```
 
 #### `info.notBefore`
@@ -433,7 +459,7 @@ Validity
 The escape `notBefore` info part will be like:
 
 ```text
-NB=1544094616
+NB="1544094616"
 ```
 
 #### `info.sans`
@@ -450,7 +476,7 @@ The data are taken from the following certificate part:
 The escape SANs info part will be like:
 
 ```text
-SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "multiple values"

docs/content/middlewares/ratelimit.md

@@ -28,6 +28,13 @@ spec:
       burst: 50
 ```
 
+```yaml tab="Consul Catalog"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
@@ -85,6 +92,10 @@ spec:
       average: 100
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
@@ -130,6 +141,10 @@ spec:
       burst: 100
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
@@ -138,8 +153,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
-  		
 ```
 
 ```toml tab="File (TOML)"
@@ -204,9 +218,8 @@ spec:
         - 192.168.1.7
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Consul Catalog"
-labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
@@ -215,6 +228,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
@@ -268,9 +286,8 @@ spec:
       requestHeaderName: username
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Consul Catalog"
-labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
 
 ```json tab="Marathon"
@@ -279,6 +296,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
@@ -315,9 +337,8 @@ spec:
       requestHost: true
 ```
 
-```yaml tab="Rancher"
+```yaml tab="Consul Catalog"
-labels:
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
 
 ```json tab="Marathon"
@@ -326,6 +347,11 @@ labels:
 }
 ```
 
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]

docs/content/middlewares/redirectregex.md

@@ -31,6 +31,13 @@ spec:
     replacement: http://mydomain/${1}
 ```
 
+```yaml tab="Consul Catalog"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",

docs/content/middlewares/redirectscheme.md

@@ -15,6 +15,7 @@ RedirectScheme redirect request from a scheme to another.
 # Redirect to https
 labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```
 
 ```yaml tab="Kubernetes"
@@ -26,6 +27,137 @@ metadata:
 spec:
   redirectScheme:
     scheme: https
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+```
+
+## Configuration Options
+
+### `permanent`
+
+Set the `permanent` option to `true` to apply a permanent redirection.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        permanent: true
+```
+
+### `scheme`
+
+The `scheme` option defines the scheme of the new url.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    scheme: https
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
 ```json tab="Marathon"
@@ -56,16 +188,64 @@ http:
         scheme: https
 ```
 
-## Configuration Options
-
-### `permanent`
-
-Set the `permanent` option to `true` to apply a permanent redirection.
-
-### `scheme`
-
-The `scheme` option defines the scheme of the new url.
-
 ### `port`
 
 The `port` option defines the port of the new url.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    port: 443
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    port = 443
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        port: 443
+```

docs/content/middlewares/replacepath.md

@@ -28,6 +28,11 @@ spec:
     path: /foo
 ```
 
+```yaml tab="Consul Catalog"
+# Replace the path by /foo
+- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"

docs/content/middlewares/replacepathregex.md

@@ -15,7 +15,7 @@ The ReplaceRegex replace a path from an url to another with regex matching and r
 # Replace path with regex
 labels:
   - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$$1"
 ```
 
 ```yaml tab="Kubernetes"
@@ -30,6 +30,12 @@ spec:
     replacement: /bar/$1
 ```
 
+```yaml tab="Consul Catalog"
+# Replace path with regex
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",

docs/content/middlewares/retry.md

@@ -29,6 +29,11 @@ spec:
     attempts: 4
 ```
 
+```yaml tab="Consul Catalog"
+# Retry to send request 4 times
+- "traefik.http.middlewares.test-retry.retry.attempts=4"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-retry.retry.attempts": "4"

docs/content/middlewares/stripprefix.md

@@ -30,6 +30,11 @@ spec:
       - /fiibar
 ```
 
+```yaml tab="Consul Catalog"
+# Strip prefix /foobar and /fiibar
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
@@ -85,3 +90,85 @@ If your backend is serving assets (e.g., images or Javascript files), chances ar
 Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
 
 The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
+
+### `forceSlash`
+
+_Optional, Default=true_
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceslash=false"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: example
+spec:
+  stripPrefix:
+    prefixes:
+      - "/foobar"
+    forceSlash: false
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
+  "traefik.http.middlewares.example.stripprefix.forceslash": "false"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.example.stripPrefix]
+    prefixes = ["/foobar"]
+    forceSlash = false
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    example:
+      stripPrefix:
+        prefixes:
+          - "/foobar"
+        forceSlash: false
+```
+
+The `forceSlash` option makes sure that the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
+
+This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
+
+It's recommended to explicitly set `forceSlash` to `false`.
+
+??? info "Behavior examples"
+    
+    - `forceSlash=true`
+    
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | `/`    |
+    | `/foo`     | `/foo`          | `/`    |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | `/`    |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+    
+    - `forceSlash=false`
+    
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | empty  |
+    | `/foo`     | `/foo`          | empty  |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | empty  |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |

docs/content/middlewares/stripprefixregex.md

@@ -23,6 +23,10 @@ spec:
       - "/foo/[a-z0-9]+/[0-9]+/"
 ```
 
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+```
+
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "/foo/[a-z0-9]+/[0-9]+/"

docs/content/migration/v1-to-v2.md

@@ -104,7 +104,7 @@ Then any router can refer to an instance of the wanted middleware.
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # https://docs.traefik.io/v2.1/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
@@ -184,23 +184,23 @@ Then any router can refer to an instance of the wanted middleware.
               - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
     ```
 
-## TLS Configuration Is Now Dynamic, per Router.
+## TLS Configuration is Now Dynamic, per Router.
 
 TLS parameters used to be specified in the static configuration, as an entryPoint field.
 With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations.
 Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one of the [TLS configurations](../https/tls.md) defined at the root, hence defining the [TLS configuration](../https/tls.md) for that router.
 
-!!! example "TLS on web-secure entryPoint becomes TLS option on Router-1"
+!!! example "TLS on websecure entryPoint becomes TLS option on Router-1"
 
     !!! info "v1"
     
     ```toml tab="File (TOML)"
     # static configuration
     [entryPoints]
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-        [entryPoints.web-secure.tls]
+        [entryPoints.websecure.tls]
           minVersion = "VersionTLS12"
           cipherSuites = [
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
@@ -209,14 +209,14 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-           ]
+          ]
-          [[entryPoints.web-secure.tls.certificates]]
+          [[entryPoints.websecure.tls.certificates]]
             certFile = "path/to/my.cert"
             keyFile = "path/to/my.key"
     ```
 
     ```bash tab="CLI"
-    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
+    --entryPoints='Name:websecure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
     ```
 
     !!! info "v2"
@@ -236,19 +236,16 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       keyFile = "/path/to/domain.key"
     
     [tls.options]
-      [tls.options.default]
-        minVersion = "VersionTLS12"
-    
       [tls.options.myTLSOptions]
-        minVersion = "VersionTLS13"
+        minVersion = "VersionTLS12"
         cipherSuites = [
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            ]
+        ]
     ```
 
     ```yaml tab="File (YAML)"
@@ -267,7 +264,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
           keyFile: /path/to/domain.key
       options:
         myTLSOptions:
-          minVersion: VersionTLS13
+          minVersion: VersionTLS12
           cipherSuites:
 	        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 	        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
@@ -278,7 +275,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # https://docs.traefik.io/v2.1/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: TLSOption
     metadata:
@@ -286,7 +283,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       namespace: default
     
     spec:
-      minVersion: VersionTLS13
+      minVersion: VersionTLS12
       cipherSuites:
 	    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 	    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
@@ -322,50 +319,216 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       - "traefik.http.routers.router0.tls.options=myTLSOptions@file"
     ```
 
-## HTTP to HTTPS Redirection Is Now Configured on Routers
+## HTTP to HTTPS Redirection is Now Configured on Routers
 
 Previously on Traefik v1, the redirection was applied on an entry point or on a frontend.
 With Traefik v2 it is applied on a [Router](../routing/routers/index.md). 
 
 To apply a redirection, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
 
-!!! example "HTTP to HTTPS redirection"
+!!! example "Global HTTP to HTTPS redirection"
 
     !!! info "v1"
     
     ```toml tab="File (TOML)"
     # static configuration
-    defaultEntryPoints = ["http", "https"]
+    defaultEntryPoints = ["web", "websecure"]
     
     [entryPoints]
-      [entryPoints.http]
+      [entryPoints.web]
         address = ":80"
-        [entryPoints.http.redirect]
+        [entryPoints.web.redirect]
-          entryPoint = "https"
+          entryPoint = "websecure"
 
-      [entryPoints.https]
+      [entryPoints.websecure]
         address = ":443"
-        [entryPoints.https.tls]
+        [entryPoints.websecure.tls]
-          [[entryPoints.https.tls.certificates]]
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
+    --entryPoints='Name:websecure Address::443 TLS'
+    ```
+
+    !!! info "v2"
+    
+    ```yaml tab="Docker"
+    # ...
+      traefik:
+        image: traefik:v2.1
+        command:
+          - --entrypoints.web.address=:80
+          - --entrypoints.websecure.address=:443
+          - --providers.docker=true
+        ports:
+          - 80:80
+          - 443:443
+        labels:
+          traefik.http.routers.http_catchall.rule: HostRegexp(`{any:.+}`)
+          traefik.http.routers.http_catchall.entrypoints: web
+          traefik.http.routers.http_catchall.middlewares: https_redirect
+          traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
+          traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+    ```
+    
+    ```yaml tab="K8s IngressRoute"
+    # The entry points web (port 80) and websecure (port 443) must be defined the static configuration.
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: http_catchall
+      namespace: traefik
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - match: HostRegexp(`{any:.+}`)
+          kind: Rule
+          services:
+            # any service in the namespace
+            # the service will be never called
+            - name: noop
+              port: 80
+          middlewares:
+            - name: https_redirect
+              # if the Middleware has distinct namespace
+              namespace: traefik
+    
+    ---
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware 
+    metadata:
+      name: https_redirect
+      namespace: traefik
+    spec:
+      redirectScheme:
+        scheme: https
+        permanent: true
+    ```
+    
+    ```toml tab="File (TOML)"
+    # traefik.toml
+    ## static configuration
+    
+    [entryPoints]
+      [entryPoints.web]
+        address = 80
+      [entryPoints.websecure]
+        address = 443
+    
+    [providers.file]
+      directory = "/dynamic/"
+    
+    ##--------------------##
+    
+    # /dynamic/redirect.toml
+    ## dynamic configuration
+    
+    [http.routers]
+      [http.routers.http_catchall]
+        entryPoints = ["web"]
+        middlewares = ["https_redirect"]
+        rule = "HostRegexp(`{any:.+}`)"
+        service = "noop"
+    
+    [http.services]
+      # noop service, the URL will be never called
+      [http.services.noop.loadBalancer]
+        [[http.services.noop.loadBalancer.servers]]
+          url = "http://192.168.0.1:1337"
+    
+    [http.middlewares]
+      [http.middlewares.https_redirect.redirectScheme]
+        scheme = "https"
+        permanent = true
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # traefik.yaml
+    ## static configuration
+    
+    entryPoints:
+      web:
+        address: 80
+      websecure:
+        address: 443
+    
+    providers:
+      file:
+        directory: /dynamic/
+    
+    ##--------------------##
+    
+    # /dynamic/redirect.yml
+    ## dynamic configuration
+    
+    http:
+      routers:
+        http_catchall:
+          entryPoints:
+            - web
+          middlewares:
+            - https_redirect
+          rule: "HostRegexp(`{any:.+}`)"
+          service: noop
+    
+      services:
+        # noop service, the URL will be never called
+        noop:
+          loadBalancer:
+            servers:
+              - url: http://192.168.0.1:1337
+    
+      middlewares:
+        https_redirect:
+          redirectScheme:
+            scheme: https
+            permanent: true
+    ```
+
+!!! example "HTTP to HTTPS redirection per domain"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    defaultEntryPoints = ["web", "websecure"]
+    
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+        [entryPoints.web.redirect]
+          entryPoint = "websecure"
+
+      [entryPoints.websecure]
+        address = ":443"
+        [entryPoints.websecure.tls]
+          [[entryPoints.websecure.tls.certificates]]
             certFile = "examples/traefik.crt"
             keyFile = "examples/traefik.key"
     ```
 
     ```bash tab="CLI"
-    --entrypoints=Name:web Address::80 Redirect.EntryPoint:web-secure
+    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
-    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key'
+    --entryPoints='Name:websecure Address::443 TLS:path/to/my.cert,path/to/my.key'
     ```
 
     !!! info "v2"
 
     ```yaml tab="Docker"
     labels:
-    - traefik.http.routers.web.rule=Host(`foo.com`)
+      traefik.http.routers.app.rule: Host(`foo.com`)
-    - traefik.http.routers.web.entrypoints=web
+      traefik.http.routers.app.entrypoints: web
-    - traefik.http.routers.web.middlewares=redirect@file
+      traefik.http.routers.app.middlewares: https_redirect
-    - traefik.http.routers.web-secured.rule=Host(`foo.com`)
+    
-    - traefik.http.routers.web-secured.entrypoints=web-secure
+      traefik.http.routers.appsecured.rule: Host(`foo.com`)
-    - traefik.http.routers.web-secured.tls=true
+      traefik.http.routers.appsecured.entrypoints: websecure
+      traefik.http.routers.appsecured.tls: true
+    
+      traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
+      traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
     ```
 
     ```yaml tab="K8s IngressRoute"
@@ -384,7 +547,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
             - name: whoami
               port: 80
           middlewares:
-            - name: redirect
+            - name: https_redirect
     
     ---
     apiVersion: traefik.containo.us/v1alpha1
@@ -394,7 +557,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     
     spec:
       entryPoints:
-        - web-secure
+        - websecure
       routes:
         - match: Host(`foo`)
           kind: Rule
@@ -407,11 +570,11 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
-      name: redirect
+      name: https_redirect
     spec:
       redirectScheme:
         scheme: https
-      
+        permanent: true
     ```
 
     ```toml tab="File (TOML)"
@@ -421,7 +584,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     [entryPoints.web]
       address = ":80"
     
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
     
     ##---------------------##
@@ -434,12 +597,12 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
         rule = "Host(`foo.com`)"
         service = "my-service"
         entrypoints = ["web"]
-        middlewares = ["redirect"]
+        middlewares = ["https_redirect"]
     
     [http.routers.router1]
         rule = "Host(`foo.com`)"
         service = "my-service"
-        entrypoints = ["web-secure"]
+        entrypoints = ["websecure"]
         [http.routers.router1.tls]
         
     [http.services]
@@ -449,8 +612,9 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
         url = "http://10.10.10.2:80"
     
     [http.middlewares]
-      [http.middlewares.redirect.redirectScheme]
+      [http.middlewares.https_redirect.redirectScheme]
         scheme = "https"
+        permanent = true
     
     [[tls.certificates]]
       certFile = "/path/to/domain.cert"
@@ -465,7 +629,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     ##---------------------##
@@ -480,13 +644,13 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
           entryPoints:
             - web
           middlewares:
-            - redirect
+            - https_redirect
           service: my-service
     
         router1:
           rule: "Host(`foo.com`)"
           entryPoints:
-            - web-secure
+            - websecure
           service: my-service
           tls: {}
     
@@ -498,9 +662,10 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
               - url: http://10.10.10.2:80
     
       middlewares:
-        redirect:
+        https_redirect:
           redirectScheme:
             scheme: https
+            permanent: true
     
     tls:
       certificates:
@@ -512,14 +677,14 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
 
 With the new core notions of v2 (introduced earlier in the section
 ["Frontends and Backends Are Dead... Long Live Routers, Middlewares, and Services"](#frontends-and-backends-are-dead-long-live-routers-middlewares-and-services)),
-transforming the URL path prefix of incoming requests is configured with [middlewares](../../middlewares/overview/),
+transforming the URL path prefix of incoming requests is configured with [middlewares](../middlewares/overview.md),
-after the routing step with [router rule `PathPrefix`](https://docs.traefik.io/v2.0/routing/routers/#rule).
+after the routing step with [router rule `PathPrefix`](../routing/routers/index.md#rule).
 
 Use Case: Incoming requests to `http://company.org/admin` are forwarded to the webapplication "admin",
 with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, you must:
 
 * First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
-* Then, define a middlware of type [`stripprefix`](../../middlewares/stripprefix/), which remove the prefix `/admin`, associated to the router `admin`.
+* Then, define a middleware of type [`stripprefix`](../middlewares/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
 
 !!! example "Strip Path Prefix When Forwarding to Backend"
 
@@ -560,8 +725,8 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     ```yaml tab="Docker"
     labels:
       - "traefik.http.routers.admin.rule=Host(`company.org`) && PathPrefix(`/admin`)"
+      - "traefik.http.routers.admin.middlewares=admin-stripprefix"
       - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
-      - "traefik.http.routers.web.middlewares=admin-stripprefix@docker"
     ```
 
     ```yaml tab="Kubernetes IngressRoute"
@@ -650,32 +815,32 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     
     ```toml tab="File (TOML)"
     # static configuration
-    defaultEntryPoints = ["web-secure","web"]
+    defaultEntryPoints = ["websecure","web"]
     
     [entryPoints.web]
     address = ":80"
       [entryPoints.web.redirect]
       entryPoint = "webs"
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
-      [entryPoints.https.tls]
+      [entryPoints.websecure.tls]
     
     [acme]
       email = "your-email-here@my-awesome-app.org"
       storage = "acme.json"
-      entryPoint = "web-secure"
+      entryPoint = "websecure"
       onHostRule = true
       [acme.httpChallenge]
         entryPoint = "web"
     ```
 
     ```bash tab="CLI"
-    --defaultentrypoints=web-secure,web
+    --defaultentrypoints=websecure,web
-    --entryPoints=Name:web Address::80 Redirect.EntryPoint:web-secure
+    --entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure
-    --entryPoints=Name:web-secure Address::443 TLS
+    --entryPoints=Name:websecure Address::443 TLS
     --acme.email=your-email-here@my-awesome-app.org
     --acme.storage=acme.json
-    --acme.entryPoint=web-secure
+    --acme.entryPoint=websecure
     --acme.onHostRule=true
     --acme.httpchallenge.entrypoint=http
     ```
@@ -688,13 +853,13 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       email = "your-email@your-domain.org"
       storage = "acme.json"
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.myresolver.acme.httpChallenge]
         # used during the challenge
         entryPoint = "web"
     ```
@@ -704,11 +869,11 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           email: your-email@your-domain.org
           storage: acme.json
@@ -718,11 +883,11 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     ```
 
     ```bash tab="CLI"
-    --entryPoints.web.address=":80"
+    --entryPoints.web.address=:80
-    --entryPoints.websecure.address=":443"
+    --entryPoints.websecure.address=:443
-    --certificatesResolvers.sample.acme.email: your-email@your-domain.org
+    --certificatesResolvers.myresolver.acme.email=your-email@your-domain.org
-    --certificatesResolvers.sample.acme.storage: acme.json
+    --certificatesResolvers.myresolver.acme.storage=acme.json
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint: web
+    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
     ```
 
 ## Traefik Logs
@@ -744,9 +909,9 @@ There is no more log configuration at the root level.
     ```
 
     ```bash tab="CLI"
-    --logLevel="DEBUG"
+    --logLevel=DEBUG
-    --traefikLog.filePath="/path/to/traefik.log"
+    --traefikLog.filePath=/path/to/traefik.log
-    --traefikLog.format="json"
+    --traefikLog.format=json
     ```
 
     !!! info "v2"
@@ -768,9 +933,9 @@ There is no more log configuration at the root level.
     ```
 
     ```bash tab="CLI"
-    --log.level="DEBUG"
+    --log.level=DEBUG
-    --log.filePath="/path/to/traefik.log"
+    --log.filePath=/path/to/traefik.log
-    --log.format="json"
+    --log.format=json
     ```
 
 ## Tracing
@@ -794,12 +959,12 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
     ```
 
     ```bash tab="CLI"
-    --tracing.backend="jaeger"
+    --tracing.backend=jaeger
-    --tracing.servicename="tracing"
+    --tracing.servicename=tracing
-    --tracing.jaeger.localagenthostport="12.0.0.1:6831"
+    --tracing.jaeger.localagenthostport=12.0.0.1:6831
-    --tracing.jaeger.samplingparam="1.0"
+    --tracing.jaeger.samplingparam=1.0
-    --tracing.jaeger.samplingserverurl="http://12.0.0.1:5778/sampling"
+    --tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling
-    --tracing.jaeger.samplingtype="const"
+    --tracing.jaeger.samplingtype=const
     ```
 
     !!! info "v2"
@@ -827,11 +992,11 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
     ```
 
     ```bash tab="CLI"
-    --tracing.servicename="tracing"
+    --tracing.servicename=tracing
-    --tracing.jaeger.localagenthostport="12.0.0.1:6831"
+    --tracing.jaeger.localagenthostport=12.0.0.1:6831
-    --tracing.jaeger.samplingparam="1.0"
+    --tracing.jaeger.samplingparam=1.0
-    --tracing.jaeger.samplingserverurl="http://12.0.0.1:5778/sampling"
+    --tracing.jaeger.samplingserverurl=http://12.0.0.1:5778/sampling
-    --tracing.jaeger.samplingtype="const"
+    --tracing.jaeger.samplingtype=const
     ```
 
 ## Metrics
@@ -852,7 +1017,7 @@ For a basic configuration, the [metrics configuration](../observability/metrics/
 
     ```bash tab="CLI"
     --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
-    --metrics.prometheus.entrypoint="traefik"
+    --metrics.prometheus.entrypoint=traefik
     ```
 
     !!! info "v2"
@@ -878,7 +1043,7 @@ For a basic configuration, the [metrics configuration](../observability/metrics/
 
     ```bash tab="CLI"
     --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
-    --metrics.prometheus.entrypoint="metrics"
+    --metrics.prometheus.entrypoint=metrics
     ```
 
 ## No More Root Level Key/Values
@@ -901,21 +1066,21 @@ Each root item has been moved to a related section or removed.
     providersThrottleDuration = "2s"
     AllowMinWeightZero = true
     debug = true
-    defaultEntryPoints = ["web", "web-secure"]
+    defaultEntryPoints = ["web", "websecure"]
     keepTrailingSlash = false
     ```
 
     ```bash tab="CLI"
     --checknewversion=false
     --sendanonymoususage=true
-    --loglevel="DEBUG"
+    --loglevel=DEBUG
     --insecureskipverify=true
-    --rootcas="/mycert.cert"
+    --rootcas=/mycert.cert
     --maxidleconnsperhost=200
-    --providersthrottleduration="2s"
+    --providersthrottleduration=2s
     --allowminweightzero=true
     --debug=true
-    --defaultentrypoints="web","web-secure"
+    --defaultentrypoints=web,websecure
     --keeptrailingslash=true
     ```
 
@@ -961,9 +1126,9 @@ Each root item has been moved to a related section or removed.
     ```bash tab="CLI"
     --global.checknewversion=true
     --global.sendanonymoususage=true
-    --log.level="DEBUG"
+    --log.level=DEBUG
     --serverstransport.insecureskipverify=true
-    --serverstransport.rootcas="/mycert.cert"
+    --serverstransport.rootcas=/mycert.cert
     --serverstransport.maxidleconnsperhost=42
     --providers.providersthrottleduration=42
     ```
@@ -974,7 +1139,7 @@ You need to activate the API to access the [dashboard](../operations/dashboard.m
 As the dashboard access is now secured by default you can either:
 
 * define a  [specific router](../operations/api.md#configuration) with the `api@internal` service and one authentication middleware like the following example
-* or use the [unsecure](../operations/api.md#insecure) option of the API
+* or use the [insecure](../operations/api.md#insecure) option of the API
 
 !!! info "Dashboard with k8s and dedicated router"
 
@@ -988,21 +1153,21 @@ As the dashboard access is now secured by default you can either:
     ## static configuration
     # traefik.toml
     
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
-      [entryPoints.web-secure.tls]
+      [entryPoints.websecure.tls]
-      [entryPoints.web-secure.auth]
+      [entryPoints.websecure.auth]
-        [entryPoints.web-secure.auth.basic]
+        [entryPoints.websecure.auth.basic]
           users = [
             "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
           ]
     
     [api]
-      entryPoint = "web-secure"
+      entryPoint = "websecure"
     ```
 
     ```bash tab="CLI"
-    --entryPoints='Name:web-secure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
+    --entryPoints='Name:websecure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
     --api
     ```
 
@@ -1012,7 +1177,7 @@ As the dashboard access is now secured by default you can either:
     # dynamic configuration
     labels:
       - "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
-      - "traefik.http.routers.api.entrypoints=web-secured"
+      - "traefik.http.routers.api.entrypoints=websecured"
       - "traefik.http.routers.api.service=api@internal"
       - "traefik.http.routers.api.middlewares=myAuth"
       - "traefik.http.routers.api.tls"
@@ -1023,22 +1188,22 @@ As the dashboard access is now secured by default you can either:
     ## static configuration
     # traefik.toml
     
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
     
     [api]
     
     [providers.file]
-        filename = "/dynamic-conf.toml"
+      directory = "/path/to/dynamic/config"
     
     ##---------------------##
     
     ## dynamic configuration
-    # dynamic-conf.toml
+    # /path/to/dynamic/config/dynamic-conf.toml
     
     [http.routers.api]
       rule = "Host(`traefik.docker.localhost`)"
-      entrypoints = ["web-secure"]
+      entrypoints = ["websecure"]
       service = "api@internal"
       middlewares = ["myAuth"]
       [http.routers.api.tls]
@@ -1054,26 +1219,26 @@ As the dashboard access is now secured by default you can either:
     # traefik.yaml
     
     entryPoints:
-      web-secure:
+      websecure:
         address: ':443'
         
     api: {}
     
     providers:
       file:
-        filename: /dynamic-conf.yaml
+        directory: /path/to/dynamic/config
    
     ##---------------------##
     
     ## dynamic configuration
-    # dynamic-conf.yaml
+    # /path/to/dynamic/config/dynamic-conf.yaml
     
      http:
       routers:
         api:
           rule: Host(`traefik.docker.localhost`)
           entrypoints:
-            - web-secure
+            - websecure
           service: api@internal
           middlewares:
             - myAuth
@@ -1093,7 +1258,7 @@ Supported [providers](../providers/overview.md), for now:
 * [ ] Azure Service Fabric
 * [ ] BoltDB
 * [ ] Consul
-* [ ] Consul Catalog
+* [x] Consul Catalog
 * [x] Docker
 * [ ] DynamoDB
 * [ ] ECS

docs/content/migration/v2.md

@@ -0,0 +1,102 @@
+# Migration: Steps needed between the versions
+
+## v2.0 to v2.1
+
+### Kubernetes CRD
+
+In v2.1, a new Kubernetes CRD called `TraefikService` was added.
+While updating an installation to v2.1,
+one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
+
+To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TraefikService"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutetcps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - traefikservices
+    verbs:
+      - get
+      - list
+      - watch
+```
+
+After having both resources applied, Traefik will work properly.

docs/content/observability/access-logs.md

@@ -35,7 +35,7 @@ If the given format is unsupported, the default (CLF) is used instead.
 !!! info "Common Log Format"
     
     ```html
-    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
 
 ### `bufferingSize`
@@ -61,7 +61,7 @@ accessLog:
 ```bash tab="CLI"
 # Configuring a buffer of 100 lines
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
+--accesslog.filepath=/path/to/access.log
 --accesslog.bufferingsize=100
 ```
 
@@ -104,11 +104,11 @@ accessLog:
 ```bash tab="CLI"
 # Configuring Multiple Filters
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
+--accesslog.filepath=/path/to/access.log
---accesslog.format="json"
+--accesslog.format=json
---accesslog.filters.statuscodes="200, 300-302"
+--accesslog.filters.statuscodes=200,300-302
 --accesslog.filters.retryattempts
---accesslog.filters.minduration="10ms"
+--accesslog.filters.minduration=10ms
 ```
 
 ### Limiting the Fields
@@ -164,14 +164,14 @@ accessLog:
 ```bash tab="CLI"
 # Limiting the Logs to Specific Fields
 --accesslog=true
---accesslog.filepath="/path/to/access.log"
+--accesslog.filepath=/path/to/access.log
---accesslog.format="json"
+--accesslog.format=json
---accesslog.fields.defaultmode="keep"
+--accesslog.fields.defaultmode=keep
---accesslog.fields.names.ClientUsername="drop"
+--accesslog.fields.names.ClientUsername=drop
---accesslog.fields.headers.defaultmode="keep"
+--accesslog.fields.headers.defaultmode=keep
---accesslog.fields.headers.names.User-Agent="redact"
+--accesslog.fields.headers.names.User-Agent=redact
---accesslog.fields.headers.names.Authorization="drop"
+--accesslog.fields.headers.names.Authorization=drop
---accesslog.fields.headers.names.Content-Type="keep"
+--accesslog.fields.headers.names.Content-Type=keep
 ```
 
 ??? info "Available Fields"
@@ -195,6 +195,7 @@ accessLog:
     | `RequestMethod`         | The HTTP method.                                                                                                                                                    |
     | `RequestPath`           | The HTTP request URI, not including the scheme, host or port.                                                                                                       |
     | `RequestProtocol`       | The version of HTTP requested.                                                                                                                                      |
+    | `RequestScheme`         | The HTTP scheme requested `http` or `https`.                                                                                                                        |
     | `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
     | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
     | `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |

docs/content/observability/logs.md

@@ -30,7 +30,7 @@ log:
 
 ```bash tab="CLI"
 # Writing Logs to a File
---log.filePath="/path/to/traefik.log"
+--log.filePath=/path/to/traefik.log
 ```
 
 #### `format`
@@ -53,8 +53,8 @@ log:
 
 ```bash tab="CLI"
 # Writing Logs to a File, in JSON
---log.filePath="/path/to/traefik.log"
+--log.filePath=/path/to/traefik.log
---log.format="json"
+--log.format=json
 ```
 
 #### `level`
@@ -72,7 +72,7 @@ log:
 ```
 
 ```bash tab="CLI"
---log.level="DEBUG"
+--log.level=DEBUG
 ```
 
 ## Log Rotation

docs/content/observability/metrics/datadog.md

@@ -35,7 +35,7 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.datadog.address="127.0.0.1:8125"
+--metrics.datadog.address=127.0.0.1:8125
 ```
 
 #### `addEntryPointsLabels`

docs/content/observability/metrics/influxdb.md

@@ -35,7 +35,7 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.address="localhost:8089"
+--metrics.influxdb.address=localhost:8089
 ```
 
 #### `protocol`
@@ -57,7 +57,7 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.protocol="udp"
+--metrics.influxdb.protocol=udp
 ```
 
 #### `database`
@@ -69,17 +69,17 @@ InfluxDB database used when protocol is http.
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.influxDB]
-    database = ""
+    database = "db"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
-    database: ""
+    database: "db"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.database=""
+--metrics.influxdb.database=db
 ```
 
 #### `retentionPolicy`
@@ -91,17 +91,17 @@ InfluxDB retention policy used when protocol is http.
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.influxDB]
-    retentionPolicy = ""
+    retentionPolicy = "two_hours"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
-    retentionPolicy: ""
+    retentionPolicy: "two_hours"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.retentionPolicy=""
+--metrics.influxdb.retentionPolicy=two_hours
 ```
 
 #### `username`
@@ -113,17 +113,17 @@ InfluxDB username (only with http).
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.influxDB]
-    username = ""
+    username = "john"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
-    username: ""
+    username: "john"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.username=""
+--metrics.influxdb.username=john
 ```
 
 #### `password`
@@ -135,17 +135,17 @@ InfluxDB password (only with http).
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.influxDB]
-    password = ""
+    password = "secret"
 ```
 
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
-    password: ""
+    password: "secret"
 ```
 
 ```bash tab="CLI"
---metrics.influxdb.password=""
+--metrics.influxdb.password=secret
 ```
 
 #### `addEntryPointsLabels`

docs/content/observability/metrics/prometheus.md

@@ -113,6 +113,28 @@ metrics:
 ```
 
 ```bash tab="CLI"
---entryPoints.metrics.address=":8082"
+--entryPoints.metrics.address=:8082
---metrics.prometheus.entryPoint="metrics"
+--metrics.prometheus.entryPoint=metrics
+```
+
+#### `manualRouting`
+
+_Optional, Default=false_
+
+If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `prometheus@internal` service.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    manualRouting = true
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    manualRouting: true
+```
+
+```bash tab="CLI"
+--metrics.prometheus.manualrouting=true
 ```

docs/content/observability/metrics/statsd.md

@@ -35,7 +35,7 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.statsd.address="localhost:8125"
+--metrics.statsd.address=localhost:8125
 ```
 
 #### `addEntryPointsLabels`
@@ -103,3 +103,25 @@ metrics:
 ```bash tab="CLI"
 --metrics.statsd.pushInterval=10s
 ```
+
+#### `prefix`
+
+_Optional, Default="traefik"_
+
+The prefix to use for metrics collection.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    prefix = "traefik"
+```
+
+```yaml tab="File (YAML)"
+metrics:
+  statsD:
+    prefix: traefik
+```
+
+```bash tab="CLI"
+--metrics.statsd.prefix="traefik"
+```

docs/content/observability/tracing/datadog.md

@@ -35,7 +35,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.datadog.localAgentHostPort="127.0.0.1:8126"
+--tracing.datadog.localAgentHostPort=127.0.0.1:8126
 ```
 
 #### `debug`
@@ -79,7 +79,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.datadog.globalTag="sample"
+--tracing.datadog.globalTag=sample
 ```
 
 #### `prioritySampling`

docs/content/observability/tracing/haystack.md

@@ -35,29 +35,29 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.haystack.localAgentHost="127.0.0.1"
+--tracing.haystack.localAgentHost=127.0.0.1
 ```
 
 #### `localAgentPort`
 
-_Require, Default=42699_
+_Require, Default=35000_
 
 Local Agent port instructs reporter to send spans to the haystack-agent at this port.
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    localAgentPort = 42699
+    localAgentPort = 35000
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    localAgentPort: 42699
+    localAgentPort: 35000
 ```
 
 ```bash tab="CLI"
---tracing.haystack.localAgentPort=42699
+--tracing.haystack.localAgentPort=35000
 ```
 
 #### `globalTag`
@@ -79,7 +79,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.haystack.globalTag="sample:test"
+--tracing.haystack.globalTag=sample:test
 ```
 
 #### `traceIDHeaderName`
@@ -91,61 +91,61 @@ Specifies the header name that will be used to store the trace ID.
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    traceIDHeaderName = "sample"
+    traceIDHeaderName = "Trace-ID"
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    traceIDHeaderName: sample
+    traceIDHeaderName: Trace-ID
 ```
 
 ```bash tab="CLI"
---tracing.haystack.traceIDHeaderName="sample"
+--tracing.haystack.traceIDHeaderName=Trace-ID
 ```
 
 #### `parentIDHeaderName`
 
 _Optional, Default=empty_
 
+Specifies the header name that will be used to store the parent ID.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    parentIDHeaderName = "Parent-Message-ID"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    parentIDHeaderName: Parent-Message-ID
+```
+
+```bash tab="CLI"
+--tracing.haystack.parentIDHeaderName=Parent-Message-ID
+```
+
+#### `spanIDHeaderName`
+
+_Optional, Default=empty_
+
 Specifies the header name that will be used to store the span ID.
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    parentIDHeaderName = "sample"
+    spanIDHeaderName = "Message-ID"
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    parentIDHeaderName: "sample"
+    spanIDHeaderName: Message-ID
 ```
 
 ```bash tab="CLI"
---tracing.haystack.parentIDHeaderName="sample"
+--tracing.haystack.spanIDHeaderName=Message-ID
-```
-
-#### `spanIDHeaderName`
-
-_Optional, Default=empty_
-
-Apply shared tag in a form of Key:Value to all the traces.
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    spanIDHeaderName = "sample:test"
-```
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    spanIDHeaderName: "sample:test"
-```
-
-```bash tab="CLI"
---tracing.haystack.spanIDHeaderName=sample:test
 ```
 
 #### `baggagePrefixHeaderName`
@@ -168,5 +168,5 @@ tracing:
 
 
 ```bash tab="CLI"
---tracing.haystack.baggagePrefixHeaderName="sample"
+--tracing.haystack.baggagePrefixHeaderName=sample
 ```

docs/content/observability/tracing/instana.md

@@ -35,7 +35,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.instana.localAgentHost="127.0.0.1"
+--tracing.instana.localAgentHost=127.0.0.1
 ```
 
 #### `localAgentPort`
@@ -86,5 +86,5 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.instana.logLevel="info"
+--tracing.instana.logLevel=info
 ```

docs/content/observability/tracing/jaeger.md

@@ -39,7 +39,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.samplingServerURL="http://localhost:5778/sampling"
+--tracing.jaeger.samplingServerURL=http://localhost:5778/sampling
 ```
 
 #### `samplingType`
@@ -61,7 +61,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.samplingType="const"
+--tracing.jaeger.samplingType=const
 ```
 
 #### `samplingParam`
@@ -89,7 +89,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.samplingParam="1.0"
+--tracing.jaeger.samplingParam=1.0
 ```
 
 #### `localAgentHostPort`
@@ -111,7 +111,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.localAgentHostPort="127.0.0.1:6831"
+--tracing.jaeger.localAgentHostPort=127.0.0.1:6831
 ```
 
 #### `gen128Bit`
@@ -159,7 +159,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.propagation="jaeger"
+--tracing.jaeger.propagation=jaeger
 ```
 
 #### `traceContextHeaderName`
@@ -182,7 +182,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.traceContextHeaderName="uber-trace-id"
+--tracing.jaeger.traceContextHeaderName=uber-trace-id
 ```
 
 ### `collector`
@@ -206,7 +206,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.collector.endpoint="http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
+--tracing.jaeger.collector.endpoint=http://127.0.0.1:14268/api/traces?format=jaeger.thrift
 ```
 
 #### `user`
@@ -229,7 +229,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.collector.user="my-user"
+--tracing.jaeger.collector.user=my-user
 ```
 
 #### `password`
@@ -252,5 +252,5 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.jaeger.collector.password="my-password"
+--tracing.jaeger.collector.password=my-password
 ```

docs/content/observability/tracing/overview.md

@@ -52,7 +52,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.serviceName="traefik"
+--tracing.serviceName=traefik
 ```
 
 #### `spanNameLimit`

docs/content/observability/tracing/zipkin.md

@@ -35,7 +35,7 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.zipkin.httpEndpoint="http://localhost:9411/api/v2/spans"
+--tracing.zipkin.httpEndpoint=http://localhost:9411/api/v2/spans
 ```
 
 #### `sameSpan`
@@ -101,5 +101,5 @@ tracing:
 ```
 
 ```bash tab="CLI"
---tracing.zipkin.sampleRate="0.2"
+--tracing.zipkin.sampleRate=0.2
 ```

docs/content/operations/.markdownlint.json

@@ -1,4 +1,5 @@
 {
     "extends": "../../.markdownlint.json",
+    "MD041": false,
     "MD046": false
 }

docs/content/operations/api.md

@@ -43,63 +43,7 @@ api: {}
 And then define a routing configuration on Traefik itself with the
 [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration):
 
-```yaml tab="Docker"
+--8<-- "content/operations/include-api-examples.md"
-# Dynamic Configuration
-labels:
-  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)
-  - "traefik.http.routers.api.service=api@internal"
-  - "traefik.http.routers.api.middlewares=auth"
-  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.routers.api.rule": "Host(`traefik.domain.com`)",
-  "traefik.http.routers.api.service": "api@internal",
-  "traefik.http.routers.api.middlewares": "auth",
-  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Configuration
-labels:
-  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)
-  - "traefik.http.routers.api.service=api@internal"
-  - "traefik.http.routers.api.middlewares=auth"
-  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
-
-```toml tab="File (TOML)"
-# Dynamic Configuration
-[http.routers.my-api]
-    rule="Host(`traefik.domain.com`)
-    service="api@internal"
-    middlewares=["auth"]
-
-[http.middlewares.auth.basicAuth]
-    users = [
-      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-    ]
-```
-
-```yaml tab="File (YAML)"
-# Dynamic Configuration
-http:
-  routers:
-    api:
-      rule: Host(`traefik.domain.com`)
-      service: api@internal
-      middlewares:
-        - auth
-  middlewares:
-    auth:
-      basicAuth:
-        users:
-          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
 
 ??? warning "The router's [rule](../../routing/routers#rule) must catch requests for the URI path `/api`"
     Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.

docs/content/operations/dashboard.md

@@ -60,8 +60,8 @@ api:
 --api.dashboard=true
 ```
 
-Then define a routing configuration on Traefik itself, 
+Then define a routing configuration on Traefik itself,
-with a router attached to the service `api@internal` in the 
+with a router attached to the service `api@internal` in the
 [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration),
 to allow defining:
 
@@ -73,64 +73,7 @@ to allow defining:
   through Traefik itself (sometimes referred as "Traefik-ception").
 
 ??? example "Dashboard Dynamic Configuration Examples"
-
+    --8<-- "content/operations/include-api-examples.md"
-    ```yaml tab="Docker"
-    # Dynamic Configuration
-    labels:
-      - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)
-      - "traefik.http.routers.api.service=api@internal"
-      - "traefik.http.routers.api.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-    ```
-
-    ```json tab="Marathon"
-    "labels": {
-      "traefik.http.routers.api.rule": "Host(`traefik.domain.com`)",
-      "traefik.http.routers.api.service": "api@internal",
-      "traefik.http.routers.api.middlewares": "auth",
-      "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-    }
-    ```
-
-    ```yaml tab="Rancher"
-    # Dynamic Configuration
-    labels:
-      - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)
-      - "traefik.http.routers.api.service=api@internal"
-      - "traefik.http.routers.api.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-    ```
-
-    ```toml tab="File (TOML)"
-    # Dynamic Configuration
-    [http.routers.my-api]
-        rule="Host(`traefik.domain.com`)
-        service="api@internal"
-        middlewares=["auth"]
-
-    [http.middlewares.auth.basicAuth]
-        users = [
-          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-        ]
-    ```
-
-    ```yaml tab="File (YAML)"
-    # Dynamic Configuration
-    http:
-      routers:
-        api:
-          rule: Host(`traefik.domain.com`)
-          service: api@internal
-          middlewares:
-            - auth
-      middlewares:
-        auth:
-          basicAuth:
-            users:
-              - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-              - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-    ```
 
 ### Dashboard Router Rule
 
@@ -142,19 +85,17 @@ We recommend to use a "Host Based rule" as ```Host(`traefik.domain.com`)``` to m
 or to make sure that the defined rule captures both prefixes:
 
 ```bash tab="Host Rule"
-# Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
+# The dashboard can be accessed on http://traefik.domain.com/dashboard/
 rule = "Host(`traefik.domain.com`)"
 ```
 
 ```bash tab="Path Prefix Rule"
-# Matches http://traefik.domain.com/api , http://domain.com/api or http://traefik.domain.com/dashboard
+# The dashboard can be accessed on http://domain.com/dashboard/ or http://traefik.domain.com/dashboard/
-# but does not match http://traefik.domain.com/hello
 rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 ```
 
 ```bash tab="Combination of Rules"
-# Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
+# The dashboard can be accessed on http://traefik.domain.com/dashboard/
-# but does not match http://traefik.domain.com/hello
 rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```
 

docs/content/operations/include-api-examples.md

@@ -0,0 +1,101 @@
+```yaml tab="Docker"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Docker (Swarm)"
+# Dynamic Configuration
+deploy:
+  labels:
+    - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+    - "traefik.http.routers.api.service=api@internal"
+    - "traefik.http.routers.api.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+    # Dummy service for Swarm port detection. The port can be any valid integer value.
+    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
+```
+
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.domain.com`)
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
+```yaml tab="Consul Catalog"
+# Dynamic Configuration
+- "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+- "traefik.http.routers.api.service=api@internal"
+- "traefik.http.routers.api.middlewares=auth"
+- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.api.rule": "Host(`traefik.domain.com`)",
+  "traefik.http.routers.api.service": "api@internal",
+  "traefik.http.routers.api.middlewares": "auth",
+  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.domain.com`)"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic Configuration
+http:
+  routers:
+    api:
+      rule: Host(`traefik.domain.com`)
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```

docs/content/operations/ping.md

@@ -55,6 +55,26 @@ ping:
 ```
 
 ```bash tab="CLI"
---entryPoints.ping.address=":8082"
+--entryPoints.ping.address=:8082
---ping.entryPoint="ping"
+--ping.entryPoint=ping
+```
+
+### `manualRouting`
+
+_Optional, Default=false_
+
+If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `ping@internal` service.
+
+```toml tab="File (TOML)"
+[ping]
+  manualRouting = true
+```
+
+```yaml tab="File (YAML)"
+ping:
+  manualRouting: true
+```
+
+```bash tab="CLI"
+--ping.manualrouting=true
 ```

docs/content/providers/consul-catalog.md

@@ -0,0 +1,603 @@
+# Traefik & Consul Catalog
+
+A Story of Tags, Services & Instances
+{: .subtitle }
+
+![Consul Catalog](../assets/img/providers/consul.png)
+
+Attach tags to your services and let Traefik do the rest!
+
+## Configuration Examples
+
+??? example "Configuring Consul Catalog & Deploying / Exposing Services"
+
+    Enabling the consul catalog provider
+
+    ```toml tab="File (TOML)"
+    [providers.consulCatalog]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      consulCatalog: {}
+    ```
+    
+    ```bash tab="CLI"
+    --providers.consulcatalog=true
+    ```
+
+    Attaching tags to services
+
+    ```yaml
+    - traefik.http.services.my-service.rule=Host(`mydomain.com`)
+    ```
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/consul-catalog.md).
+
+## Provider Configuration
+
+### `refreshInterval`
+
+_Optional, Default=15s_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  refreshInterval = "30s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    refreshInterval: 30s
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.refreshInterval=30s
+# ...
+```
+
+Defines the polling interval.
+
+### `prefix`
+
+_required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  prefix = "test"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    prefix: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.prefix=test
+# ...
+```
+
+The prefix for Consul Catalog tags defining traefik labels.
+
+### `requireConsistent`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  requireConsistent = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    requireConsistent: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.requireConsistent=true
+# ...
+```
+
+Forces the read to be fully consistent.
+
+### `stale`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  stale = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    stale: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.stale=true
+# ...
+```
+
+Use stale consistency for catalog reads.
+
+### `cache`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  cache = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    cache: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.cache=true
+# ...
+```
+
+Use local agent caching for catalog reads.
+
+### `endpoint`
+
+Defines the Consul server endpoint.
+
+#### `address`
+
+_Optional, Default="http://127.0.0.1:8500"_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    address = "http://127.0.0.1:8500"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      address: http://127.0.0.1:8500
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.address=http://127.0.0.1:8500
+# ...
+```
+
+Defines the address of the Consul server.
+
+#### `scheme`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    scheme = "https"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      scheme: https
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.scheme=https
+# ...
+```
+
+Defines the URI scheme for the Consul server.
+
+#### `datacenter`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    datacenter = "test"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      datacenter: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.datacenter=test
+# ...
+```
+
+Defines the Data center to use.
+If not provided, the default agent data center is used.
+
+#### `token`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    token = "test"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      token: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.token=test
+# ...
+```
+
+Token is used to provide a per-request ACL token which overrides the agent's default token.
+
+#### `endpointWaitTime`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    endpointWaitTime = "15s"
+    # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      endpointWaitTime: 15s
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.endpointwaittime=15s
+# ...
+```
+
+WaitTime limits how long a Watch will block.
+If not provided, the agent default values will be used
+
+#### `httpAuth`
+
+_Optional_
+
+Used to authenticate http client with HTTP Basic Authentication.
+
+##### `username`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.httpAuth]
+  username = "test"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      httpAuth:
+        username: test
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.httpauth.username=test
+```
+
+Username to use for HTTP Basic Authentication
+
+##### `password`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.httpAuth]
+  password = "test"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      httpAuth:
+        password: test
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.httpauth.password=test
+```
+
+Password to use for HTTP Basic Authentication
+
+#### `tls`
+
+_Optional_
+
+Defines TLS options for Consul server endpoint.
+
+##### `ca`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt
+```
+
+`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
+
+##### `caOptional`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        caOptional: true
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.caoptional=true
+```
+
+Policy followed for the secured connection with TLS Client Authentication to Consul.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+##### `cert`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
+--providers.consulcatalog.endpoint.tls.key=path/to/foo.key
+```
+
+`cert` is the path to the public certificate for Consul communication.
+If this is set then you need to also set `key.
+
+##### `key`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
+--providers.consulcatalog.endpoint.tls.key=path/to/foo.key
+```
+
+`key` is the path to the private key for Consul communication.
+If this is set then you need to also set `cert`.
+
+##### `insecureSkipVerify`
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    endpoint:
+      tls:
+        insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.endpoint.tls.insecureskipverify=true
+```
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Consul server accepts any certificate presented by the server and any host name in that certificate.
+
+### `exposedByDefault`
+
+_Optional, Default=true_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.exposedByDefault=false
+# ...
+```
+
+Expose Consul Catalog services by default in Traefik.
+If set to false, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
+
+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+### `defaultRule`
+
+_Optional, Default=```Host(`{{ normalize .Name }}`)```_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+# ...
+```
+
+The default host rule for all services.
+
+For a given service if no routing rule was defined by a tag, it is defined by this defaultRule instead.
+It must be a valid [Go template](https://golang.org/pkg/text/template/),
+augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
+The service name can be accessed as the `Name` identifier,
+and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
+
+The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
+
+### `constraints`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  constraints = "Tag(`a.tag.name`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    constraints: "Tag(`a.tag.name`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.constraints="Tag(`a.tag.name`)"
+# ...
+```
+
+Constraints is an expression that Traefik matches against the service's tags to determine whether to create any route for that service.
+That is to say, if none of the service's tags match the expression, no route for that service is created.
+If the expression is empty, all detected services are included.
+
+The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
+as well as the usual boolean logic, as shown in examples below.
+
+??? example "Constraints Expression Examples"
+
+    ```toml
+    # Includes only services having the tag `a.tag.name=foo`
+    constraints = "Tag(`a.tag.name=foo`)"
+    ```
+    
+    ```toml
+    # Excludes services having any tag `a.tag.name=foo`
+    constraints = "!Tag(`a.tag.name=foo`)"
+    ```
+    
+    ```toml
+    # With logical AND.
+    constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
+    ```
+    
+    ```toml
+    # With logical OR.
+    constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
+    ```
+    
+    ```toml
+    # With logical AND and OR, with precedence set by parentheses.
+    constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
+    ```
+    
+    ```toml
+    # Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
+    constraints = "TagRegex(`a\.tag\.t.+`)"
+    ```
+
+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

docs/content/providers/docker.md

@@ -7,6 +7,9 @@ A Story of Labels & Containers
 
 Attach labels to your containers and let Traefik do the rest!
 
+Traefik works with both [Docker (standalone) Engine](https://docs.docker.com/engine/)
+and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
+
 !!! tip "The Quick Start Uses Docker"
     If you haven't already, maybe you'd like to go through the [quick start](../getting-started/quick-start.md) that uses the docker provider!
 
@@ -64,7 +67,7 @@ Attach labels to your containers and let Traefik do the rest!
     ```
     
     ```bash tab="CLI"
-    --providers.docker.endpoint="tcp://127.0.0.1:2375"
+    --providers.docker.endpoint=tcp://127.0.0.1:2375
     --providers.docker.swarmMode=true
     ```
 
@@ -80,15 +83,136 @@ Attach labels to your containers and let Traefik do the rest!
             - traefik.http.services.my-container-service.loadbalancer.server.port=8080
     ```
 
-    !!! important "Labels in Docker Swarm Mode"
-        While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
-        
-        Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service.
-        This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
-
 ## Routing Configuration
 
-See the dedicated section in [routing](../routing/providers/docker.md).
+When using Docker as a [provider](https://docs.traefik.io/providers/overview/),
+Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
+
+See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
+
+### Routing Configuration with Labels
+
+By default, Traefik watches for [container level labels](https://docs.docker.com/config/labels-custom-metadata/) on a standalone Docker Engine.
+
+When using Docker Compose, labels are specified by the directive
+[`labels`](https://docs.docker.com/compose/compose-file/#labels) from the
+["services" objects](https://docs.docker.com/compose/compose-file/#service-configuration-reference).
+
+!!! tip "Not Only Docker"
+    Please note that any tool like Nomad, Terraform, Ansible, etc.
+    that is able to define a Docker container with labels can work
+    with Traefik & the Docker provider.
+
+### Port Detection
+
+Traefik retrieves the private IP and port of containers from the Docker API.
+
+Ports detection works as follows:
+
+- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) only one port,
+  then Traefik uses this port for private communication.
+- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
+  or does not expose any port, then you must manually specify which port Traefik should use for communication 
+  by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
+  (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#port)).
+
+### Docker API Access
+
+Traefik requires access to the docker socket to get its dynamic configuration.
+
+You can specify which Docker API Endpoint to use with the directive [`endpoint`](#endpoint).
+
+!!! warning "Security Note"
+
+    Accessing the Docker API without any restriction is a security concern:
+    If Traefik is attacked, then the attacker might get access to the underlying host.
+    {: #security-note }
+    
+    As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
+
+    !!! quote
+        [...] only **trusted** users should be allowed to control your Docker daemon [...]
+
+    ??? success "Solutions"
+
+        Expose the Docker socket over TCP, instead of the default Unix socket file.
+        It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
+
+        - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
+        - Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
+        - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
+        - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
+        - Accounting at container level, by exposing the socket on a another container than Traefik's.
+          With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
+        - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
+
+    ??? info "More Resources and Examples"
+        - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
+        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.containo.us/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
+        - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
+        - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
+        - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
+        - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
+        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
+        - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
+        - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
+        - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
+
+## Docker Swarm Mode
+
+To enable Docker Swarm (instead of standalone Docker) as a configuration provider,
+set the [`swarmMode`](#swarmmode) directive to `true`.
+
+### Routing Configuration with Labels
+
+While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
+
+Therefore, if you use a compose file with Swarm Mode, labels should be defined in the
+[`deploy`](https://docs.docker.com/compose/compose-file/#labels-1) part of your service.
+
+This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file)).
+
+### Port Detection
+
+Docker Swarm does not provide any [port detection](#port-detection) information to Traefik.
+
+Therefore you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
+(Check the reference for this label in the [routing section for Docker](../routing/providers/docker.md#port)).
+
+### Docker API Access
+
+Docker Swarm Mode follows the same rules as Docker [API Access](#docker-api-access).
+
+As the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes), you should schedule Traefik on the Swarm manager nodes by default,
+by deploying Traefik with a [constraint](https://success.docker.com/article/using-contraints-and-labels-to-control-the-placement-of-containers) on the node's "role":
+
+```shell tab="With Docker CLI"
+docker service create \
+  --constraint=node.role==manager \
+  #... \
+```
+
+```yml tab="With Docker Compose"
+version: '3'
+
+services:
+  traefik:
+    # ...
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+```
+
+!!! tip "Scheduling Traefik on Worker Nodes"
+    
+    Following the guidelines given in the previous section ["Docker API Access"](#docker-api-access),
+    if you expose the Docker API through TCP, then Traefik can be scheduled on any node if the TCP
+    socket is reachable.
+    
+    Please consider the security implications by reading the [Security Note](#security-note).
+    
+    A good example can be found on [Bret Fisher's repository](https://github.com/BretFisher/dogvscat/blob/master/stack-proxy-global.yml#L124).
 
 ## Provider Configuration
 
@@ -108,51 +232,10 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.docker.endpoint="unix:///var/run/docker.sock"
+--providers.docker.endpoint=unix:///var/run/docker.sock
 ```
 
-Traefik requires access to the docker socket to get its dynamic configuration.
+See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API Access](#docker-api-access_1) for more information.
-
-??? warning "Security Notes"
-
-    Depending on your context, accessing the Docker API without any restriction can be a security concern: If Traefik is attacked, then the attacker might get access to the Docker (or Swarm Mode) backend.
-
-    As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
-
-    `[...] only **trusted** users should be allowed to control your Docker daemon [...]`
-
-    !!! tip "Improved Security"
-
-        [TraefikEE](https://containo.us/traefikee) solves this problem by separating the control plane (connected to Docker) and the data plane (handling the requests).
-
-    ??? info "Resources about Docker's Security"
-
-        - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
-        - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
-        - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
-        - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
-
-??? tip "Security Compensation"
-
-    Expose the Docker socket over TCP, instead of the default Unix socket file.
-    It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
-
-    - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
-    - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
-    - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
-    - Accounting at container level, by exposing the socket on a another container than Traefik's.
-      With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
-    - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
-
-    ??? info "Additional Resources"
-
-        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
-        - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
-        - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
-        - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
-
-!!! info "Traefik & Swarm Mode"
-    To let Traefik access the Docker Socket of the Swarm manager, it is mandatory to schedule Traefik on the Swarm manager nodes.
 
 ??? example "Using the docker.sock"
 
@@ -163,7 +246,7 @@ Traefik requires access to the docker socket to get its dynamic configuration.
 
     services:
       traefik:
-         image: traefik:v2.0 # The official v2.0 Traefik docker image
+         image: traefik:v2.1 # The official v2 Traefik docker image
          ports:
            - "80:80"
          volumes:
@@ -186,7 +269,7 @@ Traefik requires access to the docker socket to get its dynamic configuration.
     ```
     
     ```bash tab="CLI"
-    --providers.docker.endpoint="unix:///var/run/docker.sock"
+    --providers.docker.endpoint=unix:///var/run/docker.sock
     # ...
     ```
 
@@ -311,7 +394,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.docker.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+--providers.docker.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
@@ -343,7 +426,7 @@ providers:
 # ...
 ```
 
-Activates the Swarm Mode.
+Activates the Swarm Mode (instead of standalone Docker).
 
 ### `swarmModeRefreshSeconds`
 
@@ -369,25 +452,49 @@ providers:
 
 Defines the polling interval (in seconds) in Swarm Mode.
 
-### `constraints`
+### `watch`
 
-_Optional, Default=""_
+_Optional, Default=true_
 
 ```toml tab="File (TOML)"
 [providers.docker]
-  constraints = "Label(`a.label.name`, `foo`)"
+  watch = false
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   docker:
-    constraints: "Label(`a.label.name`, `foo`)"
+    watch: false
     # ...
 ```
 
 ```bash tab="CLI"
---providers.docker.constraints="Label(`a.label.name`, `foo`)"
+--providers.docker.watch=false
+# ...
+```
+
+Watch Docker Swarm events.
+
+### `constraints`
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.docker]
+  constraints = "Label(`a.label.name`,`foo`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    constraints: "Label(`a.label.name`,`foo`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.constraints=Label(`a.label.name`,`foo`)
 # ...
 ```
 

docs/content/providers/file.md

@@ -23,17 +23,17 @@ You can write one of these mutually exclusive configuration elements:
     
     ```toml tab="File (TOML)"
     [providers.file]
-      filename = "/my/path/to/dynamic-conf.toml"
+      directory = "/path/to/dynamic/conf"
     ```
     
     ```yaml tab="File (YAML)"
     providers:
       file:
-        filename: "/my/path/to/dynamic-conf.yml"
+        directory: "/path/to/dynamic/conf"
     ```
     
     ```bash tab="CLI"
-    --providers.file.filename=/my/path/to/dynamic_conf.toml
+    --providers.file.directory=/path/to/dynamic/conf
     ```
     
     Declaring Routers, Middlewares & Services:
@@ -100,29 +100,53 @@ You can write one of these mutually exclusive configuration elements:
 
 If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md).
 
+!!! warning "Limitations"
+
+    With the file provider, Traefik listens for file system notifications to update the dynamic configuration.
+    
+    If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors.
+    If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught. 
+    
+    For example, in docker, if the host file is renamed, the link to the mounted file will be broken and the container's file will not be updated.
+    To avoid this kind of issue, a good practice is to:
+        
+    * set the Traefik [**directory**](#directory) configuration with the parent directory
+    * mount/bind the parent directory
+
+    As it is very difficult to listen to all file system notifications, Traefik use [fsnotify](https://github.com/fsnotify/fsnotify).
+    If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
+    
 ### `filename`
 
-Defines the path of the configuration file.
+Defines the path to the configuration file.
+
+!!! warning ""
+    `filename` and `directory` are mutually exclusive.
+    The recommendation is to use `directory`.
 
 ```toml tab="File (TOML)"
 [providers]
   [providers.file]
-    filename = "dynamic_conf.toml"
+    filename = "/path/to/config/dynamic_conf.toml"
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   file:
-    filename: dynamic_conf.yml
+    filename: /path/to/config/dynamic_conf.yml
 ```
 
 ```bash tab="CLI"
---providers.file.filename=dynamic_conf.toml
+--providers.file.filename=/path/to/config/dynamic_conf.toml
 ```
 
 ### `directory`
 
-Defines the directory that contains the configuration files.
+Defines the path to the directory that contains the configuration files.
+
+!!! warning ""
+    `filename` and `directory` are mutually exclusive.
+    The recommendation is to use `directory`.
 
 ```toml tab="File (TOML)"
 [providers]
@@ -148,19 +172,19 @@ It works with both the `filename` and the `directory` options.
 ```toml tab="File (TOML)"
 [providers]
   [providers.file]
-    filename = "dynamic_conf.toml"
+    directory = "/path/to/dynamic/conf"
     watch = true
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   file:
-    filename: dynamic_conf.yml
+    directory: /path/to/dynamic/conf
     watch: true
 ```
 
 ```bash tab="CLI"
---providers.file.filename=dynamic_conf.toml
+--providers.file.directory=/my/path/to/dynamic/conf
 --providers.file.watch=true
 ```
 
@@ -170,8 +194,11 @@ providers:
     Go Templating only works along with dedicated dynamic configuration files.
     Templating does not work in the Traefik main static configuration file.
 
-Traefik allows using Go templating.  
+Traefik allows using Go templating,
-Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the file `template-rules.toml` :
+it must be a valid [Go template](https://golang.org/pkg/text/template/),
+augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
+
+Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the following examples:
 
 ??? example "Configuring Using Templating"
     
@@ -181,7 +208,7 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
     
       [http.routers]
       {{ range $i, $e := until 100 }}
-        [http.routers.router{{ $e }}]
+        [http.routers.router{{ $e }}-{{ env "MY_ENV_VAR" }}]
         # ...
       {{ end }}  
       
@@ -223,40 +250,38 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
     
     ```yaml tab="YAML"
     http:
-    
-    {{range $i, $e := until 100 }}
       routers:
-        router{{ $e }:
+        {{range $i, $e := until 100 }}
+        router{{ $e }}-{{ env "MY_ENV_VAR" }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{range $i, $e := until 100 }}
       services:
+        {{range $i, $e := until 100 }}
         application{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
     tcp:
-    
-    {{range $i, $e := until 100 }}
       routers:
-        router{{ $e }:
+        {{range $i, $e := until 100 }}
+        router{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{range $i, $e := until 100 }}
       services:
+        {{range $i, $e := until 100 }}
         service{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{ range $i, $e := until 10 }}
     tls:
       certificates:
+      {{ range $i, $e := until 10 }}
       - certFile: "/etc/traefik/cert-{{ $e }}.pem"
         keyFile: "/etc/traefik/cert-{{ $e }}.key"
         store:
         - "my-store-foo-{{ $e }}"
         - "my-store-bar-{{ $e }}"
-    {{end}}
+      {{end}}
     ```

docs/content/providers/kubernetes-crd.md

@@ -8,9 +8,60 @@ Traefik used to support Kubernetes only through the [Kubernetes Ingress provider
 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
 
+## Configuration Requirements
+
+!!! tip "All Steps for a Successful Deployment"
+
+    * Add/update **all** the Traefik resources [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions)
+    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources
+    * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment 
+        * Enable the kubernetesCRD provider
+        * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
+    * Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
+ 
+??? example "Initializing Resource Definition and RBAC"
+
+    ```yaml tab="Traefik Resource Definition"
+    # All resources definition must be declared
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+    ```
+
+    ```yaml tab="RBAC for Traefik CRD"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
+    ```
+
 ## Resource Configuration
 
-See the dedicated section in [routing](../routing/providers/kubernetes-crd.md).
+When using KubernetesCRD as a provider,
+Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to retrieve its routing configuration.
+Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
+
+* The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
+* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like:
+    * TLS certificate.
+    * Authentication data.
+* The structure of the configuration.
+* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
+
+The Traefik CRD are building blocks which you can assemble according to your needs.
+See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
+
+## LetsEncrypt Support with the Custom Resource Definition Provider
+
+By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
+
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+
+If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+
+If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
+A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
+Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.
 
 ## Provider Configuration
 
@@ -32,7 +83,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.endpoint="http://localhost:8080"
+--providers.kubernetescrd.endpoint=http://localhost:8080
 ```
 
 The Kubernetes server endpoint as URL.
@@ -66,7 +117,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.token="mytoken"
+--providers.kubernetescrd.token=mytoken
 ```
 
 Bearer token used for the Kubernetes client configuration.
@@ -89,7 +140,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.certauthfilepath="/my/ca.crt"
+--providers.kubernetescrd.certauthfilepath=/my/ca.crt
 ```
 
 Path to the certificate authority file.
@@ -115,7 +166,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.namespaces="default,production"
+--providers.kubernetescrd.namespaces=default,production
 ```
 
 Array of namespaces to watch.
@@ -164,7 +215,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.ingressclass="traefik-internal"
+--providers.kubernetescrd.ingressclass=traefik-internal
 ```
 
 Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
@@ -190,7 +241,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.throttleDuration="10s"
+--providers.kubernetescrd.throttleDuration=10s
 ```
 
 ## Further

docs/content/providers/kubernetes-ingress.md

@@ -23,7 +23,9 @@ providers:
 --providers.kubernetesingress=true
 ```
 
-The provider then watches for incoming ingresses events, such as the example below, and derives the corresponding dynamic configuration from it, which in turn will create the resulting routers, services, handlers, etc.
+The provider then watches for incoming ingresses events, such as the example below,
+and derives the corresponding dynamic configuration from it,
+which in turn will create the resulting routers, services, handlers, etc.
 
 ```yaml tab="File (YAML)"
 kind: Ingress
@@ -47,6 +49,29 @@ spec:
               servicePort: 80
 ```
 
+## LetsEncrypt Support with the Ingress Provider
+
+By design, Traefik is a stateless application,
+meaning that it only derives its configuration from the environment it runs in,
+without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA,
+as is a common pattern in the kubernetes ecosystem.
+
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered,
+however this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled,
+because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this,
+but due to sub-optimal performance was dropped as a feature in 2.0.
+
+If you require LetsEncrypt with HA in a kubernetes environment,
+we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+
+If you are wanting to continue to run Traefik Community Edition,
+LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates,
+it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+
 ## Provider Configuration
 
 ### `endpoint`
@@ -67,7 +92,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.endpoint="http://localhost:8080"
+--providers.kubernetesingress.endpoint=http://localhost:8080
 ```
 
 The Kubernetes server endpoint as URL, which is only used when the behavior based on environment variables described below does not apply.
@@ -79,7 +104,8 @@ They are both provided automatically as mounts in the pod where Traefik is deplo
 
 When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
 In which case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication
+and authorization of the associated kubeconfig.
 
 ### `token`
 
@@ -99,7 +125,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.token="mytoken"
+--providers.kubernetesingress.token=mytoken
 ```
 
 Bearer token used for the Kubernetes client configuration.
@@ -122,7 +148,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.certauthfilepath="/my/ca.crt"
+--providers.kubernetesingress.certauthfilepath=/my/ca.crt
 ```
 
 Path to the certificate authority file.
@@ -171,7 +197,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.namespaces="default,production"
+--providers.kubernetesingress.namespaces=default,production
 ```
 
 Array of namespaces to watch.
@@ -220,7 +246,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressclass="traefik-internal"
+--providers.kubernetesingress.ingressclass=traefik-internal
 ```
 
 Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
@@ -249,7 +275,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.hostname="foo.com"
+--providers.kubernetesingress.ingressendpoint.hostname=foo.com
 ```
 
 Hostname used for Kubernetes Ingress endpoints.
@@ -273,7 +299,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.ip="1.2.3.4"
+--providers.kubernetesingress.ingressendpoint.ip=1.2.3.4
 ```
 
 IP used for Kubernetes Ingress endpoints.
@@ -284,7 +310,7 @@ _Optional, Default: empty_
 
 ```toml tab="File (TOML)"
 [providers.kubernetesIngress.ingressEndpoint]
-  publishedService = "foo-service"
+  publishedService = "namespace/foo-service"
   # ...
 ```
 
@@ -292,15 +318,16 @@ _Optional, Default: empty_
 providers:
   kubernetesIngress:
     ingressEndpoint:
-      publishedService: "foo-service"
+      publishedService: "namespace/foo-service"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.publishedservice="foo-service"
+--providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
 ```
 
 Published Kubernetes Service to copy status from.
+Format: `namespace/servicename`.
 
 ### `throttleDuration`
 
@@ -320,9 +347,10 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.throttleDuration="10s"
+--providers.kubernetesingress.throttleDuration=10s
 ```
 
 ## Further
 
-If one wants to know more about the various aspects of the Ingress spec that Traefik supports, many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+If one wants to know more about the various aspects of the Ingress spec that Traefik supports,
+many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.1/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

docs/content/providers/marathon.md

@@ -74,8 +74,8 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.basic.httpbasicauthuser="foo"
+--providers.marathon.basic.httpbasicauthuser=foo
---providers.marathon.basic.httpbasicpassword="bar"
+--providers.marathon.basic.httpbasicpassword=bar
 ```
 
 Enables Marathon basic authentication.
@@ -98,7 +98,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.dcosToken="xxxxxx"
+--providers.marathon.dcosToken=xxxxxx
 ```
 
 DCOSToken for DCOS environment.
@@ -123,7 +123,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+--providers.marathon.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
@@ -182,7 +182,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.endpoint="http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+--providers.marathon.endpoint=http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080
 ```
 
 Marathon server endpoint.
@@ -223,19 +223,19 @@ _Optional, Default=""_
 
 ```toml tab="File (TOML)"
 [providers.marathon]
-  constraints = "Label(`a.label.name`, `foo`)"
+  constraints = "Label(`a.label.name`,`foo`)"
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   marathon:
-    constraints: "Label(`a.label.name`, `foo`)"
+    constraints: "Label(`a.label.name`,`foo`)"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.marathon.constraints="Label(`a.label.name`, `foo`)"
+--providers.marathon.constraints=Label(`a.label.name`,`foo`)
 # ...
 ```
 
@@ -389,7 +389,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.responseHeaderTimeout="66s"
+--providers.marathon.responseHeaderTimeout=66s
 # ...
 ```
 
@@ -532,7 +532,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.marathon.responseHeaderTimeout="10s"
+--providers.marathon.responseHeaderTimeout=10s
 # ...
 ```
 

docs/content/providers/overview.md

@@ -26,13 +26,14 @@ Even if each provider is different, we can categorize them in four groups:
 
 Below is the list of the currently supported providers in Traefik. 
 
-| Provider                          | Type         | Configuration Type |
+| Provider                              | Type         | Configuration Type |
-|-----------------------------------|--------------|--------------------|
+|---------------------------------------|--------------|--------------------|
-| [Docker](./docker.md)             | Orchestrator | Label              |
+| [Docker](./docker.md)                 | Orchestrator | Label              |
-| [Kubernetes](./kubernetes-crd.md) | Orchestrator | Custom Resource    |
+| [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource    |
-| [Marathon](./marathon.md)         | Orchestrator | Label              |
+| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label              |
-| [Rancher](./rancher.md)           | Orchestrator | Label              |
+| [Marathon](./marathon.md)             | Orchestrator | Label              |
-| [File](./file.md)                 | Manual       | TOML/YAML format   |
+| [Rancher](./rancher.md)               | Orchestrator | Label              |
+| [File](./file.md)                     | Manual       | TOML/YAML format   |
 
 !!! info "More Providers"
 
@@ -90,6 +91,7 @@ or with a finer granularity mechanism based on constraints.
 List of providers that support that feature:
 
 - [Docker](./docker.md#exposedbydefault)
+- [Consul Catalog](./consul-catalog.md#exposedbydefault)
 - [Rancher](./rancher.md#exposedbydefault)
 - [Marathon](./marathon.md#exposedbydefault)
 
@@ -98,6 +100,7 @@ List of providers that support that feature:
 List of providers that support constraints:
 
 - [Docker](./docker.md#constraints)
+- [Consul Catalog](./consul-catalog.md#constraints)
 - [Rancher](./rancher.md#constraints)
 - [Marathon](./marathon.md#constraints)
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)

docs/content/providers/rancher.md

@@ -104,7 +104,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.rancher.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+--providers.rancher.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
@@ -209,7 +209,7 @@ providers:
 ```
 
 ```bash tab="CLI"
---providers.rancher.prefix="/test"
+--providers.rancher.prefix=/test
 # ...
 ```
 
@@ -221,19 +221,19 @@ _Optional, Default=""_
 
 ```toml tab="File (TOML)"
 [providers.rancher]
-  constraints = "Label(`a.label.name`, `foo`)"
+  constraints = "Label(`a.label.name`,`foo`)"
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   rancher:
-    constraints: "Label(`a.label.name`, `foo`)"
+    constraints: "Label(`a.label.name`,`foo`)"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.rancher.constraints="Label(`a.label.name`, `foo`)"
+--providers.rancher.constraints=Label(`a.label.name`,`foo`)
 # ...
 ```
 

docs/content/providers/rancher.txt

@@ -17,4 +17,4 @@
 --providers.rancher.intervalPoll=false
 
 # Prefix used for accessing the Rancher metadata service
---providers.rancher.prefix="/latest"
+--providers.rancher.prefix=/latest

docs/content/providers/rancher.yml

@@ -18,4 +18,4 @@ providers:
   intervalPoll: false
 
   # Prefix used for accessing the Rancher metadata service
-  prefix: "/latest"
+  prefix: /latest

docs/content/reference/dynamic-configuration/consul-catalog.md

@@ -0,0 +1,11 @@
+# Consul Catalog Configuration Reference
+
+Dynamic configuration with Consul Catalog
+{: .subtitle }
+
+The labels are case insensitive.
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/consul-catalog.yml"
+--8<-- "content/reference/dynamic-configuration/docker-labels.yml"
+```

docs/content/reference/dynamic-configuration/consul-catalog.yml

@@ -0,0 +1 @@
+- "traefik.enable=true"

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -12,99 +12,102 @@
 - "traefik.http.middlewares.middleware03.chain.middlewares=foobar, foobar"
 - "traefik.http.middlewares.middleware04.circuitbreaker.expression=foobar"
 - "traefik.http.middlewares.middleware05.compress=true"
-- "traefik.http.middlewares.middleware06.digestauth.headerfield=foobar"
+- "traefik.http.middlewares.middleware05.compress.excludedcontenttypes=foobar, foobar"
-- "traefik.http.middlewares.middleware06.digestauth.realm=foobar"
+- "traefik.http.middlewares.middleware06.contenttype.autodetect=true"
-- "traefik.http.middlewares.middleware06.digestauth.removeheader=true"
+- "traefik.http.middlewares.middleware07.digestauth.headerfield=foobar"
-- "traefik.http.middlewares.middleware06.digestauth.users=foobar, foobar"
+- "traefik.http.middlewares.middleware07.digestauth.realm=foobar"
-- "traefik.http.middlewares.middleware06.digestauth.usersfile=foobar"
+- "traefik.http.middlewares.middleware07.digestauth.removeheader=true"
-- "traefik.http.middlewares.middleware07.errors.query=foobar"
+- "traefik.http.middlewares.middleware07.digestauth.users=foobar, foobar"
-- "traefik.http.middlewares.middleware07.errors.service=foobar"
+- "traefik.http.middlewares.middleware07.digestauth.usersfile=foobar"
-- "traefik.http.middlewares.middleware07.errors.status=foobar, foobar"
+- "traefik.http.middlewares.middleware08.errors.query=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.address=foobar"
+- "traefik.http.middlewares.middleware08.errors.service=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.authresponseheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware08.errors.status=foobar, foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.ca=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.address=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.caoptional=true"
+- "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.cert=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify=true"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.key=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.trustforwardheader=true"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify=true"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials=true"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.key=foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.trustforwardheader=true"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowcredentials=true"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin=foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolmaxage=42"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin=foobar"
-- "traefik.http.middlewares.middleware09.headers.addvaryheader=true"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.allowedhosts=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage=42"
-- "traefik.http.middlewares.middleware09.headers.browserxssfilter=true"
+- "traefik.http.middlewares.middleware10.headers.addvaryheader=true"
-- "traefik.http.middlewares.middleware09.headers.contentsecuritypolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.allowedhosts=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.contenttypenosniff=true"
+- "traefik.http.middlewares.middleware10.headers.browserxssfilter=true"
-- "traefik.http.middlewares.middleware09.headers.custombrowserxssvalue=foobar"
+- "traefik.http.middlewares.middleware10.headers.contentsecuritypolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.customframeoptionsvalue=foobar"
+- "traefik.http.middlewares.middleware10.headers.contenttypenosniff=true"
-- "traefik.http.middlewares.middleware09.headers.customrequestheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.custombrowserxssvalue=foobar"
-- "traefik.http.middlewares.middleware09.headers.customrequestheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.customframeoptionsvalue=foobar"
-- "traefik.http.middlewares.middleware09.headers.customresponseheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.customrequestheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.customresponseheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.featurepolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.forcestsheader=true"
+- "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.framedeny=true"
+- "traefik.http.middlewares.middleware10.headers.featurepolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.hostsproxyheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.forcestsheader=true"
-- "traefik.http.middlewares.middleware09.headers.isdevelopment=true"
+- "traefik.http.middlewares.middleware10.headers.framedeny=true"
-- "traefik.http.middlewares.middleware09.headers.publickey=foobar"
+- "traefik.http.middlewares.middleware10.headers.hostsproxyheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.referrerpolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.isdevelopment=true"
-- "traefik.http.middlewares.middleware09.headers.sslforcehost=true"
+- "traefik.http.middlewares.middleware10.headers.publickey=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslhost=foobar"
+- "traefik.http.middlewares.middleware10.headers.referrerpolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.sslforcehost=true"
-- "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.sslhost=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslredirect=true"
+- "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.ssltemporaryredirect=true"
+- "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.stsincludesubdomains=true"
+- "traefik.http.middlewares.middleware10.headers.sslredirect=true"
-- "traefik.http.middlewares.middleware09.headers.stspreload=true"
+- "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect=true"
-- "traefik.http.middlewares.middleware09.headers.stsseconds=42"
+- "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
-- "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware10.headers.stspreload=true"
-- "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.stsseconds=42"
-- "traefik.http.middlewares.middleware10.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware11.inflightreq.amount=42"
+- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware12.inflightreq.amount=42"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname=true"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requestheadername=foobar"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country=true"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requesthost=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.commonname=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.country=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.domaincomponent=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.locality=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.organization=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.province=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.serialnumber=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.sans=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.notafter=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.notbefore=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.sans=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.commonname=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.country=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.pem=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province=true"
-- "traefik.http.middlewares.middleware13.ratelimit.average=42"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber=true"
-- "traefik.http.middlewares.middleware13.ratelimit.burst=42"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.pem=true"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware14.ratelimit.average=42"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.burst=42"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware14.redirectregex.permanent=true"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requestheadername=foobar"
-- "traefik.http.middlewares.middleware14.redirectregex.regex=foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requesthost=true"
-- "traefik.http.middlewares.middleware14.redirectregex.replacement=foobar"
+- "traefik.http.middlewares.middleware15.redirectregex.permanent=true"
-- "traefik.http.middlewares.middleware15.redirectscheme.permanent=true"
+- "traefik.http.middlewares.middleware15.redirectregex.regex=foobar"
-- "traefik.http.middlewares.middleware15.redirectscheme.port=foobar"
+- "traefik.http.middlewares.middleware15.redirectregex.replacement=foobar"
-- "traefik.http.middlewares.middleware15.redirectscheme.scheme=foobar"
+- "traefik.http.middlewares.middleware16.redirectscheme.permanent=true"
-- "traefik.http.middlewares.middleware16.replacepath.path=foobar"
+- "traefik.http.middlewares.middleware16.redirectscheme.port=foobar"
-- "traefik.http.middlewares.middleware17.replacepathregex.regex=foobar"
+- "traefik.http.middlewares.middleware16.redirectscheme.scheme=foobar"
-- "traefik.http.middlewares.middleware17.replacepathregex.replacement=foobar"
+- "traefik.http.middlewares.middleware17.replacepath.path=foobar"
-- "traefik.http.middlewares.middleware18.retry.attempts=42"
+- "traefik.http.middlewares.middleware18.replacepathregex.regex=foobar"
-- "traefik.http.middlewares.middleware19.stripprefix.prefixes=foobar, foobar"
+- "traefik.http.middlewares.middleware18.replacepathregex.replacement=foobar"
-- "traefik.http.middlewares.middleware20.stripprefixregex.regex=foobar, foobar"
+- "traefik.http.middlewares.middleware19.retry.attempts=42"
+- "traefik.http.middlewares.middleware20.stripprefix.forceslash=true"
+- "traefik.http.middlewares.middleware20.stripprefix.prefixes=foobar, foobar"
+- "traefik.http.middlewares.middleware21.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.priority=42"
@@ -129,38 +132,22 @@
 - "traefik.http.routers.router1.tls.domains[1].main=foobar"
 - "traefik.http.routers.router1.tls.domains[1].sans=foobar, foobar"
 - "traefik.http.routers.router1.tls.options=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.headers.name0=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.headers.name1=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.hostname=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.hostname=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.interval=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.interval=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.path=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.path=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.port=42"
+- "traefik.http.services.service01.loadbalancer.healthcheck.port=42"
-- "traefik.http.services.service0.loadbalancer.healthcheck.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.scheme=foobar"
-- "traefik.http.services.service0.loadbalancer.healthcheck.timeout=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.timeout=foobar"
-- "traefik.http.services.service0.loadbalancer.passhostheader=true"
+- "traefik.http.services.service01.loadbalancer.passhostheader=true"
-- "traefik.http.services.service0.loadbalancer.responseforwarding.flushinterval=foobar"
+- "traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval=foobar"
-- "traefik.http.services.service0.loadbalancer.sticky=true"
+- "traefik.http.services.service01.loadbalancer.sticky=true"
-- "traefik.http.services.service0.loadbalancer.sticky.cookie.httponly=true"
+- "traefik.http.services.service01.loadbalancer.sticky.cookie.httponly=true"
-- "traefik.http.services.service0.loadbalancer.sticky.cookie.name=foobar"
+- "traefik.http.services.service01.loadbalancer.sticky.cookie.name=foobar"
-- "traefik.http.services.service0.loadbalancer.sticky.cookie.secure=true"
+- "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
-- "traefik.http.services.service0.loadbalancer.server.port=foobar"
+- "traefik.http.services.service01.loadbalancer.server.port=foobar"
-- "traefik.http.services.service0.loadbalancer.server.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.headers.name0=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.headers.name1=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.hostname=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.interval=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.path=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.port=42"
-- "traefik.http.services.service1.loadbalancer.healthcheck.scheme=foobar"
-- "traefik.http.services.service1.loadbalancer.healthcheck.timeout=foobar"
-- "traefik.http.services.service1.loadbalancer.passhostheader=true"
-- "traefik.http.services.service1.loadbalancer.responseforwarding.flushinterval=foobar"
-- "traefik.http.services.service1.loadbalancer.sticky=true"
-- "traefik.http.services.service1.loadbalancer.sticky.cookie.httponly=true"
-- "traefik.http.services.service1.loadbalancer.sticky.cookie.name=foobar"
-- "traefik.http.services.service1.loadbalancer.sticky.cookie.secure=true"
-- "traefik.http.services.service1.loadbalancer.server.port=foobar"
-- "traefik.http.services.service1.loadbalancer.server.scheme=foobar"
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.rule=foobar"
 - "traefik.tcp.routers.tcprouter0.service=foobar"
@@ -183,7 +170,5 @@
 - "traefik.tcp.routers.tcprouter1.tls.domains[1].sans=foobar, foobar"
 - "traefik.tcp.routers.tcprouter1.tls.options=foobar"
 - "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
-- "traefik.tcp.services.tcpservice0.loadbalancer.server.port=foobar"
+- "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay=42"
-- "traefik.tcp.services.tcpservice0.loadbalancer.terminationdelay=100"
+- "traefik.tcp.services.tcpservice01.loadbalancer.server.port=foobar"
-- "traefik.tcp.services.tcpservice1.loadbalancer.server.port=foobar"
-- "traefik.tcp.services.tcpservice1.loadbalancer.terminationdelay=100"

docs/content/reference/dynamic-configuration/file.toml

@@ -113,31 +113,35 @@
         expression = "foobar"
     [http.middlewares.Middleware05]
       [http.middlewares.Middleware05.compress]
+        excludedContentTypes = ["foobar", "foobar"]
     [http.middlewares.Middleware06]
-      [http.middlewares.Middleware06.digestAuth]
+      [http.middlewares.Middleware06.contentType]
+        autoDetect = true
+    [http.middlewares.Middleware07]
+      [http.middlewares.Middleware07.digestAuth]
         users = ["foobar", "foobar"]
         usersFile = "foobar"
         removeHeader = true
         realm = "foobar"
         headerField = "foobar"
-    [http.middlewares.Middleware07]
+    [http.middlewares.Middleware08]
-      [http.middlewares.Middleware07.errors]
+      [http.middlewares.Middleware08.errors]
         status = ["foobar", "foobar"]
         service = "foobar"
         query = "foobar"
-    [http.middlewares.Middleware08]
+    [http.middlewares.Middleware09]
-      [http.middlewares.Middleware08.forwardAuth]
+      [http.middlewares.Middleware09.forwardAuth]
         address = "foobar"
         trustForwardHeader = true
         authResponseHeaders = ["foobar", "foobar"]
-        [http.middlewares.Middleware08.forwardAuth.tls]
+        [http.middlewares.Middleware09.forwardAuth.tls]
           ca = "foobar"
           caOptional = true
           cert = "foobar"
           key = "foobar"
           insecureSkipVerify = true
-    [http.middlewares.Middleware09]
+    [http.middlewares.Middleware10]
-      [http.middlewares.Middleware09.headers]
+      [http.middlewares.Middleware10.headers]
         accessControlAllowCredentials = true
         accessControlAllowHeaders = ["foobar", "foobar"]
         accessControlAllowMethods = ["foobar", "foobar"]
@@ -165,38 +169,38 @@
         referrerPolicy = "foobar"
         featurePolicy = "foobar"
         isDevelopment = true
-        [http.middlewares.Middleware09.headers.customRequestHeaders]
+        [http.middlewares.Middleware10.headers.customRequestHeaders]
           name0 = "foobar"
           name1 = "foobar"
-        [http.middlewares.Middleware09.headers.customResponseHeaders]
+        [http.middlewares.Middleware10.headers.customResponseHeaders]
           name0 = "foobar"
           name1 = "foobar"
-        [http.middlewares.Middleware09.headers.sslProxyHeaders]
+        [http.middlewares.Middleware10.headers.sslProxyHeaders]
           name0 = "foobar"
           name1 = "foobar"
-    [http.middlewares.Middleware10]
+    [http.middlewares.Middleware11]
-      [http.middlewares.Middleware10.ipWhiteList]
+      [http.middlewares.Middleware11.ipWhiteList]
         sourceRange = ["foobar", "foobar"]
-        [http.middlewares.Middleware10.ipWhiteList.ipStrategy]
+        [http.middlewares.Middleware11.ipWhiteList.ipStrategy]
           depth = 42
           excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware11]
+    [http.middlewares.Middleware12]
-      [http.middlewares.Middleware11.inFlightReq]
+      [http.middlewares.Middleware12.inFlightReq]
         amount = 42
-        [http.middlewares.Middleware11.inFlightReq.sourceCriterion]
+        [http.middlewares.Middleware12.inFlightReq.sourceCriterion]
           requestHeaderName = "foobar"
           requestHost = true
-          [http.middlewares.Middleware11.inFlightReq.sourceCriterion.ipStrategy]
+          [http.middlewares.Middleware12.inFlightReq.sourceCriterion.ipStrategy]
             depth = 42
             excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware12]
+    [http.middlewares.Middleware13]
-      [http.middlewares.Middleware12.passTLSClientCert]
+      [http.middlewares.Middleware13.passTLSClientCert]
         pem = true
-        [http.middlewares.Middleware12.passTLSClientCert.info]
+        [http.middlewares.Middleware13.passTLSClientCert.info]
           notAfter = true
           notBefore = true
           sans = true
-          [http.middlewares.Middleware12.passTLSClientCert.info.subject]
+          [http.middlewares.Middleware13.passTLSClientCert.info.subject]
             country = true
             province = true
             locality = true
@@ -204,7 +208,7 @@
             commonName = true
             serialNumber = true
             domainComponent = true
-          [http.middlewares.Middleware12.passTLSClientCert.info.issuer]
+          [http.middlewares.Middleware13.passTLSClientCert.info.issuer]
             country = true
             province = true
             locality = true
@@ -212,41 +216,42 @@
             commonName = true
             serialNumber = true
             domainComponent = true
-    [http.middlewares.Middleware13]
+    [http.middlewares.Middleware14]
-      [http.middlewares.Middleware13.rateLimit]
+      [http.middlewares.Middleware14.rateLimit]
         average = 42
         burst = 42
-        [http.middlewares.Middleware13.rateLimit.sourceCriterion]
+        [http.middlewares.Middleware14.rateLimit.sourceCriterion]
           requestHeaderName = "foobar"
           requestHost = true
-          [http.middlewares.Middleware13.rateLimit.sourceCriterion.ipStrategy]
+          [http.middlewares.Middleware14.rateLimit.sourceCriterion.ipStrategy]
             depth = 42
             excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware14]
+    [http.middlewares.Middleware15]
-      [http.middlewares.Middleware14.redirectRegex]
+      [http.middlewares.Middleware15.redirectRegex]
         regex = "foobar"
         replacement = "foobar"
         permanent = true
-    [http.middlewares.Middleware15]
+    [http.middlewares.Middleware16]
-      [http.middlewares.Middleware15.redirectScheme]
+      [http.middlewares.Middleware16.redirectScheme]
         scheme = "foobar"
         port = "foobar"
         permanent = true
-    [http.middlewares.Middleware16]
-      [http.middlewares.Middleware16.replacePath]
-        path = "foobar"
     [http.middlewares.Middleware17]
-      [http.middlewares.Middleware17.replacePathRegex]
+      [http.middlewares.Middleware17.replacePath]
+        path = "foobar"
+    [http.middlewares.Middleware18]
+      [http.middlewares.Middleware18.replacePathRegex]
         regex = "foobar"
         replacement = "foobar"
-    [http.middlewares.Middleware18]
-      [http.middlewares.Middleware18.retry]
-        attempts = 42
     [http.middlewares.Middleware19]
-      [http.middlewares.Middleware19.stripPrefix]
+      [http.middlewares.Middleware19.retry]
-        prefixes = ["foobar", "foobar"]
+        attempts = 42
     [http.middlewares.Middleware20]
-      [http.middlewares.Middleware20.stripPrefixRegex]
+      [http.middlewares.Middleware20.stripPrefix]
+        prefixes = ["foobar", "foobar"]
+        forceSlash = true
+    [http.middlewares.Middleware21]
+      [http.middlewares.Middleware21.stripPrefixRegex]
         regex = ["foobar", "foobar"]
 
 [tcp]
@@ -284,25 +289,25 @@
           main = "foobar"
           sans = ["foobar", "foobar"]
   [tcp.services]
-    [tcp.services.TCPService0]
+    [tcp.services.TCPService01]
-      [tcp.services.TCPService0.loadBalancer]
+      [tcp.services.TCPService01.loadBalancer]
-        terminationDelay = 100
+        terminationDelay = 42
 
-        [[tcp.services.TCPService0.loadBalancer.servers]]
+        [[tcp.services.TCPService01.loadBalancer.servers]]
           address = "foobar"
 
-        [[tcp.services.TCPService0.loadBalancer.servers]]
+        [[tcp.services.TCPService01.loadBalancer.servers]]
           address = "foobar"
+    [tcp.services.TCPService02]
+      [tcp.services.TCPService02.weighted]
 
-    [tcp.services.TCPService1]
+        [[tcp.services.TCPService02.weighted.services]]
-      [tcp.services.TCPService1.loadBalancer]
+          name = "foobar"
-        terminationDelay = 100
+          weight = 42
 
-        [[tcp.services.TCPService1.loadBalancer.servers]]
+        [[tcp.services.TCPService02.weighted.services]]
-          address = "foobar"
+          name = "foobar"
-
+          weight = 42
-        [[tcp.services.TCPService1.loadBalancer.servers]]
-          address = "foobar"
 
 [tls]
 
@@ -318,14 +323,18 @@
   [tls.options]
     [tls.options.Options0]
       minVersion = "foobar"
+      maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
+      curvePreferences = ["foobar", "foobar"]
       sniStrict = true
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"
     [tls.options.Options1]
       minVersion = "foobar"
+      maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
+      curvePreferences = ["foobar", "foobar"]
       sniStrict = true
       [tls.options.Options1.clientAuth]
         caFiles = ["foobar", "foobar"]

docs/content/reference/dynamic-configuration/file.yaml

@@ -2,11 +2,11 @@ http:
   routers:
     Router0:
       entryPoints:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
       middlewares:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
       service: foobar
       rule: foobar
       priority: 42
@@ -14,21 +14,21 @@ http:
         options: foobar
         certResolver: foobar
         domains:
-          - main: foobar
+        - main: foobar
-            sans:
+          sans:
-              - foobar
+          - foobar
-              - foobar
+          - foobar
-          - main: foobar
+        - main: foobar
-            sans:
+          sans:
-              - foobar
+          - foobar
-              - foobar
+          - foobar
     Router1:
       entryPoints:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
       middlewares:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
       service: foobar
       rule: foobar
       priority: 42
@@ -36,14 +36,14 @@ http:
         options: foobar
         certResolver: foobar
         domains:
-          - main: foobar
+        - main: foobar
-            sans:
+          sans:
-              - foobar
+          - foobar
-              - foobar
+          - foobar
-          - main: foobar
+        - main: foobar
-            sans:
+          sans:
-              - foobar
+          - foobar
-              - foobar
+          - foobar
   services:
     Service01:
       loadBalancer:
@@ -53,8 +53,8 @@ http:
             secure: true
             httpOnly: true
         servers:
-          - url: foobar
+        - url: foobar
-          - url: foobar
+        - url: foobar
         healthCheck:
           scheme: foobar
           path: foobar
@@ -72,17 +72,17 @@ http:
       mirroring:
         service: foobar
         mirrors:
-          - name: foobar
+        - name: foobar
-            percent: 42
+          percent: 42
-          - name: foobar
+        - name: foobar
-            percent: 42
+          percent: 42
     Service03:
       weighted:
         services:
-          - name: foobar
+        - name: foobar
-            weight: 42
+          weight: 42
-          - name: foobar
+        - name: foobar
-            weight: 42
+          weight: 42
         sticky:
           cookie:
             name: foobar
@@ -95,8 +95,8 @@ http:
     Middleware01:
       basicAuth:
         users:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         usersFile: foobar
         realm: foobar
         removeHeader: true
@@ -111,30 +111,36 @@ http:
     Middleware03:
       chain:
         middlewares:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
     Middleware04:
       circuitBreaker:
         expression: foobar
     Middleware05:
-      compress: {}
+      compress:
+        excludedContentTypes:
+        - foobar
+        - foobar
     Middleware06:
+      contentType:
+        autoDetect: true
+    Middleware07:
       digestAuth:
         users:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         usersFile: foobar
         removeHeader: true
         realm: foobar
         headerField: foobar
-    Middleware07:
+    Middleware08:
       errors:
         status:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         service: foobar
         query: foobar
-    Middleware08:
+    Middleware09:
       forwardAuth:
         address: foobar
         tls:
@@ -145,9 +151,9 @@ http:
           insecureSkipVerify: true
         trustForwardHeader: true
         authResponseHeaders:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
-    Middleware09:
+    Middleware10:
       headers:
         customRequestHeaders:
           name0: foobar
@@ -157,23 +163,23 @@ http:
           name1: foobar
         accessControlAllowCredentials: true
         accessControlAllowHeaders:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         accessControlAllowMethods:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         accessControlAllowOrigin: foobar
         accessControlExposeHeaders:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         accessControlMaxAge: 42
         addVaryHeader: true
         allowedHosts:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         hostsProxyHeaders:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         sslRedirect: true
         sslTemporaryRedirect: true
         sslHost: foobar
@@ -195,28 +201,28 @@ http:
         referrerPolicy: foobar
         featurePolicy: foobar
         isDevelopment: true
-    Middleware10:
+    Middleware11:
       ipWhiteList:
         sourceRange:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         ipStrategy:
           depth: 42
           excludedIPs:
-            - foobar
+          - foobar
-            - foobar
+          - foobar
-    Middleware11:
+    Middleware12:
       inFlightReq:
         amount: 42
         sourceCriterion:
           ipstrategy:
             depth: 42
             excludedIPs:
-              - foobar
+            - foobar
-              - foobar
+            - foobar
           requestHeaderName: foobar
           requestHost: true
-    Middleware12:
+    Middleware13:
       passTLSClientCert:
         pem: true
         info:
@@ -239,7 +245,7 @@ http:
             commonName: true
             serialNumber: true
             domainComponent: true
-    Middleware13:
+    Middleware14:
       rateLimit:
         average: 42
         burst: 42
@@ -247,46 +253,47 @@ http:
           ipstrategy:
             depth: 42
             excludedIPs:
-              - foobar
+            - foobar
-              - foobar
+            - foobar
           requestHeaderName: foobar
           requestHost: true
-    Middleware14:
+    Middleware15:
       redirectRegex:
         regex: foobar
         replacement: foobar
         permanent: true
-    Middleware15:
+    Middleware16:
       redirectScheme:
         scheme: foobar
         port: foobar
         permanent: true
-    Middleware16:
+    Middleware17:
       replacePath:
         path: foobar
-    Middleware17:
+    Middleware18:
       replacePathRegex:
         regex: foobar
         replacement: foobar
-    Middleware18:
+    Middleware19:
       retry:
         attempts: 42
-    Middleware19:
+    Middleware20:
       stripPrefix:
         prefixes:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
-    Middleware20:
+        forceSlash: true
+    Middleware21:
       stripPrefixRegex:
         regex:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
 tcp:
   routers:
     TCPRouter0:
       entryPoints:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
       service: foobar
       rule: foobar
       tls:
@@ -294,18 +301,18 @@ tcp:
         options: foobar
         certResolver: foobar
         domains:
-          - main: foobar
+        - main: foobar
-            sans:
+          sans:
-              - foobar
+          - foobar
-              - foobar
+          - foobar
-          - main: foobar
+        - main: foobar
-            sans:
+          sans:
-              - foobar
+          - foobar
-              - foobar
+          - foobar
     TCPRouter1:
       entryPoints:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
       service: foobar
       rule: foobar
       tls:
@@ -313,60 +320,69 @@ tcp:
         options: foobar
         certResolver: foobar
         domains:
-          - main: foobar
+        - main: foobar
-            sans:
+          sans:
-              - foobar
+          - foobar
-              - foobar
+          - foobar
-          - main: foobar
+        - main: foobar
-            sans:
+          sans:
-              - foobar
+          - foobar
-              - foobar
+          - foobar
   services:
-    TCPService0:
+    TCPService01:
       loadBalancer:
-        terminationDelay: 100
+        terminationDelay: 42
         servers:
-          - address: foobar
+        - address: foobar
-          - address: foobar
+        - address: foobar
-    TCPService1:
+    TCPService02:
-      loadBalancer:
+      weighted:
-        terminationDelay: 100
+        services:
-        servers:
+        - name: foobar
-          - address: foobar
+          weight: 42
-          - address: foobar
+        - name: foobar
+          weight: 42
 tls:
   certificates:
-    - certFile: foobar
+  - certFile: foobar
-      keyFile: foobar
+    keyFile: foobar
-      stores:
+    stores:
-        - foobar
+    - foobar
-        - foobar
+    - foobar
-    - certFile: foobar
+  - certFile: foobar
-      keyFile: foobar
+    keyFile: foobar
-      stores:
+    stores:
-        - foobar
+    - foobar
-        - foobar
+    - foobar
   options:
     Options0:
       minVersion: foobar
+      maxVersion: foobar
       cipherSuites:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
+      curvePreferences:
+      - foobar
+      - foobar
       clientAuth:
         caFiles:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         clientAuthType: foobar
       sniStrict: true
     Options1:
       minVersion: foobar
+      maxVersion: foobar
       cipherSuites:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
+      curvePreferences:
+      - foobar
+      - foobar
       clientAuth:
         caFiles:
-          - foobar
+        - foobar
-          - foobar
+        - foobar
         clientAuthType: foobar
       sniStrict: true
   stores:

docs/content/reference/dynamic-configuration/kubernetes-crd-definition.yml

@@ -0,0 +1,73 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutes.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRoute
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced

docs/content/reference/dynamic-configuration/kubernetes-crd-ingressroutetcp-definition.yml

@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced

docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

@@ -0,0 +1,57 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: default

docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml

@@ -0,0 +1,157 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr2
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: s1
+        weight: 1
+        port: 80
+        # Optional, as it is the default value
+        kind: Service
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr1
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: wrr2
+        kind: TraefikService
+        weight: 1
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror1
+  namespace: default
+
+spec:
+  mirroring:
+    name: s1
+    port: 80
+    mirrors:
+      - name: s3
+        percent: 20
+        port: 80
+      - name: mirror2
+        kind: TraefikService
+        percent: 20
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror2
+  namespace: default
+
+spec:
+  mirroring:
+    name: wrr2
+    kind: TraefikService
+    mirrors:
+      - name: s2
+        # Optional, as it is the default value
+        kind: Service
+        percent: 20
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroute
+spec:
+  entryPoints:
+    - web
+    - websecure
+  routes:
+    - match: Host(`foo.com`) && PathPrefix(`/bar`)
+      kind: Rule
+      priority: 12
+      # defining several services is possible and allowed, but for now the servers of
+      # all the services (for a given route) get merged altogether under the same
+      # load-balancing strategy.
+      services:
+        - name: s1
+          port: 80
+          healthCheck:
+            path: /health
+            host: baz.com
+            intervalSeconds: 7
+            timeoutSeconds: 60
+          # strategy defines the load balancing strategy between the servers. It defaults
+          # to Round Robin, and for now only Round Robin is supported anyway.
+          strategy: RoundRobin
+        - name: s2
+          port: 433
+          healthCheck:
+            path: /health
+            host: baz.com
+            intervalSeconds: 7
+            timeoutSeconds: 60
+    - match: PathPrefix(`/misc`)
+      services:
+        - name: s3
+          port: 80
+      middlewares:
+        - name: stripprefix
+        - name: addprefix
+    - match: PathPrefix(`/misc`)
+      services:
+        - name: s3
+          # Optional, as it is the default value
+          kind: Service
+          port: 8443
+          # scheme allow to override the scheme for the service. (ex: https or h2c)
+          scheme: https
+    - match: PathPrefix(`/lb`)
+      services:
+        - name: wrr1
+          kind: TraefikService
+    - match: PathPrefix(`/mirrored`)
+      services:
+        - name: mirror1
+          kind: TraefikService
+  # use an empty tls object for TLS with Let's Encrypt
+  tls:
+    secretName: supersecret
+    options:
+      name: myTLSOption
+      namespace: default
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ingressroutetcp.crd
+  namespace: default
+
+spec:
+  entryPoints:
+    - footcp
+  routes:
+    - match: HostSNI(`bar.com`)
+      services:
+        - name: whoamitcp
+          port: 8080
+  tls:
+    secretName: foosecret
+    passthrough: false
+    options:
+      name: myTLSOption
+      namespace: default

docs/content/reference/dynamic-configuration/kubernetes-crd.md

@@ -3,6 +3,20 @@
 Dynamic configuration with Kubernetes Custom Resource
 {: .subtitle }
 
+## Definitions
+
 ```yaml
---8<-- "content/reference/dynamic-configuration/kubernetes-crd.yml"
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+```
+
+## Resources
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-resource.yml"
+```
+
+## RBAC
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
 ```

docs/content/reference/dynamic-configuration/kubernetes-crd.yml

@@ -56,6 +56,94 @@ spec:
     singular: ingressroutetcp
   scope: Namespaced
 
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr2
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: s1
+        weight: 1
+        port: 80
+        # Optional, as it is the default value
+        kind: Service
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr1
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: wrr2
+        kind: TraefikService
+        weight: 1
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror1
+  namespace: default
+
+spec:
+  mirroring:
+    name: s1
+    port: 80
+    mirrors:
+      - name: s3
+        percent: 20
+        port: 80
+      - name: mirror2
+        kind: TraefikService
+        percent: 20
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror2
+  namespace: default
+
+spec:
+  mirroring:
+    name: wrr2
+    kind: TraefikService
+    mirrors:
+      - name: s2
+        # Optional, as it is the default value
+        kind: Service
+        percent: 20
+        port: 80
+
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
@@ -64,7 +152,7 @@ metadata:
 spec:
   entryPoints:
     - web
-    - web-secure
+    - websecure
   routes:
     - match: Host(`foo.com`) && PathPrefix(`/bar`)
       kind: Rule
@@ -100,9 +188,19 @@ spec:
     - match: PathPrefix(`/misc`)
       services:
         - name: s3
+          # Optional, as it is the default value
+          kind: Service
           port: 8443
           # scheme allow to override the scheme for the service. (ex: https or h2c)
           scheme: https
+    - match: PathPrefix(`/lb`)
+      services:
+        - name: wrr1
+          kind: TraefikService
+    - match: PathPrefix(`/mirrored`)
+      services:
+        - name: mirror1
+          kind: TraefikService
   # use an empty tls object for TLS with Let's Encrypt
   tls:
     secretName: supersecret

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -12,105 +12,107 @@
 "traefik.http.middlewares.middleware03.chain.middlewares": "foobar, foobar",
 "traefik.http.middlewares.middleware04.circuitbreaker.expression": "foobar",
 "traefik.http.middlewares.middleware05.compress": "true",
-"traefik.http.middlewares.middleware06.digestauth.headerfield": "foobar",
+"traefik.http.middlewares.middleware05.compress.excludedcontenttypes": "foobar, foobar",
-"traefik.http.middlewares.middleware06.digestauth.realm": "foobar",
+"traefik.http.middlewares.middleware06.contenttype.autodetect": "true",
-"traefik.http.middlewares.middleware06.digestauth.removeheader": "true",
+"traefik.http.middlewares.middleware07.digestauth.headerfield": "foobar",
-"traefik.http.middlewares.middleware06.digestauth.users": "foobar, foobar",
+"traefik.http.middlewares.middleware07.digestauth.realm": "foobar",
-"traefik.http.middlewares.middleware06.digestauth.usersfile": "foobar",
+"traefik.http.middlewares.middleware07.digestauth.removeheader": "true",
-"traefik.http.middlewares.middleware07.errors.query": "foobar",
+"traefik.http.middlewares.middleware07.digestauth.users": "foobar, foobar",
-"traefik.http.middlewares.middleware07.errors.service": "foobar",
+"traefik.http.middlewares.middleware07.digestauth.usersfile": "foobar",
-"traefik.http.middlewares.middleware07.errors.status": "foobar, foobar",
+"traefik.http.middlewares.middleware08.errors.query": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.address": "foobar",
+"traefik.http.middlewares.middleware08.errors.service": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.authresponseheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware08.errors.status": "foobar, foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.ca": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.address": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.caoptional": "true",
+"traefik.http.middlewares.middleware09.forwardauth.authresponseheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.cert": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.tls.ca": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify": "true",
+"traefik.http.middlewares.middleware09.forwardauth.tls.caoptional": "true",
-"traefik.http.middlewares.middleware08.forwardauth.tls.key": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.tls.cert": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.trustforwardheader": "true",
+"traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify": "true",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials": "true",
+"traefik.http.middlewares.middleware09.forwardauth.tls.key": "foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware09.forwardauth.trustforwardheader": "true",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowcredentials": "true",
-"traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin": "foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolmaxage": "42",
+"traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin": "foobar",
-"traefik.http.middlewares.middleware09.headers.addvaryheader": "true",
+"traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.allowedhosts": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolmaxage": "42",
-"traefik.http.middlewares.middleware09.headers.browserxssfilter": "true",
+"traefik.http.middlewares.middleware10.headers.addvaryheader": "true",
-"traefik.http.middlewares.middleware09.headers.contentsecuritypolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.allowedhosts": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.contenttypenosniff": "true",
+"traefik.http.middlewares.middleware10.headers.browserxssfilter": "true",
-"traefik.http.middlewares.middleware09.headers.custombrowserxssvalue": "foobar",
+"traefik.http.middlewares.middleware10.headers.contentsecuritypolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.customframeoptionsvalue": "foobar",
+"traefik.http.middlewares.middleware10.headers.contenttypenosniff": "true",
-"traefik.http.middlewares.middleware09.headers.customrequestheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.custombrowserxssvalue": "foobar",
-"traefik.http.middlewares.middleware09.headers.customrequestheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.customframeoptionsvalue": "foobar",
-"traefik.http.middlewares.middleware09.headers.customresponseheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.customrequestheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.customresponseheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.customrequestheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.featurepolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.customresponseheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.forcestsheader": "true",
+"traefik.http.middlewares.middleware10.headers.customresponseheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.framedeny": "true",
+"traefik.http.middlewares.middleware10.headers.featurepolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.hostsproxyheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.forcestsheader": "true",
-"traefik.http.middlewares.middleware09.headers.isdevelopment": "true",
+"traefik.http.middlewares.middleware10.headers.framedeny": "true",
-"traefik.http.middlewares.middleware09.headers.publickey": "foobar",
+"traefik.http.middlewares.middleware10.headers.hostsproxyheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.referrerpolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.isdevelopment": "true",
-"traefik.http.middlewares.middleware09.headers.sslforcehost": "true",
+"traefik.http.middlewares.middleware10.headers.publickey": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslhost": "foobar",
+"traefik.http.middlewares.middleware10.headers.referrerpolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.sslforcehost": "true",
-"traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.sslhost": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslredirect": "true",
+"traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.ssltemporaryredirect": "true",
+"traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.stsincludesubdomains": "true",
+"traefik.http.middlewares.middleware10.headers.sslredirect": "true",
-"traefik.http.middlewares.middleware09.headers.stspreload": "true",
+"traefik.http.middlewares.middleware10.headers.ssltemporaryredirect": "true",
-"traefik.http.middlewares.middleware09.headers.stsseconds": "42",
+"traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
-"traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware10.headers.stspreload": "true",
-"traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.stsseconds": "42",
-"traefik.http.middlewares.middleware10.ipwhitelist.sourcerange": "foobar, foobar",
+"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware11.inflightreq.amount": "42",
+"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware11.ipwhitelist.sourcerange": "foobar, foobar",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware12.inflightreq.amount": "42",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requestheadername": "foobar",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requesthost": "true",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname": "true",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requestheadername": "foobar",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country": "true",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requesthost": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.commonname": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.country": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.domaincomponent": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.locality": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.organization": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.province": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.serialnumber": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.sans": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.notafter": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.notbefore": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.sans": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.commonname": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.country": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.pem": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province": "true",
-"traefik.http.middlewares.middleware13.ratelimit.average": "42",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber": "true",
-"traefik.http.middlewares.middleware13.ratelimit.burst": "42",
+"traefik.http.middlewares.middleware13.passtlsclientcert.pem": "true",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware14.ratelimit.average": "42",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware14.ratelimit.burst": "42",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requestheadername": "foobar",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requesthost": "true",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware14.redirectregex.permanent": "true",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requestheadername": "foobar",
-"traefik.http.middlewares.middleware14.redirectregex.regex": "foobar",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requesthost": "true",
-"traefik.http.middlewares.middleware14.redirectregex.replacement": "foobar",
+"traefik.http.middlewares.middleware15.redirectregex.permanent": "true",
-"traefik.http.middlewares.middleware15.redirectscheme.permanent": "true",
+"traefik.http.middlewares.middleware15.redirectregex.regex": "foobar",
-"traefik.http.middlewares.middleware15.redirectscheme.port": "foobar",
+"traefik.http.middlewares.middleware15.redirectregex.replacement": "foobar",
-"traefik.http.middlewares.middleware15.redirectscheme.scheme": "foobar",
+"traefik.http.middlewares.middleware16.redirectscheme.permanent": "true",
-"traefik.http.middlewares.middleware16.replacepath.path": "foobar",
+"traefik.http.middlewares.middleware16.redirectscheme.port": "foobar",
-"traefik.http.middlewares.middleware17.replacepathregex.regex": "foobar",
+"traefik.http.middlewares.middleware16.redirectscheme.scheme": "foobar",
-"traefik.http.middlewares.middleware17.replacepathregex.replacement": "foobar",
+"traefik.http.middlewares.middleware17.replacepath.path": "foobar",
-"traefik.http.middlewares.middleware18.retry.attempts": "42",
+"traefik.http.middlewares.middleware18.replacepathregex.regex": "foobar",
-"traefik.http.middlewares.middleware19.stripprefix.prefixes": "foobar, foobar",
+"traefik.http.middlewares.middleware18.replacepathregex.replacement": "foobar",
-"traefik.http.middlewares.middleware20.stripprefixregex.regex": "foobar, foobar",
+"traefik.http.middlewares.middleware19.retry.attempts": "42",
+"traefik.http.middlewares.middleware20.stripprefix.forceslash": "true",
+"traefik.http.middlewares.middleware20.stripprefix.prefixes": "foobar, foobar",
+"traefik.http.middlewares.middleware21.stripprefixregex.regex": "foobar, foobar",
 "traefik.http.routers.router0.entrypoints": "foobar, foobar",
 "traefik.http.routers.router0.middlewares": "foobar, foobar",
 "traefik.http.routers.router0.priority": "42",
 "traefik.http.routers.router0.rule": "foobar",
 "traefik.http.routers.router0.service": "foobar",
-"traefik.http.routers.router0.tls": "true",
 "traefik.http.routers.router0.tls.certresolver": "foobar",
 "traefik.http.routers.router0.tls.domains[0].main": "foobar",
 "traefik.http.routers.router0.tls.domains[0].sans": "foobar, foobar",
@@ -122,49 +124,30 @@
 "traefik.http.routers.router1.priority": "42",
 "traefik.http.routers.router1.rule": "foobar",
 "traefik.http.routers.router1.service": "foobar",
-"traefik.http.routers.router1.tls": "true",
 "traefik.http.routers.router1.tls.certresolver": "foobar",
 "traefik.http.routers.router1.tls.domains[0].main": "foobar",
 "traefik.http.routers.router1.tls.domains[0].sans": "foobar, foobar",
 "traefik.http.routers.router1.tls.domains[1].main": "foobar",
 "traefik.http.routers.router1.tls.domains[1].sans": "foobar, foobar",
 "traefik.http.routers.router1.tls.options": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.headers.name0": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.headers.name0": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.headers.name1": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.headers.name1": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.hostname": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.hostname": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.interval": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.interval": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.path": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.path": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.port": "42",
+"traefik.http.services.service01.loadbalancer.healthcheck.port": "42",
-"traefik.http.services.service0.loadbalancer.healthcheck.scheme": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.scheme": "foobar",
-"traefik.http.services.service0.loadbalancer.healthcheck.timeout": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.timeout": "foobar",
-"traefik.http.services.service0.loadbalancer.passhostheader": "true",
+"traefik.http.services.service01.loadbalancer.passhostheader": "true",
-"traefik.http.services.service0.loadbalancer.responseforwarding.flushinterval": "foobar",
+"traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval": "foobar",
-"traefik.http.services.service0.loadbalancer.sticky": "true",
+"traefik.http.services.service01.loadbalancer.sticky.cookie.httponly": "true",
-"traefik.http.services.service0.loadbalancer.sticky.cookie.httponly": "true",
+"traefik.http.services.service01.loadbalancer.sticky.cookie.name": "foobar",
-"traefik.http.services.service0.loadbalancer.sticky.cookie.name": "foobar",
+"traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
-"traefik.http.services.service0.loadbalancer.sticky.cookie.secure": "true",
+"traefik.http.services.service01.loadbalancer.server.port": "foobar",
-"traefik.http.services.service0.loadbalancer.server.port": "foobar",
+"traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
-"traefik.http.services.service0.loadbalancer.server.scheme": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.headers.name0": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.headers.name1": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.hostname": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.interval": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.path": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.port": "42",
-"traefik.http.services.service1.loadbalancer.healthcheck.scheme": "foobar",
-"traefik.http.services.service1.loadbalancer.healthcheck.timeout": "foobar",
-"traefik.http.services.service1.loadbalancer.passhostheader": "true",
-"traefik.http.services.service1.loadbalancer.responseforwarding.flushinterval": "foobar",
-"traefik.http.services.service1.loadbalancer.sticky": "true",
-"traefik.http.services.service1.loadbalancer.sticky.cookie.httponly": "true",
-"traefik.http.services.service1.loadbalancer.sticky.cookie.name": "foobar",
-"traefik.http.services.service1.loadbalancer.sticky.cookie.secure": "true",
-"traefik.http.services.service1.loadbalancer.server.port": "foobar",
-"traefik.http.services.service1.loadbalancer.server.scheme": "foobar",
 "traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter0.rule": "foobar",
 "traefik.tcp.routers.tcprouter0.service": "foobar",
-"traefik.tcp.routers.tcprouter0.tls": "true",
 "traefik.tcp.routers.tcprouter0.tls.certresolver": "foobar",
 "traefik.tcp.routers.tcprouter0.tls.domains[0].main": "foobar",
 "traefik.tcp.routers.tcprouter0.tls.domains[0].sans": "foobar, foobar",
@@ -175,7 +158,6 @@
 "traefik.tcp.routers.tcprouter1.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter1.rule": "foobar",
 "traefik.tcp.routers.tcprouter1.service": "foobar",
-"traefik.tcp.routers.tcprouter1.tls": "true",
 "traefik.tcp.routers.tcprouter1.tls.certresolver": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.domains[0].main": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.domains[0].sans": "foobar, foobar",
@@ -183,7 +165,5 @@
 "traefik.tcp.routers.tcprouter1.tls.domains[1].sans": "foobar, foobar",
 "traefik.tcp.routers.tcprouter1.tls.options": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.passthrough": "true",
-"traefik.tcp.services.tcpservice0.loadbalancer.server.port": "foobar",
+"traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay": "42",
-"traefik.tcp.services.tcpservice0.loadbalancer.terminationDelay": "100",
+"traefik.tcp.services.tcpservice01.loadbalancer.server.port": "foobar",
-"traefik.tcp.services.tcpservice1.loadbalancer.server.port": "foobar"
-"traefik.tcp.services.tcpservice1.loadbalancer.terminationDelay": "100",

docs/content/reference/static-configuration/cli-ref.md

@@ -213,6 +213,9 @@ Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000
 `--metrics.prometheus.entrypoint`:  
 EntryPoint (Default: ```traefik```)
 
+`--metrics.prometheus.manualrouting`:  
+Manual routing (Default: ```false```)
+
 `--metrics.statsd`:  
 StatsD metrics exporter type. (Default: ```false```)
 
@@ -225,6 +228,9 @@ StatsD address. (Default: ```localhost:8125```)
 `--metrics.statsd.addserviceslabels`:  
 Enable metrics on services. (Default: ```true```)
 
+`--metrics.statsd.prefix`:  
+Prefix to use for metrics collection. (Default: ```traefik```)
+
 `--metrics.statsd.pushinterval`:  
 StatsD push interval. (Default: ```10```)
 
@@ -234,6 +240,69 @@ Enable ping. (Default: ```false```)
 `--ping.entrypoint`:  
 EntryPoint (Default: ```traefik```)
 
+`--ping.manualrouting`:  
+Manual routing (Default: ```false```)
+
+`--providers.consulcatalog.cache`:  
+Use local agent caching for catalog reads. (Default: ```false```)
+
+`--providers.consulcatalog.constraints`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`--providers.consulcatalog.defaultrule`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`--providers.consulcatalog.endpoint.address`:  
+The address of the Consul server (Default: ```http://127.0.0.1:8500```)
+
+`--providers.consulcatalog.endpoint.datacenter`:  
+Data center to use. If not provided, the default agent data center is used
+
+`--providers.consulcatalog.endpoint.endpointwaittime`:  
+WaitTime limits how long a Watch will block. If not provided, the agent default values will be used (Default: ```0```)
+
+`--providers.consulcatalog.endpoint.httpauth.password`:  
+Basic Auth password
+
+`--providers.consulcatalog.endpoint.httpauth.username`:  
+Basic Auth username
+
+`--providers.consulcatalog.endpoint.scheme`:  
+The URI scheme for the Consul server
+
+`--providers.consulcatalog.endpoint.tls.ca`:  
+TLS CA
+
+`--providers.consulcatalog.endpoint.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.consulcatalog.endpoint.tls.cert`:  
+TLS cert
+
+`--providers.consulcatalog.endpoint.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.consulcatalog.endpoint.tls.key`:  
+TLS key
+
+`--providers.consulcatalog.endpoint.token`:  
+Token is used to provide a per-request ACL token which overrides the agent's default token
+
+`--providers.consulcatalog.exposedbydefault`:  
+Expose containers by default. (Default: ```true```)
+
+`--providers.consulcatalog.prefix`:  
+Prefix for consul service tags. Default 'traefik' (Default: ```traefik```)
+
+`--providers.consulcatalog.refreshinterval`:  
+Interval for check Consul API. Default 100ms (Default: ```15```)
+
+`--providers.consulcatalog.requireconsistent`:  
+Forces the read to be fully consistent. (Default: ```false```)
+
+`--providers.consulcatalog.stale`:  
+Use stale consistency for catalog reads. (Default: ```false```)
+
 `--providers.docker`:  
 Enable Docker backend with default settings. (Default: ```false```)
 
@@ -277,7 +346,7 @@ TLS key
 Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
 
 `--providers.docker.watch`:  
-Watch provider. (Default: ```true```)
+Watch Docker Swarm events. (Default: ```true```)
 
 `--providers.file.debugloggeneratedtemplate`:  
 Enable debug logging of generated configuration template. (Default: ```false```)
@@ -511,7 +580,7 @@ Specifies the header name prefix that will be used to store baggage items in a m
 Key:Value tag to be set on all the spans.
 
 `--tracing.haystack.localagenthost`:  
-Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+Set haystack-agent's host that the reporter will used. (Default: ```127.0.0.1```)
 
 `--tracing.haystack.localagentport`:  
 Set haystack-agent's port that the reporter will used. (Default: ```35000```)

docs/content/reference/static-configuration/env-ref.md

@@ -213,6 +213,9 @@ Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000
 `TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:  
 EntryPoint (Default: ```traefik```)
 
+`TRAEFIK_METRICS_PROMETHEUS_MANUALROUTING`:  
+Manual routing (Default: ```false```)
+
 `TRAEFIK_METRICS_STATSD`:  
 StatsD metrics exporter type. (Default: ```false```)
 
@@ -225,6 +228,9 @@ StatsD address. (Default: ```localhost:8125```)
 `TRAEFIK_METRICS_STATSD_ADDSERVICESLABELS`:  
 Enable metrics on services. (Default: ```true```)
 
+`TRAEFIK_METRICS_STATSD_PREFIX`:  
+Prefix to use for metrics collection. (Default: ```traefik```)
+
 `TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
 StatsD push interval. (Default: ```10```)
 
@@ -234,6 +240,69 @@ Enable ping. (Default: ```false```)
 `TRAEFIK_PING_ENTRYPOINT`:  
 EntryPoint (Default: ```traefik```)
 
+`TRAEFIK_PING_MANUALROUTING`:  
+Manual routing (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_CACHE`:  
+Use local agent caching for catalog reads. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_CONSTRAINTS`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_DEFAULTRULE`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_ADDRESS`:  
+The address of the Consul server (Default: ```http://127.0.0.1:8500```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_DATACENTER`:  
+Data center to use. If not provided, the default agent data center is used
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_ENDPOINTWAITTIME`:  
+WaitTime limits how long a Watch will block. If not provided, the agent default values will be used (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_HTTPAUTH_PASSWORD`:  
+Basic Auth password
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_HTTPAUTH_USERNAME`:  
+Basic Auth username
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_SCHEME`:  
+The URI scheme for the Consul server
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TOKEN`:  
+Token is used to provide a per-request ACL token which overrides the agent's default token
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_EXPOSEDBYDEFAULT`:  
+Expose containers by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_PREFIX`:  
+Prefix for consul service tags. Default 'traefik' (Default: ```traefik```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_REFRESHINTERVAL`:  
+Interval for check Consul API. Default 100ms (Default: ```15```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_REQUIRECONSISTENT`:  
+Forces the read to be fully consistent. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_STALE`:  
+Use stale consistency for catalog reads. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_DOCKER`:  
 Enable Docker backend with default settings. (Default: ```false```)
 
@@ -277,7 +346,7 @@ TLS key
 Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
 
 `TRAEFIK_PROVIDERS_DOCKER_WATCH`:  
-Watch provider. (Default: ```true```)
+Watch Docker Swarm events. (Default: ```true```)
 
 `TRAEFIK_PROVIDERS_FILE_DEBUGLOGGENERATEDTEMPLATE`:  
 Enable debug logging of generated configuration template. (Default: ```false```)
@@ -511,7 +580,7 @@ Specifies the header name prefix that will be used to store baggage items in a m
 Key:Value tag to be set on all the spans.
 
 `TRAEFIK_TRACING_HAYSTACK_LOCALAGENTHOST`:  
-Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+Set haystack-agent's host that the reporter will used. (Default: ```127.0.0.1```)
 
 `TRAEFIK_TRACING_HAYSTACK_LOCALAGENTPORT`:  
 Set haystack-agent's port that the reporter will used. (Default: ```35000```)

docs/content/reference/static-configuration/file.toml

@@ -96,7 +96,7 @@
     namespaces = ["foobar", "foobar"]
     labelSelector = "foobar"
     ingressClass = "foobar"
-    throttleDuration = "10s"
+    throttleDuration = 42
   [providers.rest]
     insecure = true
   [providers.rancher]
@@ -108,6 +108,30 @@
     refreshSeconds = 42
     intervalPoll = true
     prefix = "foobar"
+  [providers.consulCatalog]
+    constraints = "foobar"
+    prefix = "foobar"
+    refreshInterval = 42
+    requireConsistent = true
+    stale = true
+    cache = true
+    exposedByDefault = true
+    defaultRule = "foobar"
+    [providers.consulCatalog.endpoint]
+      address = "foobar"
+      scheme = "foobar"
+      datacenter = "foobar"
+      token = "foobar"
+      endpointWaitTime = 42
+      [providers.consulCatalog.endpoint.tls]
+        ca = "foobar"
+        caOptional = true
+        cert = "foobar"
+        key = "foobar"
+        insecureSkipVerify = true
+      [providers.consulCatalog.endpoint.httpAuth]
+        username = "foobar"
+        password = "foobar"
 
 [api]
   insecure = true
@@ -120,20 +144,22 @@
     addEntryPointsLabels = true
     addServicesLabels = true
     entryPoint = "foobar"
+    manualRouting = true
   [metrics.datadog]
     address = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     addEntryPointsLabels = true
     addServicesLabels = true
   [metrics.statsD]
     address = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     addEntryPointsLabels = true
     addServicesLabels = true
+    prefix = "foobar"
   [metrics.influxDB]
     address = "foobar"
     protocol = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     database = "foobar"
     retentionPolicy = "foobar"
     username = "foobar"
@@ -143,6 +169,7 @@
 
 [ping]
   entryPoint = "foobar"
+  manualRouting = true
 
 [log]
   level = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -88,7 +88,7 @@ providers:
     - foobar
     labelSelector: foobar
     ingressClass: foobar
-    throttleDuration: 10s
+      throttleDuration: 42s
     ingressEndpoint:
       ip: foobar
       hostname: foobar
@@ -115,6 +115,30 @@ providers:
     refreshSeconds: 42
     intervalPoll: true
     prefix: foobar
+  consulCatalog:
+    constraints: foobar
+    prefix: foobar
+    refreshInterval: 42s
+    requireConsistent: true
+    stale: true
+    cache: true
+    exposedByDefault: true
+    defaultRule: foobar
+    endpoint:
+      address: foobar
+      scheme: foobar
+      datacenter: foobar
+      token: foobar
+      endpointWaitTime: 42s
+      tls:
+        ca: foobar
+        caOptional: true
+        cert: foobar
+        key: foobar
+        insecureSkipVerify: true
+      httpAuth:
+        username: foobar
+        password: foobar
 api:
   insecure: true
   dashboard: true
@@ -127,6 +151,7 @@ metrics:
     addEntryPointsLabels: true
     addServicesLabels: true
     entryPoint: foobar
+    manualRouting: true
   datadog:
     address: foobar
     pushInterval: 42
@@ -137,6 +162,7 @@ metrics:
     pushInterval: 42
     addEntryPointsLabels: true
     addServicesLabels: true
+    prefix: foobar
   influxDB:
     address: foobar
     protocol: foobar
@@ -149,6 +175,7 @@ metrics:
     addServicesLabels: true
 ping:
   entryPoint: foobar
+  manualRouting: true
 log:
   level: foobar
   filePath: foobar

docs/content/routing/entrypoints.md

@@ -41,7 +41,7 @@ They define the port which will receive the requests (whether HTTP or TCP).
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     ```
     
@@ -51,18 +51,18 @@ They define the port which will receive the requests (whether HTTP or TCP).
       web:
         address: ":80"
      
-      web-secure:
+      websecure:
         address: ":443"
     ```
     
     ```bash tab="CLI"
     ## Static configuration
     --entryPoints.web.address=:80
-    --entryPoints.web-secure.address=:443
+    --entryPoints.websecure.address=:443
     ```
 
-    - Two entrypoints are defined: one called `web`, and the other called `web-secure`.
+    - Two entrypoints are defined: one called `web`, and the other called `websecure`.
-    - `web` listens on port `80`, and `web-secure` on port `443`. 
+    - `web` listens on port `80`, and `websecure` on port `443`. 
 
 ## Configuration
 
@@ -128,9 +128,9 @@ You can define them using a toml file, CLI arguments, or a key-value store.
     --entryPoints.name.transport.respondingTimeouts.writeTimeout=42
     --entryPoints.name.transport.respondingTimeouts.idleTimeout=42
     --entryPoints.name.proxyProtocol.insecure=true
-    --entryPoints.name.proxyProtocol.trustedIPs="127.0.0.1,192.168.0.1"
+    --entryPoints.name.proxyProtocol.trustedIPs=127.0.0.1,192.168.0.1
     --entryPoints.name.forwardedHeaders.insecure=true
-    --entryPoints.name.forwardedHeaders.trustedIPs="127.0.0.1,192.168.0.1"
+    --entryPoints.name.forwardedHeaders.trustedIPs=127.0.0.1,192.168.0.1
     ```
 
 ### Forwarded Header