Prepare release v2.3.0

Co-authored-by: jbdoumenjou <jb.doumenjou@gmail.com>

.dockerignore

@@ -1,3 +1,5 @@
 dist/
 !dist/traefik
 site/
+vendor/
+.idea/

.github/CODEOWNERS

@@ -1,24 +0,0 @@
-provider/kubernetes/**  @containous/kubernetes
-provider/rancher/**     @containous/rancher
-provider/marathon/**    @containous/marathon
-provider/docker/**      @containous/docker
-
-docs/user-guide/kubernetes.md       @containous/kubernetes
-docs/user-guide/marathon.md         @containous/marathon
-docs/user-guide/swarm.md            @containous/docker
-docs/user-guide/swarm-mode.md       @containous/docker
-
-docs/configuration/backends/docker.md       @containous/docker
-docs/configuration/backends/kubernetes.md   @containous/kubernetes
-docs/configuration/backends/marathon.md     @containous/marathon
-docs/configuration/backends/rancher.md      @containous/rancher
-
-examples/k8s/                   @containous/kubernetes
-examples/compose-k8s.yaml       @containous/kubernetes
-examples/k8s.namespace.yaml     @containous/kubernetes
-examples/compose-rancher.yml    @containous/rancher
-examples/compose-marathon.yml   @containous/marathon
-
-vendor/github.com/gambol99/go-marathon  @containous/marathon
-vendor/github.com/rancher               @containous/rancher
-vendor/k8s.io/                          @containous/kubernetes

.github/ISSUE_TEMPLATE.md

@@ -17,7 +17,7 @@ Bug
 <!--
 
 The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
 
 -->
 

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -22,7 +22,7 @@ Bug
 <!--
 
 The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
 
 -->
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,17 +3,17 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.1
+- for Traefik v2: use branch v2.2
 
 Bug fixes:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.1
+- for Traefik v2: use branch v2.2
 
 Enhancements:
 - for Traefik v1: we only accept bug fixes
 - for Traefik v2: use branch master
 
-HOW TO WRITE A GOOD PULL REQUEST? https://docs.traefik.io/contributing/submitting-pull-requests/
+HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
 
 -->
 

.gitignore

@@ -16,3 +16,4 @@
 *.exe
 cover.out
 vendor/
+plugins-storage/

.golangci.toml

@@ -47,7 +47,14 @@
     "gocognit",
     "bodyclose", # Too many false-positive and panics.
     "wsl", # Too strict
+    "gomnd", # Too strict
     "stylecheck", # skip because report issues related to some generated files.
+    "testpackage", # Too strict
+    "goerr113", # Too strict
+    "nestif", # Too many false-positive.
+    "noctx", # Too strict
+    "exhaustive", # Too strict
+    "nlreturn", # Too strict
   ]
 
 [issues]
@@ -61,7 +68,7 @@
   ]
  [[issues.exclude-rules]]
     path = "(.+)_test.go"
-    linters = ["goconst", "funlen"]
+    linters = ["goconst", "funlen", "godot"]
  [[issues.exclude-rules]]
     path = "integration/.+_test.go"
     text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
@@ -92,6 +99,18 @@
  [[issues.exclude-rules]]
     path = "cmd/configuration.go"
     text = "string `traefik` has (\\d) occurrences, make it a constant"
+ [[issues.exclude-rules]]
+    path = "pkg/server/middleware/middlewares.go"
+    text = "Function 'buildConstructor' has too many statements"
  [[issues.exclude-rules]] # FIXME must be fixed
     path = "cmd/context.go"
     text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/haystack/logger.go"
+    linters = ["goprintffuncname"]
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/tracing.go"
+    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
+ [[issues.exclude-rules]]
+    path = "pkg/log/deprecated.go"
+    linters = ["godot"]

.goreleaser.yml

@@ -7,11 +7,11 @@ before:
 builds:
   - binary: traefik
 
-    main: ./cmd/traefik/traefik.go
+    main: ./cmd/traefik/
     env:
       - CGO_ENABLED=0
     ldflags:
-      - -s -w -X github.com/containous/traefik/v2/pkg/version.Version={{.Version}} -X github.com/containous/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/containous/traefik/v2/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
 
     goos:
       - linux
@@ -34,8 +34,10 @@ builds:
         goarch: 386
       - goos: openbsd
         goarch: arm
+      - goos: openbsd
+        goarch: arm64
       - goos: freebsd
-        goarch: arm
+        goarch: arm64
 
 changelog:
   skip: true

.semaphoreci/setup.sh

@@ -1,6 +1,6 @@
 # For personnal CI
-# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/containous/
-# cd /home/runner/workspace/src/github.com/containous/traefik/
+# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/traefik/
+# cd /home/runner/workspace/src/github.com/traefik/traefik/
 for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
 sudo swapoff -a
 sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
@@ -10,7 +10,7 @@ sudo rm -rf /home/runner/.rbenv
 sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
 #export DOCKER_VERSION=18.06.3
 source .semaphoreci/vars
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
+if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/traefik/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
 echo ${SHOULD_TEST}
 if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
 echo ${TEMP_STORAGE}
@@ -18,9 +18,9 @@ echo ${SHOULD_TEST}
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
 if [ -n "$SHOULD_TEST" ]; then docker version; fi
-export GO_VERSION=1.12
+export GO_VERSION=1.13
 if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-#if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
+#if [ "${GO_VERSION}" == '1.15' ]; then export GO_VERSION=1.15rc2; fi
 echo "Selected Go version: ${GO_VERSION}"
 
 if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi

.semaphoreci/vars

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -e
 
-export REPO='containous/traefik'
+export REPO='traefik/traefik'
 
 if VERSION=$(git describe --exact-match --abbrev=0 --tags);
 then
@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=cantal
+export CODENAME=picodon
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -11,7 +11,7 @@ env:
   global:
     - REPO=$TRAVIS_REPO_SLUG
     - VERSION=$TRAVIS_TAG
-    - CODENAME=cantal
+    - CODENAME=picodon
     - GO111MODULE=on
 
 script:
@@ -29,8 +29,9 @@ before_deploy:
       if [ "$TRAVIS_TAG" ]; then
         make release-packages;
       fi;
-      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
-      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
+      curl -sfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
+      curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b "${GOPATH}/bin" ${MIXTUS_VERSION}
+      structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
     fi
 
 deploy:
@@ -40,19 +41,17 @@ deploy:
     skip_cleanup: true
     file_glob: true
     on:
-      repo: containous/traefik
+      repo: traefik/traefik
       tags: true
   - provider: script
     script: sh script/deploy.sh
     skip_cleanup: true
     on:
-      repo: containous/traefik
+      repo: traefik/traefik
       tags: true
-  - provider: pages
-    edge: false
-    github_token: ${GITHUB_TOKEN}
-    local_dir: site
+  - provider: script
+    script: mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
     skip_cleanup: true
     on:
-      repo: containous/traefik
-      all_branches: true
+      repo: traefik/traefik
+      all_branches: true

CONTRIBUTING.md

@@ -1,4 +1,4 @@
 # Contributing
 
-- https://docs.traefik.io/contributing/submitting-pull-requests/
-- https://docs.traefik.io/contributing/submitting-issues/
+- https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
+- https://doc.traefik.io/traefik/contributing/submitting-issues/

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020 Traefik Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -13,7 +13,7 @@ GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/nul
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 
 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
+TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")
 
 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
@@ -29,13 +29,16 @@ TRAEFIK_ENVS := \
 	-e CI \
 	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.
 
-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
-DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
-DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
+DOCKER_NON_INTERACTIVE ?= false
+DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
 
 PRE_TARGET ?= build-dev-image
 
+PLATFORM_URL := $(if $(PLATFORM_URL),$(PLATFORM_URL),"https://pilot.traefik.io")
+
 default: binary
 
 ## Build Dev Docker image
@@ -52,7 +55,7 @@ dist:
 
 ## Build WebUI Docker image
 build-webui-image:
-	docker build -t traefik-webui -f webui/Dockerfile webui
+	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui
 
 ## Generate WebUI
 generate-webui: build-webui-image

README.md

@@ -4,10 +4,10 @@
 </p>
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
+[![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
 [![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
@@ -33,7 +33,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).
 
 ## Overview
 
@@ -69,15 +69,15 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 ## Supported Backends
 
-- [Docker](https://docs.traefik.io/providers/docker/) / [Swarm mode](https://docs.traefik.io/providers/docker/)
-- [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
-- [Marathon](https://docs.traefik.io/providers/marathon/)
-- [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
-- [File](https://docs.traefik.io/providers/file/)
+- [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
+- [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
+- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
+- [File](https://doc.traefik.io/traefik/providers/file/)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](https://docs.traefik.io/getting-started/quick-start/) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://doc.traefik.io/traefik/getting-started/quick-start/) in our documentation (you will need Docker).
 
 ## Web UI
 
@@ -87,9 +87,9 @@ You can access the simple HTML frontend of Traefik.
 
 ## Documentation
 
-You can find the complete documentation of Traefik v2 at [https://docs.traefik.io](https://docs.traefik.io).
+You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
 
-If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/)
+If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).
 
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
@@ -102,13 +102,13 @@ If you need commercial support, please contact [Containo.us](https://containo.us
 
 ## Download
 
-- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):
 
 ```shell
 ./traefik --configFile=traefik.toml
 ```
 
-- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
@@ -117,12 +117,12 @@ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.to
 - Or get the sources:
 
 ```shell
-git clone https://github.com/containous/traefik
+git clone https://github.com/traefik/traefik
 ```
 
 ## Introductory Videos
 
-You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us)
+You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us).
 
 ## Maintainers
 
@@ -138,16 +138,16 @@ By participating in this project, you agree to abide by its terms.
 ## Release Cycle
 
 - We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
-- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0)
-- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only)
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
 
-Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
 
-We use [Semantic Versioning](http://semver.org/)
+We use [Semantic Versioning](https://semver.org/).
 
-## Mailing lists
+## Mailing Lists
 
-- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news)
+- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news).
 - Security announcements: mail at security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
 
 ## Credits
@@ -156,5 +156,5 @@ Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on t
 
 Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
 
-Traefik's logo was inspired by the gopher stickers made by Takuya Ueda (https://twitter.com/tenntenn).
-The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
+Traefik's logo was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
+The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).

build.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.13-alpine
+FROM golang:1.15-alpine
 
 RUN apk --update upgrade \
     && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,19 +19,19 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.20.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.31.0
 
-# Download golangci-lint and misspell binary to bin folder in $GOPATH
-RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell
+# Download misspell binary to bin folder in $GOPATH
+RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
 
 # Download goreleaser binary to bin folder in $GOPATH
 RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
 
-WORKDIR /go/src/github.com/containous/traefik
+WORKDIR /go/src/github.com/traefik/traefik
 
 # Download go modules
 COPY go.mod .
 COPY go.sum .
 RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
 
-COPY . /go/src/github.com/containous/traefik
+COPY . /go/src/github.com/traefik/traefik

cmd/configuration.go

@@ -3,8 +3,8 @@ package cmd
 import (
 	"time"
 
-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/types"
+	ptypes "github.com/traefik/paerser/types"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
@@ -23,7 +23,7 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			},
 			EntryPoints: make(static.EntryPoints),
 			Providers: &static.Providers{
-				ProvidersThrottleDuration: types.Duration(2 * time.Second),
+				ProvidersThrottleDuration: ptypes.Duration(2 * time.Second),
 			},
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,

cmd/context.go

@@ -7,7 +7,7 @@ import (
 	"syscall"
 )
 
-// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified
+// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified.
 func ContextWithSignal(ctx context.Context) context.Context {
 	newCtx, cancel := context.WithCancel(ctx)
 	signals := make(chan os.Signal)

cmd/healthcheck/healthcheck.go

@@ -7,8 +7,8 @@ import (
 	"os"
 	"time"
 
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // NewCmd builds a new HealthCheck command.
@@ -45,7 +45,7 @@ func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
 	}
 }
 
-// Do try to do a healthcheck
+// Do try to do a healthcheck.
 func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 	if staticConfiguration.Ping == nil {
 		return nil, errors.New("please enable `ping` to use health check")
@@ -75,5 +75,5 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 
 	path := "/"
 
-	return client.Head(protocol + "://" + pingEntryPoint.Address + path + "ping")
+	return client.Head(protocol + "://" + pingEntryPoint.GetAddress() + path + "ping")
 }

cmd/traefik/plugins.go

@@ -0,0 +1,40 @@
+package main
+
+import (
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/plugins"
+)
+
+const outputDir = "./plugins-storage/"
+
+func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, *plugins.DevPlugin, error) {
+	if !isPilotEnabled(staticCfg) || !hasPlugins(staticCfg) {
+		return nil, map[string]plugins.Descriptor{}, nil, nil
+	}
+
+	opts := plugins.ClientOptions{
+		Output: outputDir,
+		Token:  staticCfg.Pilot.Token,
+	}
+
+	client, err := plugins.NewClient(opts)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	err = plugins.Setup(client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	return client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin, nil
+}
+
+func isPilotEnabled(staticCfg *static.Configuration) bool {
+	return staticCfg.Pilot != nil && staticCfg.Pilot.Token != ""
+}
+
+func hasPlugins(staticCfg *static.Configuration) bool {
+	return staticCfg.Experimental != nil &&
+		(len(staticCfg.Experimental.Plugins) > 0 || staticCfg.Experimental.DevPlugin != nil)
+}

cmd/traefik/traefik.go

@@ -7,33 +7,38 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"
 
-	"github.com/containous/traefik/v2/autogen/genstatic"
-	"github.com/containous/traefik/v2/cmd"
-	"github.com/containous/traefik/v2/cmd/healthcheck"
-	cmdVersion "github.com/containous/traefik/v2/cmd/version"
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/collector"
-	"github.com/containous/traefik/v2/pkg/config/dynamic"
-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/log"
-	"github.com/containous/traefik/v2/pkg/metrics"
-	"github.com/containous/traefik/v2/pkg/middlewares/accesslog"
-	"github.com/containous/traefik/v2/pkg/provider/acme"
-	"github.com/containous/traefik/v2/pkg/provider/aggregator"
-	"github.com/containous/traefik/v2/pkg/provider/traefik"
-	"github.com/containous/traefik/v2/pkg/safe"
-	"github.com/containous/traefik/v2/pkg/server"
-	"github.com/containous/traefik/v2/pkg/server/middleware"
-	"github.com/containous/traefik/v2/pkg/server/service"
-	traefiktls "github.com/containous/traefik/v2/pkg/tls"
-	"github.com/containous/traefik/v2/pkg/types"
-	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/sirupsen/logrus"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/autogen/genstatic"
+	"github.com/traefik/traefik/v2/cmd"
+	"github.com/traefik/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+	tcli "github.com/traefik/traefik/v2/pkg/cli"
+	"github.com/traefik/traefik/v2/pkg/collector"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/metrics"
+	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v2/pkg/pilot"
+	"github.com/traefik/traefik/v2/pkg/plugins"
+	"github.com/traefik/traefik/v2/pkg/provider/acme"
+	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/server"
+	"github.com/traefik/traefik/v2/pkg/server/middleware"
+	"github.com/traefik/traefik/v2/pkg/server/service"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/types"
+	"github.com/traefik/traefik/v2/pkg/version"
 	"github.com/vulcand/oxy/roundrobin"
 )
 
@@ -41,7 +46,7 @@ func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()
 
-	loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.FlagLoader{}, &cli.EnvLoader{}}
+	loaders := []cli.ResourceLoader{&tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}
 
 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -116,6 +121,12 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	ctx := cmd.ContextWithSignal(context.Background())
 
+	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.DevPlugin != nil {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(ctx, 30*time.Minute)
+		defer cancel()
+	}
+
 	if staticConfiguration.Ping != nil {
 		staticConfiguration.Ping.WithContext(ctx)
 	}
@@ -172,7 +183,12 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
 
-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(*staticConfiguration)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	serverEntryPointsUDP, err := server.NewUDPEntryPoints(staticConfiguration.EntryPoints)
 	if err != nil {
 		return nil, err
 	}
@@ -180,13 +196,58 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	ctx := context.Background()
 	routinesPool := safe.NewPool(ctx)
 
-	metricsRegistry := registerMetricClients(staticConfiguration.Metrics)
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+
+	var aviator *pilot.Pilot
+	if isPilotEnabled(staticConfiguration) {
+		pilotRegistry := metrics.RegisterPilot()
+
+		aviator = pilot.New(staticConfiguration.Pilot.Token, pilotRegistry, routinesPool)
+		routinesPool.GoCtx(func(ctx context.Context) {
+			aviator.Tick(ctx)
+		})
+
+		metricRegistries = append(metricRegistries, pilotRegistry)
+	}
+
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
 	accessLog := setupAccessLog(staticConfiguration.AccessLog)
 	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
 	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
-	tcpRouterFactory := server.NewTCPRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder)
 
-	watcher := server.NewConfigurationWatcher(routinesPool, providerAggregator, time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
+	client, plgs, devPlugin, err := initPlugins(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	pluginBuilder, err := plugins.NewBuilder(client, plgs, devPlugin)
+	if err != nil {
+		return nil, err
+	}
+
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder)
+
+	var defaultEntryPoints []string
+	for name, cfg := range staticConfiguration.EntryPoints {
+		protocol, err := cfg.GetProtocol()
+		if err != nil {
+			// Should never happen because Traefik should not start if protocol is invalid.
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+		}
+
+		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
+			defaultEntryPoints = append(defaultEntryPoints, name)
+		}
+	}
+
+	sort.Strings(defaultEntryPoints)
+
+	watcher := server.NewConfigurationWatcher(
+		routinesPool,
+		providerAggregator,
+		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
+		defaultEntryPoints,
+	)
 
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		ctx := context.Background()
@@ -198,7 +259,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
 	})
 
-	watcher.AddListener(switchRouter(tcpRouterFactory, acmeProviders, serverEntryPointsTCP))
+	watcher.AddListener(switchRouter(routerFactory, acmeProviders, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
 
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
@@ -229,12 +290,15 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	})
 
-	return server.NewServer(routinesPool, serverEntryPointsTCP, watcher, chainBuilder, accessLog), nil
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
 }
 
-func switchRouter(tcpRouterFactory *server.TCPRouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints) func(conf dynamic.Configuration) {
+func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
 	return func(conf dynamic.Configuration) {
-		routers := tcpRouterFactory.CreateTCPRouters(conf)
+		rtConf := runtime.NewConfig(conf)
+
+		routers, udpRouters := routerFactory.CreateRouters(rtConf)
+
 		for entryPointName, rt := range routers {
 			for _, p := range acmeProviders {
 				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
@@ -243,11 +307,17 @@ func switchRouter(tcpRouterFactory *server.TCPRouterFactory, acmeProviders []*ac
 				}
 			}
 		}
+
+		if aviator != nil {
+			aviator.SetRuntimeConfiguration(rtConf)
+		}
+
 		serverEntryPointsTCP.Switch(routers)
+		serverEntryPointsUDP.Switch(udpRouters)
 	}
 }
 
-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration
+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
 	challengeStore := acme.NewLocalChallengeStore()
 	localStores := map[string]*acme.LocalStore{}
@@ -267,23 +337,27 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 			}
 
 			if err := providerAggregator.AddProvider(p); err != nil {
-				log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
+				log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
 				continue
 			}
+
 			p.SetTLSManager(tlsManager)
+
 			if p.TLSChallenge != nil {
 				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
 			}
+
 			p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
 			resolvers = append(resolvers, p)
 		}
 	}
 	return resolvers
 }
 
-func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
+func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
-		return metrics.NewVoidRegistry()
+		return nil
 	}
 
 	var registries []metrics.Registry
@@ -318,7 +392,7 @@ func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
 			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
 	}
 
-	return metrics.NewMultiRegistry(registries)
+	return registries
 }
 
 func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
@@ -372,7 +446,7 @@ func configureLogging(staticConfiguration *static.Configuration) {
 	if len(logFile) > 0 {
 		dir := filepath.Dir(logFile)
 
-		if err := os.MkdirAll(dir, 0755); err != nil {
+		if err := os.MkdirAll(dir, 0o755); err != nil {
 			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
 		}
 
@@ -404,13 +478,13 @@ func stats(staticConfiguration *static.Configuration) {
 		logger.Info(`Stats collection is enabled.`)
 		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
 		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://docs.traefik.io/v2.0/contributing/data-collection/`)
+		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
 		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/v2.0/contributing/data-collection/
+More details on: https://doc.traefik.io/traefik/contributing/data-collection/
 `)
 	}
 }

cmd/version/version.go

@@ -7,8 +7,8 @@ import (
 	"runtime"
 	"text/template"
 
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/version"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/version"
 )
 
 var versionTemplate = `Version:      {{.Version}}
@@ -17,7 +17,7 @@ Go version:   {{.GoVersion}}
 Built:        {{.BuildTime}}
 OS/Arch:      {{.Os}}/{{.Arch}}`
 
-// NewCmd builds a new Version command
+// NewCmd builds a new Version command.
 func NewCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
@@ -33,7 +33,7 @@ func NewCmd() *cli.Command {
 	}
 }
 
-// GetPrint write Printable version
+// GetPrint write Printable version.
 func GetPrint(wr io.Writer) error {
 	tmpl, err := template.New("").Parse(versionTemplate)
 	if err != nil {

contrib/systemd/traefik.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Traefik
-Documentation=https://docs.traefik.io
+Documentation=https://doc.traefik.io/traefik/
 #After=network-online.target
 #AssertFileIsExecutable=/usr/bin/traefik
 #AssertPathExists=/etc/traefik/traefik.toml

docs/content/CNAME

@@ -1 +0,0 @@
-docs.traefik.io

docs/content/assets/styles/content.css

@@ -0,0 +1,70 @@
+.md-container {
+  padding-top: 0;
+}
+
+.md-content h1 {
+  color: var(--dark) !important;
+  font-weight: bold !important;
+}
+
+.md-content a {
+  color: var(--blue) !important;
+}
+
+.md-content a:hover {
+  font-weight: bold !important;
+}
+
+.md-typeset p code,
+.md-typeset .codehilite,
+.md-typeset .highlight {
+  background-color: var(--light-blue) !important;
+}
+
+.md-typeset table:not([class]) th {
+  background: var(--dark) !important;
+  color: white !important;
+}
+
+/* Front page image size */
+img[src$='#small'] {
+  width: 150px;
+}
+img[src$='#medium'] {
+  width: 300px;
+}
+
+/* Center table and objects */
+.center,
+img,
+.md-typeset__table {
+  display: block !important;
+  margin: 0 auto;
+}
+
+.md-typeset table:not([class]) tr td:first-child {
+  text-align: left;
+}
+.md-typeset table:not([class]) th:not([align]),
+.md-typeset table:not([class]) td:not([align]) {
+  text-align: center;
+}
+article p:not([class]),
+article ul:not([class]),
+article ol:not([class]) {
+  padding-left: 0.8em !important;
+}
+
+/* Fix for Chrome */
+.md-typeset__table td code {
+  word-break: unset;
+}
+
+.md-typeset__table tr :nth-child(1) {
+  word-wrap: break-word;
+  max-width: 30em;
+}
+
+p {
+  text-align: justify;
+}

docs/content/assets/styles/extra.css

@@ -1,63 +0,0 @@
-@import url('https://fonts.googleapis.com/css?family=Noto+Sans|Noto+Serif');
-
-.md-logo img {
-    background-color: white;
-    border-radius: 50%;
-    width: 30px;
-    height: 30px;
-}
-
-/* Fix for Chrome */
-.md-typeset__table td code {
-    word-break: unset;
-}
-
-.md-typeset__table tr :nth-child(1) {
-    word-wrap: break-word;
-    max-width: 30em;
-}
-
-body {
-    font-family: 'Noto Sans', sans-serif;
-}
-
-h1 {
-    font-weight: bold !important;
-    color: rgba(0,0,0,.9) !important;
-}
-
-h2 {
-    font-weight: bold !important;
-}
-
-h3 {
-    font-weight: bold !important;
-}
-
-.md-typeset h5 {
-    text-transform: none;
-}
-
-figcaption {
-    text-align: center;
-    font-size: 0.8em;
-    font-style: italic;
-    color: #8D909F;
-}
-
-p.subtitle {
-    color: rgba(0,0,0,.54);
-    padding-top: 0;
-    margin-top: -2em;
-    font-weight: bold;
-    font-size: 1.25em;
-}
-
-.markdown-body .task-list-item {
-    list-style-type: none !important;
-}
-
-.markdown-body .task-list-item input[type="checkbox"] {
-    margin: 0 4px 0.25em -20px;
-    vertical-align: middle;
-}

docs/content/assets/styles/footer.css

@@ -0,0 +1,10 @@
+.md-footer-meta {
+  background-color: var(--dark);
+}
+
+.md-footer-privacy-policy {
+  margin: 0 .6rem;
+  padding: .4rem 0;
+  color: hsla(0,0%,100%,.3);
+  font-size: .64rem;
+}

docs/content/assets/styles/header.css

@@ -0,0 +1,484 @@
+@import url('https://fonts.googleapis.com/css?family=Rubik:300i,400,400i,500,500i,700&display=swap');
+
+.wrapper-1200 {
+  width: 100%;
+  max-width: 61rem;
+  margin: 0 auto;
+  padding: 0 .6rem;
+}
+
+@media (max-width: 700px) {
+  .wrapper-1200 {
+    padding: 0 20px;
+  }
+}
+
+.btn-type-1 {
+  outline: none;
+  border: none;
+  background-color: #1e54d5;
+  line-height: 1em;
+  border-radius: 8px;
+  padding: 12px 15px;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  font-size: 1.25rem;
+  background-image: linear-gradient(to top, rgba(0, 0, 0, 0.28) 1%, #1e54d5 99%);
+  font-weight: 500;
+  text-align: center;
+  color: white;
+  transition: all 0.2s;
+}
+
+.button--secondary {
+  outline: none;
+  border: 2px solid #1e54d5 !important;
+  background: transparent;
+  line-height: 1em;
+  border-radius: 8px;
+  padding: 9px 13px;
+  letter-spacing: 0;
+  font-size: 1.3rem;
+  font-weight: 500;
+  text-align: center;
+  color: #1e54d5;
+  transition: all 0.2s;
+  display: inline-block;
+}
+.button--secondary:hover {
+  color: white !important;
+  background: #1e54d5;
+}
+.button--secondary:focus {
+  color: white !important;
+  background: #1e54d5;
+}
+
+.site-header-and-placeholder-wrapper {
+  position: relative;
+  height: 64px;
+}
+
+.site-header {
+  position: fixed;
+  width: 100%;
+  top: 0;
+  left: 0;
+  transition: height 0.1s;
+  z-index: 100;
+  background: white;
+  box-shadow: 0 0 7px 0 #00000021;
+  border-bottom: 1px solid #e2e2e2;
+  height: 64px;
+  display: flex;
+  align-items: center;
+  font-size: 10px;
+  font-family: 'Rubik', -apple-system, 'BlinkMacSystemFont', 'Segoe UI',
+    'Helvetica Neue', sans-serif;
+  color: #06102a;
+  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
+}
+
+.site-header.scrolled {
+  box-shadow: 0 0 5px 0 #00000028;
+  position: fixed;
+  top: 0;
+  height: 52px;
+}
+.site-header.scrolled .site-header__title a {
+  font-size: 2.2em;
+}
+
+.header-placeholder {
+  background: none;
+  width: 100%;
+  height: 64px;
+  position: absolute;
+}
+.header-placeholder.active {
+  display: block;
+}
+
+.site-header .wrapper-1200 {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+}
+.site-header .wrapper-1200 .left {
+  display: flex;
+  align-items: center;
+  justify-content: flex-start;
+}
+
+.site-header__logo {
+  max-width: 145px;
+}
+
+.site-header__title a {
+  color: #06102a;
+  font-size: 2.2em;
+  font-weight: 500;
+  transition: all 0.2s;
+  text-transform: uppercase;
+  letter-spacing: 0.02em;
+}
+
+/* Navigation */
+.site-header__nav .menu-item-wrapper {
+  display: inline-block;
+  padding-left: 30px;
+}
+.site-header__nav .menu-item {
+  color: #06102a;
+  transition: all 0.05s;
+  font-size: 1.45em;
+  line-height: 1em;
+  font-weight: 500;
+}
+.site-header__nav .menu-item:hover {
+  color: #8a959e;
+}
+.site-header__nav .menu-item--with-icon {
+  display: flex;
+  align-items: center;
+  justify-content: flex-start;
+}
+.site-header__nav .menu-item--with-icon .title {
+  margin-right: 3px;
+}
+.site-header__nav .menu-item--with-icon .icon {
+  width: 20px;
+  height: 20px;
+  transition: all 0.1s;
+}
+.site-header__nav .menu-item--with-icon .icon svg {
+  stroke-width: 2.5 !important;
+  width: 100%;
+  height: 100%;
+}
+.site-header__nav .menu-item-wrapper--dropdown {
+  position: relative;
+}
+.site-header__nav .menu-item-wrapper--dropdown:hover .nav-dropdown-menu {
+  display: block;
+}
+.site-header__nav .nav-dropdown-menu {
+  display: none;
+}
+
+.nav-dropdown-menu {
+  position: absolute;
+  z-index: 500;
+  background: transparent;
+}
+
+.nav-dropdown-menu-wrapper {
+  border-radius: 8px;
+  box-shadow: 0 12px 40px 0 rgba(1, 10, 32, 0.24);
+  background: white;
+  margin: 8px 0;
+  overflow: hidden;
+}
+
+/* Products, Solutions dropdown menu */
+.nav-dropdown-menu--products,
+.nav-dropdown-menu--solutions {
+  width: 500px;
+}
+.nav-dropdown-menu--products .nav-dropdown-menu-wrapper,
+.nav-dropdown-menu--solutions .nav-dropdown-menu-wrapper {
+  padding: 20px;
+}
+.nav-dropdown-menu--products .nav-dropdown-menu-wrapper {
+  height: 430px;
+}
+
+.nav-dropdown-menu--products .dm-header,
+.nav-dropdown-menu--solutions .dm-header {
+  font-size: 1.1em;
+  font-weight: 500;
+  font-stretch: normal;
+  font-style: normal;
+  line-height: normal;
+  letter-spacing: 3.67px;
+  color: #505769;
+  margin-bottom: 20px;
+  text-transform: uppercase;
+}
+.nav-dropdown-menu--products .dm-item,
+.nav-dropdown-menu--solutions .dm-item {
+  border: none;
+  margin: 0 0 24px;
+  color: #06102a;
+  transition: all 0.1s;
+  position: relative;
+  width: 100%;
+}
+.nav-dropdown-menu--products .dm-item:last-child,
+.nav-dropdown-menu--solutions .dm-item:last-child {
+  margin-bottom: 0;
+}
+.nav-dropdown-menu--products .dm-item .dmi-image {
+  width: 104px;
+  height: 72px;
+  position: absolute;
+  /*background: #f4f4f4;*/
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 20px;
+  border-radius: 4px;
+  z-index: 0;
+}
+
+.nav-dropdown-menu--solutions .dm-item .dmi-image {
+  width: 65px;
+  padding: 10px;
+  background: white;
+  height: auto;
+  position: absolute;
+  z-index: 0;
+}
+
+.nav-dropdown-menu--solutions .dm-item .dmi-image img {
+  width: 100%;
+}
+.nav-dropdown-menu--products .dm-item .dmi-details,
+.nav-dropdown-menu--solutions .dm-item .dmi-details {
+  padding: 6px 0 0 127px;
+  width: 100%;
+  background: transparent;
+  display: block;
+  color: #06102a;
+  position: relative;
+  z-index: 1;
+}
+.nav-dropdown-menu--products .dm-item .dmi-details:hover,
+.nav-dropdown-menu--solutions .dm-item .dmi-details:hover {
+  color: #1e54d5;
+}
+.nav-dropdown-menu--products .dm-item .dmi-title,
+.nav-dropdown-menu--solutions .dm-item .dmi-title {
+  font-size: 1.6em;
+  font-weight: 500;
+  margin: 0 0 2px;
+}
+.nav-dropdown-menu--products .dm-item .dmi-description,
+.nav-dropdown-menu--solutions .dm-item .dmi-description {
+  font-size: 1.4em;
+  opacity: 0.7;
+  line-height: 1.6em;
+}
+.nav-dropdown-menu--products .dm-item--traefikee .dmi-image img,
+.nav-dropdown-menu--solutions .dm-item--traefikee .dmi-image img {
+  transform: scale(1.1);
+}
+
+.nav-dropdown-menu--solutions .dm-item .dmi-details {
+  padding: 5px 0 0 80px;
+}
+.nav-dropdown-menu--solutions .dm-item:last-child {
+  margin-bottom: 10px;
+}
+
+/* Dropdown menu: Learn and Company */
+.nav-dropdown-menu--learn {
+  width: 250px;
+}
+.nav-dropdown-menu--company {
+  width: 500px;
+}
+.nav-dropdown-menu--company .nav-dropdown-menu-wrapper {
+  display: grid;
+  grid-template-columns: 50% 50%;
+}
+.nav-dropdown-menu--learn .dm-left,
+.nav-dropdown-menu--company .dm-left {
+  padding: 25px;
+}
+.nav-dropdown-menu--learn .dm-header,
+.nav-dropdown-menu--company .dm-header {
+  font-size: 1.1em;
+  font-weight: 500;
+  font-stretch: normal;
+  font-style: normal;
+  line-height: normal;
+  letter-spacing: 3.67px;
+  color: #505769;
+  margin-bottom: 20px;
+  text-transform: uppercase;
+}
+.nav-dropdown-menu--learn .dm-item,
+.nav-dropdown-menu--company .dm-item {
+  display: block;
+  font-size: 1.6em;
+  font-weight: 500;
+  color: #06102a;
+  margin-bottom: 15px;
+}
+.nav-dropdown-menu--learn .dm-item:last-child,
+.nav-dropdown-menu--company .dm-item:last-child {
+  margin-bottom: 0;
+}
+.nav-dropdown-menu--learn .dm-item:hover,
+.nav-dropdown-menu--company .dm-item:hover {
+  color: #1e54d5;
+}
+
+.dm-preview {
+  background: #edeff4;
+  overflow: hidden;
+  height: 100%;
+  display: flex;
+  flex-direction: column;
+}
+
+.dm-preview__feature-image {
+  overflow: hidden;
+  display: block;
+}
+
+.dm-preview__feature-image img {
+  width: 100%;
+  height: 145px;
+  background: #ffffff no-repeat 50%;
+  object-fit: cover;
+  vertical-align: middle;
+}
+
+.dm-preview__content {
+  padding: 15px;
+  display: flex;
+  justify-content: flex-start;
+  align-items: flex-start;
+  flex-direction: column;
+  flex: 1;
+  position: relative;
+}
+
+.dm-preview__tag {
+  display: block;
+  font-size: 1.2em;
+  color: #db7d11;
+  letter-spacing: 2.5px;
+  font-weight: 500;
+  margin: 0 0;
+  text-transform: uppercase;
+}
+
+.dm-preview__title {
+  font-size: 1.6em;
+  font-weight: 500;
+  line-height: 1.6em;
+  margin: 0;
+  color: #06102a;
+  display: block;
+  flex: 1;
+  position: relative;
+  z-index: 1;
+  padding-bottom: 20px;
+}
+
+.dm-preview .arrow-link {
+  justify-content: flex-start;
+  font-size: 1.4em;
+  position: absolute;
+  bottom: 12px;
+  z-index: 0;
+}
+
+/* Dropdown menu: Company */
+.nav-dropdown-menu--company {
+  width: 450px;
+}
+
+.nav-dropdown-menu--company .dm-right {
+  background: #06102a;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  flex-direction: column;
+  color: white;
+  padding: 20px;
+}
+.nav-dropdown-menu--company .dm-right p {
+  font-size: 1.6em;
+  font-weight: 500;
+  margin: 0 0 15px;
+  text-align: center;
+}
+.nav-dropdown-menu--company .dm-right a {
+  text-transform: uppercase;
+  line-height: 1.5em;
+  padding: 9px 12px;
+  font-size: 1.2em;
+}
+
+/* Demo */
+.site-header__demo-button .button--secondary {
+  font-size: 1.4em;
+  padding: 8px 12px;
+  border-radius: 6px;
+}
+
+/* Drawer */
+.site-header .drawer {
+  display: none;
+}
+
+@media (max-width: 1219px) {
+  .site-header__nav .menu-item-wrapper {
+    padding-left: 20px;
+  }
+}
+@media (max-width: 980px) {
+  .site-header__nav {
+    display: none;
+  }
+
+  .site-header .drawer {
+    display: block;
+  }
+
+  .site-header .right .site-header__demo-button {
+    display: none;
+  }
+
+  html [data-md-color-primary=indigo] .md-nav--primary .md-nav__title--site {
+    background-color: #06102a;
+  }
+
+  html .md-nav--primary .md-nav__title {
+    padding: 64px .8rem .2rem;
+  }
+
+  .md-search__inner {
+    top: 64px;
+    right: 0;
+  }
+}
+
+.md-header .md-search {
+  margin-right: 12.1rem;
+}
+
+.site-header__main {
+  display: flex;
+  align-items: center;
+}
+
+.dmi-image.proxy {
+  background-color: #24a1c1;
+}
+
+.dmi-image.mesh {
+  background-color: #9d0fb0;
+}
+
+.dmi-image.enterprise {
+  background-color: #0060e0;
+}
+
+.dmi-image.pilot {
+  background-color: #db7d11;
+}

docs/content/assets/styles/menu.css

@@ -0,0 +1,101 @@
+.md-nav__link {
+  margin-left: -0.4rem;
+  padding: 0 0.4rem;
+  line-height: 32px;
+  color: var(--dark) !important;
+}
+
+.md-nav__link::after {
+  font-size: 16px;
+  vertical-align: -.25em;
+}
+
+.md-nav__toggle:checked + .md-nav__link,
+.md-nav__link--active,
+.md-nav__link:hover {
+  border-radius: 8px;
+  background-color: var(--light-blue) !important;
+  color: var(--dark) !important;
+  transition: background-color 0.3s ease;
+}
+
+.md-nav__link--active {
+  color: var(--blue) !important;
+  font-weight: bold;
+}
+
+.md-sidebar--primary {
+  background-color: white;
+}
+
+.md-sidebar--secondary .md-nav__title {
+  font-size: 12px;
+  text-transform: uppercase;
+  margin-bottom: 0.4rem;
+  padding: 0;
+}
+
+.md-sidebar--secondary .md-sidebar__scrollwrap {
+  border-radius: 8px;
+  background-color: var(--light-blue) !important;
+}
+
+.md-sidebar--secondary .md-nav__title {
+  padding: 0.8rem 0.4rem 0.8rem;
+}
+
+.md-sidebar--secondary .md-nav__list {
+  padding: 0 0.4rem 0.8rem 1.2rem;
+}
+
+.md-sidebar--secondary .md-sidebar__scrollwrap .md-nav__link {
+  font-weight: 300;
+}
+
+.md-sidebar--secondary
+  .md-sidebar__scrollwrap
+  .md-nav__link[data-md-state='blur'],
+.md-sidebar--secondary .md-sidebar__scrollwrap .md-nav__link:hover {
+  color: var(--blue) !important;
+  font-weight: bold;
+}
+
+.md-sidebar--secondary .md-nav__item {
+  padding: 0 0 0 0.4rem;
+}
+
+.md-sidebar--secondary .md-nav__link {
+  margin-top: 0.225em;
+  padding: 0.1rem 0.2rem;
+}
+
+.md-sidebar--secondary li {
+  list-style-type: disc;
+}
+
+.md-sidebar--secondary .repo_url {
+  padding: 10px 0 14px 0;
+}
+
+
+.md-search__inner {
+  width: inherit;
+  float: inherit;
+}
+
+.md-search__input {
+  margin-bottom: 10px;
+  border-radius: 4px; 
+  background-color: inherit;
+  border: 1px solid rgba(0,0,0,.07);
+}
+
+.md-search__input::placeholder {
+  color: rgba(0,0,0,.07);
+}
+
+@media only screen and (min-width: 60em) {
+  [data-md-toggle=search]:checked~.md-header .md-search__inner {
+    margin-top: 100px;
+  }
+}

docs/content/assets/styles/product-switcher.css

@@ -0,0 +1,24 @@
+.product-switcher {
+  font-size: 10px;
+  font-family: 'Rubik', -apple-system, 'BlinkMacSystemFont', 'Segoe UI',
+    'Helvetica Neue', sans-serif;
+  color: #06102a;
+  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
+}
+
+.product-switcher .menu-item-wrapper {
+  padding-left: 15px;
+}
+
+.product-switcher img {
+  margin-right: 10px;
+}
+
+.product-switcher img.gopher {
+  margin: 0 2px 0 16px;
+}
+
+.product-switcher .nav-dropdown-menu--products .nav-dropdown-menu-wrapper {
+  width: auto;
+  height: auto;
+}

docs/content/assets/styles/root.css

@@ -0,0 +1,10 @@
+:root {
+  --dark: #06102a;
+  --blue: #04B5D1;
+  --light-blue: #E4F7FA;
+
+  --input-bg-color: white;
+  --input-color: black;
+  --input-placeholder-color: #bbb;
+  --input-border-color: #dcdcdc;
+}

docs/content/contributing/advocating.md

@@ -5,6 +5,6 @@ Spread the Love & Tell Us about It
 
 There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.
 
-If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
+If you're talking about Traefik, [let us know](https://blog.traefik.io/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
 
-Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/containous/traefik/wiki/Awesome-Traefik).
+Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/traefik/traefik/wiki/Awesome-Traefik).

docs/content/contributing/building-testing.md

@@ -16,6 +16,8 @@ For changes to its dependencies, the `dep` dependency management tool is require
 Run make with the `binary` target.
 This will create binaries for the Linux platform in the `dist` folder.
 
+In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
+
 ```bash
 $ make binary
 docker build -t traefik-webui -f webui/Dockerfile webui
@@ -28,12 +30,12 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.13-alpine
+Step 1/10 : FROM golang:1.14-alpine
  ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
 Successfully tagged traefik-dev:4475--feature-documentation
-docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
+docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/traefik/traefik/"dist":/go/src/github.com/traefik/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
 ---> Making bundle: generate (in .)
 removed 'autogen/genstatic/gen.go'
 
@@ -60,13 +62,13 @@ PRE_TARGET= make test-unit
 
 Requirements:
 
-- `go` v1.13+
+- `go` v1.14+
 - environment variable `GO111MODULE=on`
-- go-bindata `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
+- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 
 !!! tip "Source Directory"
 
-    It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
+    It is recommended that you clone Traefik into the `~/go/src/github.com/traefik/traefik` directory.
     This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.
 
 !!! note "Environment"
@@ -98,29 +100,31 @@ Requirements:
 #### Build Traefik
 
 Once you've set up your go environment and cloned the source repository, you can build Traefik.
-Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
+
+Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
 
 ```bash
-cd ~/go/src/github.com/containous/traefik
+cd ~/go/src/github.com/traefik/traefik
 
 # Get go-bindata. (Important: the ellipses are required.)
 GO111MODULE=off go get github.com/containous/go-bindata/...
+```
 
-# Let's build
+```bash
+# Generate UI static files
+rm -rf static/ autogen/; make generate-webui
 
-# generate
-# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
+# required to merge non-code components into the final binary,
+# such as the web dashboard/UI
 go generate
+```
 
+```bash
 # Standard go build
 go build ./cmd/traefik
 ```
 
-You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
-
-### Updating the templates
-
-If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
+You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/traefik/traefik` directory.
 
 ## Testing
 
@@ -134,13 +138,13 @@ Run all tests (unit and integration) using the `test` target.
 $ make test-unit
 docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
 # […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/traefik/traefik/dist:/go/src/github.com/traefik/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
 ---> Making bundle: generate (in .)
 removed 'gen.go'
 
 ---> Making bundle: test-unit (in .)
 + go test -cover -coverprofile=cover.out .
-ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
+ok      github.com/traefik/traefik   0.005s  coverage: 4.1% of statements
 
 Test success
 ```
@@ -168,7 +172,7 @@ More: https://labix.org/gocheck
 Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:
 
 ```test
-ok      _/home/user/go/src/github/containous/traefik    0.004s
+ok      _/home/user/go/src/github/traefik/traefik    0.004s
 ```
 
 Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.

docs/content/contributing/data-collection.md

@@ -29,7 +29,7 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
 
 ## Collected Data
 
-This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
+This feature comes from the public proposal [here](https://github.com/traefik/traefik/issues/2369).
 
 In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
@@ -85,11 +85,11 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
     ca = "xxxx"
     cert = "xxxx"
     key = "xxxx"
-    insecureSkipVerify = false
+    insecureSkipVerify = true
 ```
 
 ## The Code for Data Collection
 
-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/pkg/collector/collector.go)
+If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
 
 By default we anonymize all configuration fields, except fields tagged with `export=true`.

docs/content/contributing/documentation.md

@@ -10,7 +10,7 @@ Let's see how.
 
 ### General
 
-This [documentation](https://docs.traefik.io/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).
 
 ### Method 1: `Docker` and `make`
 
@@ -20,7 +20,7 @@ You can build the documentation and test it locally (with live reloading), using
 $ make docs
 docker build -t traefik-docs -f docs.Dockerfile .
 # […]
-docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
+docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
 # […]
 [I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
 [I 170828 20:47:48 handlers:60] Start watching changes
@@ -75,7 +75,7 @@ To check that the documentation meets standard expectations (no dead links, html
 $ make docs-verify
 docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
 ...
-docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
+docker run --rm -v /home/travis/build/traefik/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
 === Checking HTML content...
 Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
 ```

docs/content/contributing/maintainers.md

@@ -15,12 +15,12 @@
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
-* Damien Duportal [@dduportal](https://github.com/dduportal)
 * Mathieu Lonjaret [@mpl](https://github.com/mpl)
+* Romain Tribotté [@rtribotte](https://github.com/rtribotte)
 
 ## Contributions Daily Meeting
 
-* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/containous/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
+* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/traefik/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
 * Every pull request should be checked during the Contributions Daily Meeting
     * Even if it’s already assigned
     * Even PR labelled with `contributor/waiting-for-corrections` or `contributor/waiting-for-feedback`
@@ -43,7 +43,7 @@ We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
 
 ## Bots
 
-### [Myrmica Lobicornis](https://github.com/containous/lobicornis/)
+### [Myrmica Lobicornis](https://github.com/traefik/lobicornis/)
 
 Update and Merge Pull Request.
 
@@ -67,12 +67,12 @@ This label is used when:
 * Merging branches into the master
 * Preparing the release
 
-### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)
+### [Myrmica Bibikoffi](https://github.com/traefik/bibikoffi/)
 
 * closes stale issues [cron]
     * use some criterion as number of days between creation, last update, labels, ...
 
-### [Myrmica Aloba](https://github.com/containous/aloba)
+### [Myrmica Aloba](https://github.com/traefik/aloba)
 
 Manage GitHub labels.
 

docs/content/contributing/submitting-issues.md

@@ -3,7 +3,7 @@
 Help Us Help You!
 {: .subtitle }
 
-We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik. 
+We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik. 
 
 The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
 To save us some time and get quicker feedback, be sure to follow the guide lines below.
@@ -14,7 +14,7 @@ To save us some time and get quicker feedback, be sure to follow the guide lines
 
     For end-user related support questions, try using first:
 
-    - the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+    - the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 
 ## Issue Title
 
@@ -22,7 +22,7 @@ The title must be short and descriptive. (~60 characters)
 
 ## Description
 
-Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
+Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
 
 Explain us in which conditions you encountered the issue, what is your context.
 

docs/content/contributing/submitting-pull-requests.md

@@ -3,11 +3,11 @@
 A Quick Guide for Efficient Contributions
 {: .subtitle }
 
-So you've decide to improve Traefik? 
+So you've decided to improve Traefik? 
 Thank You! 
 Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
 
-Let's go though the classic pitfalls to make sure everything is right. 
+Let's go through the classic pitfalls to make sure everything is right. 
 
 ## Title
 
@@ -15,7 +15,7 @@ The title must be short and descriptive. (~60 characters)
 
 ## Description
 
-Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
+Follow the [pull request template](https://github.com/traefik/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
 
 Explain the conditions which led you to write this PR: give us context.
 The context should lead to something, an idea or a problem that you’re facing.
@@ -36,7 +36,7 @@ Help the readers focus on what matters, and help them understand the structure o
 - Add tests.
 - Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
 
-!!! note "third-party dependencies"
+!!! note "Third-Party Dependencies"
 
     If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
 

docs/content/contributing/thank-you.md

@@ -3,8 +3,8 @@
 _You_ Made It
 {: .subtitle}
 
-Traefik truly is an [open-source project](https://github.com/containous/traefik/),
-and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this),
+Traefik truly is an [open-source project](https://github.com/traefik/traefik/),
+and wouldn't have become what it is today without the help of our [many contributors](https://github.com/traefik/traefik/graphs/contributors) (at the time of writing this),
 not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
 
 So once again, thank you for your invaluable help on making Traefik such a good product.

docs/content/getting-started/configuration-overview.md

@@ -74,7 +74,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:2.0 --help
+# ex: docker run traefik:2.1 --help
 ```
 
 All available arguments can also be found [here](../reference/static-configuration/cli.md).

docs/content/getting-started/install-traefik.md

@@ -3,17 +3,17 @@
 You can install Traefik with the following flavors:
 
 * [Use the official Docker image](./#use-the-official-docker-image)
-* [(Experimental) Use the Helm Chart](./#use-the-helm-chart)
+* [Use the Helm Chart](./#use-the-helm-chart)
 * [Use the binary distribution](./#use-the-binary-distribution)
 * [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
 
 ## Use the Official Docker Image
 
-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/v2.3/traefik.sample.toml):
 
 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.3
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -21,77 +21,114 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.0.0`
+    ex: `traefik:v2.1.4`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
-    * All the orchestrator using docker images could fetch the official Traefik docker image.
+    * Any orchestrator using docker images can fetch the official Traefik docker image.
 
 ## Use the Helm Chart
 
-!!! warning "Experimental Helm Chart"
+!!! warning
     
-    Please note that the Helm Chart for Traefik v2 is still experimental.
-    
-    The Traefik Stable Chart from 
-    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://docs.traefik.io/v1.7).
+    The Traefik Chart from 
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
 
-Traefik can be installed in Kubernetes using the v2.0 Helm chart from <https://github.com/containous/traefik-helm-chart>.
+Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.
 
 Ensure that the following requirements are met:
 
 * Kubernetes 1.14+
-* Helm version 2.x is [installed](https://v2.helm.sh/docs/using_helm/) and initialized with Tiller
+* Helm version 3.x is [installed](https://helm.sh/docs/intro/install/)
 
-Retrieve the latest chart version from the repository:
+Add Traefik's chart repository to Helm:
 
 ```bash
-# Retrieve Chart from the repository
-git clone https://github.com/containous/traefik-helm-chart
+helm repo add traefik https://traefik.github.io/traefik-helm-chart
+```
+
+You can update the chart repository by running:
+
+```bash
+helm repo update
 ```
 
 And install it with the `helm` command line:
 
 ```bash
-helm install ./traefik-helm-chart
+helm install traefik traefik/traefik
 ```
 
 !!! tip "Helm Features"
     
-    All [Helm features](https://v2.helm.sh/docs/using_helm/#using-helm) are supported.
+    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
     For instance, installing the chart in a dedicated namespace:
 
     ```bash tab="Install in a Dedicated Namespace"
+    kubectl create ns traefik-v2
     # Install in the namespace "traefik-v2"
     helm install --namespace=traefik-v2 \
-        ./traefik-helm-chart
+        traefik traefik/traefik
     ```
 
 ??? example "Installing with Custom Values"
     
     You can customize the installation by specifying custom values,
-    as with [any helm chart](https://v2.helm.sh/docs/using_helm/#customizing-the-chart-before-installing).
+    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
     {: #helm-custom-values }
     
     The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/values.yaml) file to explore possibilities.
+    you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
     
+    You can also set Traefik command line flags using `additionalArguments`.
     Example of installation with logging set to `DEBUG`:
     
     ```bash tab="Using Helm CLI"
     helm install --namespace=traefik-v2 \
-        --set="logs.loglevel=DEBUG" \
-        ./traefik-helm-chart
+        --set="additionalArguments={--log.level=DEBUG}" \
+        traefik traefik/traefik
     ```
     
     ```yml tab="With a custom values file"
     # File custom-values.yml
-    ## Install with "helm install --values=./custom-values.yml ./traefik-helm-chart
-    logs:
-        loglevel: DEBUG
+    ## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
+    additionalArguments:
+      - "--log.level=DEBUG"
     ```
+    
+### Exposing the Traefik dashboard
+
+This HelmChart does not expose the Traefik dashboard by default, for security concerns.
+Thus, there are multiple ways to expose the dashboard.
+For instance, the dashboard access could be achieved through a port-forward :
+
+```shell
+kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
+```
+
+Accessible with the url: http://127.0.0.1:9000/dashboard/
+
+Another way would be to apply your own configuration, for instance,
+by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
+
+```yaml
+# dashboard.yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: dashboard
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+```
 
 ## Use the Binary Distribution
 
-Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
+Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.
 
 ??? info "Check the integrity of the downloaded file"
 

docs/content/getting-started/quick-start.md

@@ -14,8 +14,8 @@ version: '3'
 
 services:
   reverse-proxy:
-    # The official v2.0 Traefik docker image
-    image: traefik:v2.0
+    # The official v2 Traefik docker image
+    image: traefik:v2.3
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:
@@ -48,7 +48,7 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
 # ...
   whoami:
     # A container that exposes an API to show its IP address
-    image: containous/whoami
+    image: traefik/whoami
     labels:
       - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```

docs/content/glossary.md

@@ -12,7 +12,7 @@ Where Every Technical Word finds its Definition`
 - [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
 - [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
 - [ ] ACME
-- [ ] TraefikEE
+- [ ] Traefik Enterprise
 - [ ] Tracing
 - [ ] Metrics
 - [ ] Orchestrator

docs/content/https/acme.md

@@ -23,6 +23,25 @@ Certificates are requested for domain names retrieved from the router's [dynamic
 
 You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
 
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+??? note "Configuration Reference"
+    
+    There are many available options for ACME.
+    For a quick glance at what's possible, browse the configuration reference:
+    
+    ```toml tab="File (TOML)"
+    --8<-- "content/https/ref-acme.toml"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    --8<-- "content/https/ref-acme.yaml"
+    ```
+    
+    ```bash tab="CLI"
+    --8<-- "content/https/ref-acme.txt"
+    ```
+
 ## Domain Definition
 
 Certificate resolvers request certificates for a set of the domain names 
@@ -56,13 +75,13 @@ Please check the [configuration examples below](#configuration-examples) for mor
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
-      email = "your-email@your-domain.org"
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@example.com"
       storage = "acme.json"
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.myresolver.acme.httpChallenge]
         # used during the challenge
         entryPoint = "web"
     ```
@@ -72,13 +91,13 @@ Please check the [configuration examples below](#configuration-examples) for mor
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
-          email: your-email@your-domain.org
+          email: your-email@example.com
           storage: acme.json
           httpChallenge:
             # used during the challenge
@@ -86,50 +105,33 @@ Please check the [configuration examples below](#configuration-examples) for mor
     ```
     
     ```bash tab="CLI"
-    --entryPoints.web.address=:80
-    --entryPoints.websecure.address=:443
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.email=your-email@your-domain.org
-    --certificatesResolvers.sample.acme.storage=acme.json
+    --certificatesresolvers.myresolver.acme.email=your-email@example.com
+    --certificatesresolvers.myresolver.acme.storage=acme.json
     # used during the challenge
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
     ```
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
-??? note "Configuration Reference"
-    
-    There are many available options for ACME.
-    For a quick glance at what's possible, browse the configuration reference:
-    
-    ```toml tab="File (TOML)"
-    --8<-- "content/https/ref-acme.toml"
-    ```
-    
-    ```yaml tab="File (YAML)"
-    --8<-- "content/https/ref-acme.yaml"
-    ```
-    
-    ```bash tab="CLI"
-    --8<-- "content/https/ref-acme.txt"
-    ```
-
 ??? example "Single Domain from Router's Rule Example"
     
-    * A certificate for the domain `company.com` is requested:
+    * A certificate for the domain `example.com` is requested:
 
     --8<-- "content/https/include-acme-single-domain-example.md"
 
 ??? example "Multiple Domains from Router's Rule Example"
  
-    * A certificate for the domains `company.com` (main) and `blog.company.org`
+    * A certificate for the domains `example.com` (main) and `blog.example.org`
       is requested:
     
     --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
     
 ??? example "Multiple Domains from Router's `tls.domain` Example"
 
-    * A certificate for the domains `company.com` (main) and `*.company.org` (SAN)
+    * A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
       is requested:
       
     --8<-- "content/https/include-acme-multiple-domains-example.md"
@@ -164,14 +166,14 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 ??? example "Configuring the `tlsChallenge`"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.tlsChallenge]
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
     ```
 
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           tlsChallenge: {}
@@ -179,7 +181,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.tlsChallenge=true
+    --certificatesresolvers.myresolver.acme.tlschallenge=true
     ```
 
 ### `httpChallenge`
@@ -187,21 +189,21 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
 
 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpchallenge.entrypoint` must be reachable by Let's Encrypt through port 80.
 
-??? example "Using an EntryPoint Called http for the `httpChallenge`"
+??? example "Using an EntryPoint Called web for the `httpChallenge`"
 
     ```toml tab="File (TOML)"
     [entryPoints]
       [entryPoints.web]
         address = ":80"
       
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.myresolver.acme.httpChallenge]
         entryPoint = "web"
     ```
 
@@ -210,11 +212,11 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           httpChallenge:
@@ -222,10 +224,10 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
     ```
     
     ```bash tab="CLI"
-    --entryPoints.web.address=:80
-    --entryPoints.websecure.address=:443
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
     ```
 
 !!! info ""
@@ -238,9 +240,9 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.dnsChallenge]
+      [certificatesResolvers.myresolver.acme.dnsChallenge]
         provider = "digitalocean"
         delayBeforeCheck = 0
     # ...
@@ -248,7 +250,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           dnsChallenge:
@@ -259,8 +261,8 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
-    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+    --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
+    --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
     # ...
     ```
 
@@ -273,22 +275,29 @@ Here is a list of supported `providers`, that can automate the DNS verification,
 along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
 Do not hesitate to complete it.
 
-Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
+Many lego environment variables can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
 For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
 
+For complete details, refer to your provider's _Additional configuration_ link.
+
 | Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
-| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
+| [ArvanCloud](https://www.arvancloud.com/en)                 | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
+| [Auroradns](https://www.pcextreme.com/dns-health-checks)    | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
 | [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
+| [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
+| [CloudDNS](https://vshosting.eu/)                           | `clouddns`     | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)     |
 | [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
+| [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
+| [deSEC](https://desec.io)                                   | `desec`        | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)        |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
 | [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
@@ -297,52 +306,64 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
 | [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
 | [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
+| [Dynu](https://www.dynu.com)                                | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
 | [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
+| [EdgeDNS](https://www.akamai.com/)                          | `edgedns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
 | External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
 | [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
-| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/fastdns)      |
+| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
 | [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
 | [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
 | [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
 | [GoDaddy](https://godaddy.com/)                             | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
+| [Hetzner](https://hetzner.com)                              | `hetzner`      | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)      |
 | [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
+| [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
 | [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
-| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
-| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
+| [Linode v4](https://www.linode.com)                         | `linode`       | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
-| manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
+| [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
+| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
+| [Mythic Beasts](https://www.mythic-beasts.com)              | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
 | [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
 | [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
+| [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
-| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
+| [NS1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
 | [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
 | [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
 | [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
 | [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
 | [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
+| [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
 | [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
 | [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
+| [RimuHosting](https://rimuhosting.com)                      | `rimuhosting`  | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)  |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
+| [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
 | [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
+| [Servercow](https://servercow.de)                           | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
 | [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
 | [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
 | [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
+| [Yandex](https://yandex.com)                                | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
+| [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
 
 [^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
+[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production)
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
@@ -357,16 +378,16 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 Use custom DNS servers to resolve the FQDN authority.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
   # ...
-  [certificatesResolvers.sample.acme.dnsChallenge]
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
     resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
 ```
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       dnsChallenge:
@@ -378,7 +399,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.dnsChallenge.resolvers:=1.1.1.1:53,8.8.8.8:53
+--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
 #### Wildcard Domains
@@ -390,10 +411,17 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 
 ### `caServer`
 
+_Required, Default="https://acme-v02.api.letsencrypt.org/directory"_
+
+The CA server to use:
+
+- Let's Encrypt production server: https://acme-v02.api.letsencrypt.org/directory
+- Let's Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory
+
 ??? example "Using the Let's Encrypt staging server"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
       caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
       # ...
@@ -401,7 +429,7 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
     
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           caServer: https://acme-staging-v02.api.letsencrypt.org/directory
@@ -410,16 +438,18 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+    --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
     # ...
     ```
 
 ### `storage`
 
+_Required, Default="acme.json"_
+
 The `storage` option sets the location where your ACME certificates are saved to.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
   # ...
   storage = "acme.json"
   # ...
@@ -427,7 +457,7 @@ The `storage` option sets the location where your ACME certificates are saved to
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       storage: acme.json
@@ -436,17 +466,11 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesresolvers.myresolver.acme.storage=acme.json
 # ...
 ```
 
-The value can refer to some kinds of storage:
-
-- a JSON file
-
-#### In a File
-
-ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
+ACME certificates are stored in a JSON file that needs to have a `600` file mode.
 
 In Docker you can mount either the JSON file, or the folder containing it:
 
@@ -459,7 +483,38 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 ```
 
 !!! warning
-    For concurrency reason, this file cannot be shared across multiple instances of Traefik.
+    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.
+
+### `preferredChain`
+
+_Optional, Default=""_
+
+Preferred chain to use.
+
+If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+If no match, the default offered chain will be used.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  preferredChain = "ISRG Root X1"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      preferredChain: 'ISRG Root X1'
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
+# ...
+```
 
 ## Fallback
 

docs/content/https/include-acme-multiple-domains-example.md

@@ -2,27 +2,26 @@
 ```yaml tab="Docker"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
-  - traefik.http.routers.blog.tls.domains[0].main=company.org
-  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```
 
 ```yaml tab="Docker (Swarm)"
 ## Dynamic configuration
 deploy:
   labels:
-    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
     - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
     - traefik.http.routers.blog.tls=true
-    - traefik.http.routers.blog.tls.certresolver=le
-    - traefik.http.routers.blog.tls.domains[0].main=company.org
-    - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.routers.blog.tls.domains[0].main=example.org
+    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```
 
 ```yaml tab="Kubernetes"
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -31,22 +30,26 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`company.com`) && Path(`/blog`)
+  - match: Host(`example.com`) && Path(`/blog`)
     kind: Rule
     services:
     - name: blog
       port: 8080
   tls:
-    certResolver: le
+    certResolver: myresolver
+    domains:
+    - main: example.org
+      sans:
+      - '*.example.org'
 ```
 
 ```json tab="Marathon"
 labels: {
-  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
   "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "le",
-  "traefik.http.routers.blog.tls.domains[0].main": "company.com",
-  "traefik.http.routers.blog.tls.domains[0].sans": "*.company.com",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
 }
 ```
@@ -54,23 +57,23 @@ labels: {
 ```yaml tab="Rancher"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
-  - traefik.http.routers.blog.tls.domains[0].main=company.org
-  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```
 
 ```toml tab="File (TOML)"
 ## Dynamic configuration
 [http.routers]
   [http.routers.blog]
-    rule = "Host(`company.com`) && Path(`/blog`)"
+    rule = "Host(`example.com`) && Path(`/blog`)"
     [http.routers.blog.tls]
-      certResolver = "le" # From static configuration
+      certResolver = "myresolver" # From static configuration
       [[http.routers.blog.tls.domains]]
-        main = "company.org"
-        sans = ["*.company.org"]
+        main = "example.org"
+        sans = ["*.example.org"]
 ```
 
 ```yaml tab="File (YAML)"
@@ -78,11 +81,11 @@ labels:
 http:
   routers:
     blog:
-      rule: "Host(`company.com`) && Path(`/blog`)"
+      rule: "Host(`example.com`) && Path(`/blog`)"
       tls:
-        certResolver: le
+        certResolver: myresolver
         domains:
-          - main: "company.org"
+          - main: "example.org"
             sans:
-              - "*.company.org"
+              - "*.example.org"
 ```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -2,23 +2,22 @@
 ```yaml tab="Docker"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
 ```yaml tab="Docker (Swarm)"
 ## Dynamic configuration
 deploy:
   labels:
-    - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
-    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
     - traefik.http.routers.blog.tls=true
-    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
 ```
 
 ```yaml tab="Kubernetes"
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -27,19 +26,20 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: (Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
     kind: Rule
     services:
     - name: blog
       port: 8080
-  tls: {}
+  tls:
+    certResolver: myresolver
 ```
 
 ```json tab="Marathon"
 labels: {
-  "traefik.http.routers.blog.rule": "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)",
+  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
   "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
 }
 ```
@@ -47,18 +47,18 @@ labels: {
 ```yaml tab="Rancher"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
 ```toml tab="File (TOML)"
 ## Dynamic configuration
 [http.routers]
   [http.routers.blog]
-    rule = "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
     [http.routers.blog.tls]
-      certResolver = "le" # From static configuration
+      certResolver = "myresolver"
 ```
 
 ```yaml tab="File (YAML)"
@@ -66,7 +66,7 @@ labels:
 http:
   routers:
     blog:
-      rule: "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+      rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
       tls:
-        certResolver: le
+        certResolver: myresolver
 ```

docs/content/https/include-acme-single-domain-example.md

@@ -2,23 +2,22 @@
 ```yaml tab="Docker"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
 ```yaml tab="Docker (Swarm)"
 ## Dynamic configuration
 deploy:
   labels:
-    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
-    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
     - traefik.http.routers.blog.tls=true
-    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
 ```
 
 ```yaml tab="Kubernetes"
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -27,19 +26,20 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`company.com`) && Path(`/blog`)
+  - match: Host(`example.com`) && Path(`/blog`)
     kind: Rule
     services:
     - name: blog
       port: 8080
-  tls: {}
+  tls:
+    certResolver: myresolver
 ```
 
 ```json tab="Marathon"
 labels: {
-  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
   "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
 }
 ```
@@ -47,18 +47,18 @@ labels: {
 ```yaml tab="Rancher"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
-```toml tab="Single Domain"
+```toml tab="File (TOML)"
 ## Dynamic configuration
 [http.routers]
-    [http.routers.blog]
-    rule = "Host(`company.com`) && Path(`/blog`)"
-    [http.routers.blog.tls]
-        certResolver = "le" # From static configuration
+  [http.routers.blog]
+  rule = "Host(`example.com`) && Path(`/blog`)"
+  [http.routers.blog.tls]
+    certResolver = "myresolver"
 ```
 
 ```yaml tab="File (YAML)"
@@ -66,7 +66,7 @@ labels:
 http:
   routers:
     blog:
-      rule: "Host(`company.com`) && Path(`/blog`)"
+      rule: "Host(`example.com`) && Path(`/blog`)"
       tls:
-        certResolver: le
+        certResolver: myresolver
 ```

docs/content/https/ref-acme.toml

@@ -1,11 +1,11 @@
 # Enable ACME (Let's Encrypt): automatic SSL.
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
 
   # Email address used for registration.
   #
   # Required
   #
-  email = "test@traefik.io"
+  email = "test@example.com"
 
   # File or key used for certificates storage.
   #
@@ -22,6 +22,16 @@
   #
   # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+  # Preferred chain to use.
+  #
+  # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+  # If no match, the default offered chain will be used.
+  #
+  # Optional
+  # Default: ""
+  #
+  # preferredChain = "ISRG Root X1"
+
   # KeyType to use.
   #
   # Optional
@@ -35,13 +45,13 @@
   #
   # Optional (but recommended)
   #
-  [certificatesResolvers.sample.acme.tlsChallenge]
+  [certificatesResolvers.myresolver.acme.tlsChallenge]
 
   # Use a HTTP-01 ACME challenge.
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.httpChallenge]
+  # [certificatesResolvers.myresolver.acme.httpChallenge]
 
     # EntryPoint to use for the HTTP-01 challenges.
     #
@@ -54,7 +64,7 @@
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.dnsChallenge]
+  # [certificatesResolvers.myresolver.acme.dnsChallenge]
 
     # DNS provider used.
     #

docs/content/https/ref-acme.txt

@@ -4,13 +4,13 @@
 #
 # Required
 #
---certificatesResolvers.sample.acme.email=test@traefik.io
+--certificatesresolvers.myresolver.acme.email=test@example.com
 
 # File or key used for certificates storage.
 #
 # Required
 #
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesresolvers.myresolver.acme.storage=acme.json
 
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
@@ -19,7 +19,17 @@
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
---certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+
+# Preferred chain to use.
+#
+# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+# If no match, the default offered chain will be used.
+#
+# Optional
+# Default: ""
+#
+--certificatesresolvers.myresolver.acme.preferredchain="ISRG Root X1"
 
 # KeyType to use.
 #
@@ -28,38 +38,38 @@
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
---certificatesResolvers.sample.acme.keyType=RSA4096
+--certificatesresolvers.myresolver.acme.keytype=RSA4096
 
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
---certificatesResolvers.sample.acme.tlsChallenge=true
+--certificatesresolvers.myresolver.acme.tlschallenge=true
 
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.httpChallenge=true
+--certificatesresolvers.myresolver.acme.httpchallenge=true
 
 # EntryPoint to use for the HTTP-01 challenges.
 #
 # Required
 #
---certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
 
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.dnsChallenge=true
+--certificatesresolvers.myresolver.acme.dnschallenge=true
 
 # DNS provider used.
 #
 # Required
 #
---certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
 
 # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
 # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
@@ -68,14 +78,14 @@
 # Optional
 # Default: 0
 #
---certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
 
 # Use following DNS servers to resolve the FQDN authority.
 #
 # Optional
 # Default: empty
 #
---certificatesResolvers.sample.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 
 # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
 #
@@ -85,4 +95,4 @@
 # Optional
 # Default: false
 #
---certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
+--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

docs/content/https/ref-acme.yaml

@@ -1,5 +1,5 @@
 certificatesResolvers:
-  sample:
+  myresolver:
     # Enable ACME (Let's Encrypt): automatic SSL.
     acme:
 
@@ -7,7 +7,7 @@ certificatesResolvers:
       #
       # Required
       #
-      email: "test@traefik.io"
+      email: "test@example.com"
 
       # File or key used for certificates storage.
       #
@@ -24,6 +24,16 @@ certificatesResolvers:
       #
       # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+      # Preferred chain to use.
+      #
+      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+      # If no match, the default offered chain will be used.
+      #
+      # Optional
+      # Default: ""
+      #
+      # preferredChain: 'ISRG Root X1'
+
       # KeyType to use.
       #
       # Optional

docs/content/https/tls.md

@@ -40,7 +40,7 @@ tls:
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
-    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../routing/providers/kubernetes-crd.md#tls). 
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
 
 ## Certificates Stores
 
@@ -134,6 +134,16 @@ If no default certificate is provided, Traefik generates and uses a self-signed
 
 The TLS options allow one to configure some parameters of the TLS connection.
 
+!!! important "TLSOptions in Kubernetes"
+
+    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
+    if not explicitly overwritten, should apply to all ingresses. To achieve that, you'll have to
+    create a TLSOptions CR with the name `default`. There may exist only one TLSOption with the 
+    name `default` (across all namespaces) - otherwise they will be dropped.  
+    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources) you'll 
+    have to add an annotation to the Ingress in the following form:
+    `traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`
+
 ### Minimum TLS Version
 
 ```toml tab="File (TOML)"
@@ -183,9 +193,9 @@ spec:
 
 ### Maximum TLS Version
 
-We discourages the use of this setting to disable TLS1.3.
+We discourage the use of this setting to disable TLS1.3.
 
-The right approach is to update the clients to support TLS1.3.
+The recommended approach is to update the clients to support TLS1.3.
 
 ```toml tab="File (TOML)"
 # Dynamic configuration
@@ -316,8 +326,8 @@ spec:
 
 ### Strict SNI Checking
 
-With strict SNI checking, Traefik won't allow connections from clients connections
-that do not specify a server_name extension.
+With strict SNI checking enabled, Traefik won't allow connections from clients
+that do not specify a server_name extension or don't match any certificate configured on the tlsOption.
 
 ```toml tab="File (TOML)"
 # Dynamic configuration
@@ -347,6 +357,39 @@ spec:
   sniStrict: true
 ```
 
+### Prefer Server Cipher Suites
+
+This option allows the server to choose its most preferred cipher suite instead of the client's.
+Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    preferServerCipherSuites = true
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      preferServerCipherSuites: true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  preferServerCipherSuites: true
+```
+
 ### Client Authentication (mTLS)
 
 Traefik supports mutual authentication, through the `clientAuth` section.
@@ -395,6 +438,7 @@ metadata:
 
 spec:
   clientAuth:
+    # the CA certificate is extracted from key `tls.ca` of the given secrets.
     secretNames:
       - secretCA
     clientAuthType: RequireAndVerifyClientCert

docs/content/index.md

@@ -3,7 +3,7 @@
 
 ![Architecture](assets/img/traefik-architecture.png)
 
-Traefik is an [open-source](https://github.com/containous/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
 It receives requests on behalf of your system and finds out which components are responsible for handling them. 
 
 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
@@ -20,4 +20,9 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 !!! info
 
-    If you're a business running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://info.containo.us/commercial-services) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 
+    Join our user friendly and active [Community Forum](https://community.traefik.io) to discuss, learn, and connect with the traefik community.
+    
+    If you're a business running critical services behind Traefik,
+    know that [Traefik Labs](https://traefik.io), the company that sponsors Traefik's development,
+    can provide [commercial support](https://info.traefik.io/commercial-services)
+    and develops an [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik.

docs/content/middlewares/basicauth.md

@@ -12,9 +12,11 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 ```yaml tab="Docker"
 # Declaring the user list
 #
-# Note: all dollar signs in the hash need to be doubled for escaping.
+# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+#
+# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
@@ -71,7 +73,7 @@ http:
 
 ### General
 
-Passwords must be encoded using MD5, SHA1, or BCrypt.
+Passwords must be hashed using MD5, SHA1, or BCrypt.
 
 !!! tip 
 
@@ -79,7 +81,7 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.
 
 ### `users`
 
-The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
+The `users` option is an array of authorized users. Each user will be declared using the `name:hashed-password` format.
 
 !!! note ""
     
@@ -90,7 +92,7 @@ The `users` option is an array of authorized users. Each user will be declared u
 # Declaring the user list
 #
 # Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
+# To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -107,6 +109,10 @@ spec:
     secret: authsecret
 
 ---
+# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
+# To create an encoded user:password pair, the following command can be used:
+# htpasswd -nb user password | openssl base64
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -161,7 +167,7 @@ http:
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
 
-The file content is a list of `name:encoded-password`.
+The file content is a list of `name:hashed-password`.
 
 !!! note ""
     

docs/content/middlewares/buffering.md

@@ -165,7 +165,7 @@ http:
 
 ### `maxResponseBodyBytes`
 
-With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
+With the `maxResponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
 
 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
 

docs/content/middlewares/circuitbreaker.md

@@ -7,7 +7,7 @@ Don't Waste Time Calling Unhealthy Services
 
 The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
 
-When your system is healthy, the circuit is close (normal operations). 
+When your system is healthy, the circuit is closed (normal operations).
 When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
 
 To assess if your system is healthy, the circuit breaker constantly monitors the services. 
@@ -82,13 +82,13 @@ http:
 
 There are three possible states for your circuit breaker:
 
-- Close (your service operates normally)
+- Closed (your service operates normally)
 - Open (the fallback mechanism takes over your service)
 - Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)
 
-### Close
+### Closed
 
-While close, the circuit breaker only collects metrics to analyze the behavior of the requests.
+While the circuit is closed, the circuit breaker only collects metrics to analyze the behavior of the requests.
 
 At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change. 
 

docs/content/middlewares/compress.md

@@ -64,6 +64,9 @@ http:
     * The `Accept-Encoding` request header contains `gzip`.
     * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
 
+    If Content-Type header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type. 
+    It will also set accordingly the `Content-Type` header with the detected MIME type.
+    
 ## Configuration Options
 
 ### `excludedContentTypes`

docs/content/middlewares/contenttype.md

@@ -0,0 +1,86 @@
+
+# ContentType
+
+Handling ContentType auto-detection
+{: .subtitle }
+
+The Content-Type middleware - or rather its unique `autoDetect` option -
+specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.
+
+As a proxy, the default behavior should be to leave the header alone,
+regardless of what the backend did with it.
+However, the historic default was to always auto-detect and set the header if it was nil,
+and it is going to be kept that way in order to support users currently relying on it.
+This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+
+!!! info
+
+    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
+    is still to automatically set the `Content-Type` header.
+    Therefore, given the default value of the `autoDetect` option (false),
+    simply enabling this middleware for a router switches the router's behavior.
+    
+    The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
+    Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```yaml tab="Kubernetes"
+# Disable auto-detection
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: autodetect
+spec:
+  contentType:
+    autoDetect: false
+```
+
+```yaml tab="Consul Catalog"
+# Disable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+}
+```
+
+```yaml tab="Rancher"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```toml tab="File (TOML)"
+# Disable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+     autoDetect=false
+```
+
+```yaml tab="File (YAML)"
+# Disable auto-detection
+http:
+  middlewares:
+    autodetect:
+      contentType:
+        autoDetect: false
+```
+
+## Configuration Options
+
+### `autoDetect`
+
+`autoDetect` specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.

docs/content/middlewares/forwardauth.md

@@ -12,53 +12,53 @@ Otherwise, the response from the authentication server is returned.
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```yaml tab="Kubernetes"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
 ```
 
 ```yaml tab="Consul Catalog"
-# Forward authentication to authserver.com
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+# Forward authentication to example.com
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
 }
 ```
 
 ```yaml tab="Rancher"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```toml tab="File (TOML)"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
 ```
 
 ```yaml tab="File (YAML)"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
 ```
 
 ## Configuration Options
@@ -69,7 +69,7 @@ The `address` option defines the authentication server address.
 
 ```yaml tab="Docker"
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```yaml tab="Kubernetes"
@@ -79,28 +79,28 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth 
+    address: https://example.com/auth 
 ```
 
 ```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
 }
 ```
 
 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
 ```
 
 ```yaml tab="File (YAML)"
@@ -108,7 +108,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
 ```
 
 ### `trustForwardHeader`
@@ -127,7 +127,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     trustForwardHeader: true
 ```
 
@@ -149,7 +149,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     trustForwardHeader = true
 ```
 
@@ -158,7 +158,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         trustForwardHeader: true
 ```
 
@@ -178,7 +178,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     authResponseHeaders:
       - X-Auth-User
       - X-Secret
@@ -202,7 +202,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     authResponseHeaders = ["X-Auth-User", "X-Secret"]
 ```
 
@@ -211,7 +211,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         authResponseHeaders:
           - "X-Auth-User"
           - "X-Secret"
@@ -237,7 +237,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       caSecret: mycasercret
 
@@ -270,7 +270,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       ca = "path/to/local.crt"
 ```
@@ -280,7 +280,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           ca: "path/to/local.crt"
 ```
@@ -306,7 +306,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       caOptional: true
 ```
@@ -329,7 +329,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       caOptional = true
 ```
@@ -339,7 +339,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           caOptional: true
 ```
@@ -361,7 +361,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       certSecret: mytlscert
 
@@ -398,7 +398,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       cert = "path/to/foo.cert"
       key = "path/to/foo.key"
@@ -409,7 +409,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           cert: "path/to/foo.cert"
           key: "path/to/foo.key"
@@ -435,7 +435,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       certSecret: mytlscert
 
@@ -472,7 +472,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       cert = "path/to/foo.cert"
       key = "path/to/foo.key"
@@ -483,7 +483,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           cert: "path/to/foo.cert"
           key: "path/to/foo.key"
@@ -508,7 +508,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       insecureSkipVerify: true
 ```
@@ -531,7 +531,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       insecureSkipVerify: true
 ```
@@ -541,7 +541,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           insecureSkipVerify: true
 ```

docs/content/middlewares/headers.md

@@ -151,8 +151,8 @@ metadata:
   name: testHeader
 spec:
   headers:
-    frameDeny: "true"
-    sslRedirect: "true"
+    frameDeny: true
+    sslRedirect: true
 ```
 
 ```yaml tab="Consul Catalog"
@@ -197,7 +197,7 @@ This functionality allows for more advanced security features to quickly be set.
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -213,14 +213,16 @@ spec:
       - "GET"
       - "OPTIONS"
       - "PUT"
-    accessControlAllowOrigin: "origin-list-or-null"
+    accessControlAllowOriginList:
+      - "https://foo.bar.org"
+      - "https://example.org"
     accessControlMaxAge: 100
-    addVaryHeader: "true"
+    addVaryHeader: true
 ```
 
 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
 - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -228,7 +230,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin": "origin-list-or-null",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
   "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
   "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
 }
@@ -237,7 +239,7 @@ spec:
 ```yaml tab="Rancher"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -246,7 +248,7 @@ labels:
 [http.middlewares]
   [http.middlewares.testHeader.headers]
     accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
     accessControlMaxAge = 100
     addVaryHeader = true
 ```
@@ -260,7 +262,9 @@ http:
           - GET
           - OPTIONS
           - PUT
-        accessControlAllowOrigin: "origin-list-or-null"
+        accessControlAllowOriginList:
+          - https://foo.bar.org
+          - https://example.org
         accessControlMaxAge: 100
         addVaryHeader: true
 ```
@@ -295,14 +299,22 @@ The `accessControlAllowHeaders` indicates which header field names can be used a
 
 The  `accessControlAllowMethods` indicates which methods can be used during requests.
 
-### `accessControlAllowOrigin`
+### `accessControlAllowOriginList`
 
-The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values.
-The three options for this value are:
+The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
 
-- `origin-list-or-null`
-- `*`
-- `null`
+A wildcard origin `*` can also be configured, and will match all requests.
+If this value is set by a backend server, it will be overwritten by Traefik
+
+This value can contains a list of allowed origins.
+
+More information including how to use the settings can be found on:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
+
+Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
 
 ### `accessControlExposeHeaders`
 
@@ -310,11 +322,11 @@ The `accessControlExposeHeaders` indicates which headers are safe to expose to t
 
 ### `accessControlMaxAge`
 
-The `accessControlMaxAge` indicates how long a preflight request can be cached.
+The `accessControlMaxAge` indicates how long (in seconds) a preflight request can be cached.
 
 ### `addVaryHeader`
 
-The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
 
 ### `allowedHosts` 
 

docs/content/middlewares/ipwhitelist.md

@@ -66,7 +66,7 @@ http:
 
 ### `sourceRange`
 
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 
 ### `ipStrategy`
 

docs/content/middlewares/overview.md

@@ -5,9 +5,9 @@ Tweaking the Request
 
 ![Overview](../assets/img/middleware/overview.png)
 
-Attached to the routers, pieces of middleware are a mean of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
+Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
 
-There are many different available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
+There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
 
 Pieces of middleware can be combined in chains to fit every scenario.
 
@@ -17,7 +17,7 @@ Pieces of middleware can be combined in chains to fit every scenario.
 # As a Docker Label
 whoami:
   #  A container that exposes an API to show its IP address
-  image: containous/whoami
+  image: traefik/whoami
   labels:
     # Create a middleware named `foo-add-prefix`
     - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
@@ -25,7 +25,7 @@ whoami:
     - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```
 
-```yaml tab="Kubernetes"
+```yaml tab="Kubernetes IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -130,7 +130,7 @@ http:
 
 ## Provider Namespace
 
-When you declare a middleware, it lives in its provider namespace.
+When you declare a middleware, it lives in its provider's namespace.
 For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
 
 If you use multiple providers and wish to reference a middleware declared in another provider
@@ -143,11 +143,14 @@ then you'll have to append to the middleware name, the `@` separator, followed b
 
 !!! important "Kubernetes Namespace"
 
-	As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
-with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
-In this case, since the definition of the middleware is not in kubernetes,
-specifying a "kubernetes namespace" when referring to the resource does not make any sense,
-and therefore this specification would be ignored even if present.
+    As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
+    with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
+    In this case, since the definition of the middleware is not in kubernetes,
+    specifying a "kubernetes namespace" when referring to the resource does not make any sense,
+    and therefore this specification would be ignored even if present.
+    On the other hand, if you declare the middleware as a Custom Resource in Kubernetes and use the 
+    non-crd Ingress objects, you'll have to add the kubernetes namespace of the middleware to the 
+    annotation like this `<middleware-namespace>-<middleware-name>@kubernetescrd`.
 
 !!! abstract "Referencing a Middleware from Another Provider"
 
@@ -178,7 +181,7 @@ and therefore this specification would be ignored even if present.
         - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
     ```
 
-    ```yaml tab="Kubernetes"
+    ```yaml tab="Kubernetes Ingress Route"
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
@@ -188,7 +191,7 @@ and therefore this specification would be ignored even if present.
       entryPoints:
         - web
       routes:
-        - match: Host(`bar.com`)
+        - match: Host(`example.com`)
           kind: Rule
           services:
             - name: whoami
@@ -199,6 +202,31 @@ and therefore this specification would be ignored even if present.
             # A namespace specification such as above is ignored
             # when the cross-provider syntax is used.
     ```
+    
+    ```yaml tab="Kubernetes Ingress"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: stripprefix
+      namespace: appspace
+    spec:
+      stripPrefix:
+        prefixes:
+          - /stripit
+    
+    ---
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      name: ingress
+      namespace: appspace
+      annotations:
+        # referencing a middleware from Kubernetes CRD provider: 
+        # <middleware-namespace>-<middleware-name>@kubernetescrd
+        "traefik.ingress.kubernetes.io/router.middlewares": appspace-stripprefix@kubernetescrd
+    spec:
+      # ... regular ingress definition
+    ```
 
 ## Available Middlewares
 

docs/content/middlewares/passtlsclientcert.md

@@ -70,6 +70,7 @@ http:
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
@@ -264,7 +265,7 @@ In the following example, you can see a complete certificate. We will use each p
             Validity
                 Not Before: Dec  6 11:10:16 2018 GMT
                 Not After : Dec  5 11:10:16 2020 GMT
-            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
+            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
             Subject Public Key Info:
                 Public Key Algorithm: rsaEncryption
                     RSA Public-Key: (2048 bit)
@@ -301,7 +302,7 @@ In the following example, you can see a complete certificate. We will use each p
                     keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
     
                 X509v3 Subject Alternative Name: 
-                    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
+                    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
         Signature Algorithm: sha1WithRSAEncryption
              76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
              16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
@@ -421,7 +422,7 @@ The value of the header will be an escaped concatenation of all the selected cer
 The following example shows an unescaped result that uses all the available fields: 
 
 ```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "Multiple certificates"
@@ -470,19 +471,19 @@ The data are taken from the following certificate part:
 
 ```text
  X509v3 Subject Alternative Name: 
-    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
+    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```
 
 The escape SANs info part will be like:
 
 ```text
-SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
+SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "multiple values"
 
     All the SANs data are separated by a `,`.
-    
+
 #### `info.subject`
 
 The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@@ -490,7 +491,7 @@ The `info.subject` select the specific client certificate subject details you wa
 The data are taken from the following certificate part :
 
 ```text
-Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
+Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
 ```
 
 ##### `info.subject.country`
@@ -548,7 +549,7 @@ The data are taken from the subject part with the `CN` key.
 The escape common name info in the subject part will be like :
 
 ```text
-CN=*.cheese.com
+CN=*.example.com
 ```
 
 ##### `info.subject.serialNumber`

docs/content/middlewares/ratelimit.md

@@ -3,7 +3,7 @@
 To Control the Number of Requests Going to a Service
 {: .subtitle }
 
-The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows you define what is fair.
+The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows one to define what fair is.
 
 ## Configuration Example
 
@@ -24,8 +24,8 @@ metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      average: 100
-      burst: 50
+    average: 100
+    burst: 50
 ```
 
 ```yaml tab="Consul Catalog"
@@ -74,25 +74,32 @@ http:
 
 ### `average`
 
-Average is the maximum rate, in requests/s, allowed for the given source.
-It defaults to 0, which means no rate limiting.
+`average` is the maximum rate, by default in requests by second, allowed for the given source.
+
+It defaults to `0`, which means no rate limiting.
+
+The rate is actually defined by dividing `average` by `period`.
+So for a rate below 1 req/s, one needs to define a `period` larger than a second.
 
 ```yaml tab="Docker"
+# 100 reqs/s
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
 ```yaml tab="Kubernetes"
+# 100 reqs/s
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      average: 100
+    average: 100
 ```
 
 ```yaml tab="Consul Catalog"
+# 100 reqs/s
 - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
@@ -108,12 +115,14 @@ labels:
 ```
 
 ```toml tab="File (TOML)"
+# 100 reqs/s
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
     average = 100
 ```
 
 ```yaml tab="File (YAML)"
+# 100 reqs/s
 http:
   middlewares:
     test-ratelimit:
@@ -121,10 +130,78 @@ http:
         average: 100
 ```
 
+### `period`
+
+`period`, in combination with `average`, defines the actual maximum rate, such as:
+
+```go
+r = average / period
+```
+
+It defaults to `1` second.
+
+```yaml tab="Docker"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```yaml tab="Kubernetes"
+# 6 reqs/minute
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    period: 1m
+    average: 6
+```
+
+```yaml tab="Consul Catalog"
+# 6 reqs/minute
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
+  "traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
+}
+```
+
+```yaml tab="Rancher"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```toml tab="File (TOML)"
+# 6 reqs/minute
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 6
+    period = 1m
+```
+
+```yaml tab="File (YAML)"
+# 6 reqs/minute
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 6
+        period: 1m
+```
+
 ### `burst`
 
-Burst is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
-It defaults to 1.
+`burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
+
+It defaults to `1`.
 
 ```yaml tab="Docker"
 labels:
@@ -138,7 +215,7 @@ metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      burst: 100
+    burst: 100
 ```
 
 ```yaml tab="Consul Catalog"

docs/content/middlewares/redirectscheme.md

@@ -11,6 +11,132 @@ RedirectScheme redirect request from a scheme to another.
 
 ## Configuration Examples
 
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+```
+
+## Configuration Options
+
+### `permanent`
+
+Set the `permanent` option to `true` to apply a permanent redirection.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        permanent: true
+```
+
+### `scheme`
+
+The `scheme` option defines the scheme of the new url.
+
 ```yaml tab="Docker"
 # Redirect to https
 labels:
@@ -31,7 +157,7 @@ spec:
 ```yaml tab="Consul Catalog"
 # Redirect to https
 labels:
-- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
 ```json tab="Marathon"
@@ -62,16 +188,66 @@ http:
         scheme: https
 ```
 
-## Configuration Options
-
-### `permanent`
-
-Set the `permanent` option to `true` to apply a permanent redirection.
-
-### `scheme`
-
-The `scheme` option defines the scheme of the new url.
-
 ### `port`
 
 The `port` option defines the port of the new url.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    port: "443"
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    port = 443
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        port: "443"
+```
+
+!!! info "Port in this configuration is a string, not a numeric value."

docs/content/middlewares/stripprefix.md

@@ -98,7 +98,7 @@ _Optional, Default=true_
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceslash=false"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
 ```
 
 ```yaml tab="Kubernetes"
@@ -116,7 +116,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
-  "traefik.http.middlewares.example.stripprefix.forceslash": "false"
+  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
 }
 ```
 

docs/content/migration/v1-to-v2.md

@@ -10,7 +10,7 @@ feature by feature, of how the configuration looked like in v1, and how it now l
 
 !!! info "Migration Helper"
 
-    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/containous/traefik-migration-tool)
+    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/traefik/traefik-migration-tool)
 
     This tool allows to:
 
@@ -40,7 +40,7 @@ Then any router can refer to an instance of the wanted middleware.
     ```
 
     ```yaml tab="K8s Ingress"
-    apiVersion: extensions/v1beta1
+    apiVersion: networking.k8s.io/v1beta1
     kind: Ingress
     metadata:
       name: traefik
@@ -50,7 +50,7 @@ Then any router can refer to an instance of the wanted middleware.
         traefik.ingress.kubernetes.io/rule-type: PathPrefix
     spec:
       rules:
-      - host: test.locahost
+      - host: test.localhost
         http:
           paths:
           - path: /test
@@ -97,14 +97,14 @@ Then any router can refer to an instance of the wanted middleware.
 
     ```yaml tab="Docker"
     labels:
-      - "traefik.http.routers.router0.rule=Host(`bar.com`) && PathPrefix(`/test`)"
+      - "traefik.http.routers.router0.rule=Host(`test.localhost`) && PathPrefix(`/test`)"
       - "traefik.http.routers.router0.middlewares=auth"
       - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
     ```
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
@@ -184,39 +184,39 @@ Then any router can refer to an instance of the wanted middleware.
               - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
     ```
 
-## TLS Configuration Is Now Dynamic, per Router.
+## TLS Configuration is Now Dynamic, per Router.
 
 TLS parameters used to be specified in the static configuration, as an entryPoint field.
 With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations.
 Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one of the [TLS configurations](../https/tls.md) defined at the root, hence defining the [TLS configuration](../https/tls.md) for that router.
 
-!!! example "TLS on web-secure entryPoint becomes TLS option on Router-1"
+!!! example "TLS on websecure entryPoint becomes TLS option on Router-1"
 
     !!! info "v1"
     
     ```toml tab="File (TOML)"
     # static configuration
     [entryPoints]
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-        [entryPoints.web-secure.tls]
+        [entryPoints.websecure.tls]
           minVersion = "VersionTLS12"
           cipherSuites = [
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-           ]
-          [[entryPoints.web-secure.tls.certificates]]
+          ]
+          [[entryPoints.websecure.tls.certificates]]
             certFile = "path/to/my.cert"
             keyFile = "path/to/my.key"
     ```
 
     ```bash tab="CLI"
-    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
+    --entryPoints='Name:websecure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
     ```
 
     !!! info "v2"
@@ -225,7 +225,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
     # dynamic configuration
     [http.routers]
       [http.routers.Router-1]
-        rule = "Host(`bar.com`)"
+        rule = "Host(`example.com`)"
         service = "service-id"
         # will terminate the TLS request
         [http.routers.Router-1.tls]
@@ -236,26 +236,23 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       keyFile = "/path/to/domain.key"
     
     [tls.options]
-      [tls.options.default]
-        minVersion = "VersionTLS12"
-    
       [tls.options.myTLSOptions]
-        minVersion = "VersionTLS13"
+        minVersion = "VersionTLS12"
         cipherSuites = [
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            ]
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        ]
     ```
 
     ```yaml tab="File (YAML)"
     http:
       routers:
         Router-1:
-          rule: "Host(`bar.com`)"
+          rule: "Host(`example.com`)"
           service: service-id
           # will terminate the TLS request
           tls:
@@ -267,18 +264,18 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
           keyFile: /path/to/domain.key
       options:
         myTLSOptions:
-          minVersion: VersionTLS13
+          minVersion: VersionTLS12
           cipherSuites:
 	        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-	        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-	        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+	        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+	        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 	        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 	        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     ```
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: TLSOption
     metadata:
@@ -286,11 +283,11 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       namespace: default
     
     spec:
-      minVersion: VersionTLS13
+      minVersion: VersionTLS12
       cipherSuites:
 	    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-	    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-	    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+	    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+	    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 	    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 	    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     
@@ -304,7 +301,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       entryPoints:
         - web
       routes:
-        - match: Host(`bar.com`)
+        - match: Host(`example.com`)
           kind: Rule
           services:
             - name: whoami
@@ -322,50 +319,122 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       - "traefik.http.routers.router0.tls.options=myTLSOptions@file"
     ```
 
-## HTTP to HTTPS Redirection Is Now Configured on Routers
+## HTTP to HTTPS Redirection is Now Configured on Routers
 
 Previously on Traefik v1, the redirection was applied on an entry point or on a frontend.
-With Traefik v2 it is applied on a [Router](../routing/routers/index.md). 
+With Traefik v2 it is applied on an entry point or a [Router](../routing/routers/index.md). 
 
-To apply a redirection, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
+To apply a redirection:
 
-!!! example "HTTP to HTTPS redirection"
+- on an entry point, the [HTTP redirection](../routing/entrypoints.md#redirection) has to be configured.
+- on a router, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
+
+!!! example "Global HTTP to HTTPS redirection"
 
     !!! info "v1"
     
     ```toml tab="File (TOML)"
     # static configuration
-    defaultEntryPoints = ["http", "https"]
+    defaultEntryPoints = ["web", "websecure"]
     
     [entryPoints]
-      [entryPoints.http]
+      [entryPoints.web]
         address = ":80"
-        [entryPoints.http.redirect]
-          entryPoint = "https"
+        [entryPoints.web.redirect]
+          entryPoint = "websecure"
 
-      [entryPoints.https]
+      [entryPoints.websecure]
         address = ":443"
-        [entryPoints.https.tls]
-          [[entryPoints.https.tls.certificates]]
-            certFile = "examples/traefik.crt"
-            keyFile = "examples/traefik.key"
+        [entryPoints.websecure.tls]
     ```
 
     ```bash tab="CLI"
-    --entrypoints=Name:web Address::80 Redirect.EntryPoint:web-secure
-    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key'
+    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
+    --entryPoints='Name:websecure Address::443 TLS'
+    ```
+
+    !!! info "v2"
+    
+    ```bash tab="CLI"
+    ## static configuration
+    
+    --entrypoints.web.address=:80
+    --entrypoints.web.http.redirections.entrypoint.to=websecure
+    --entrypoints.web.http.redirections.entrypoint.scheme=https
+    --entrypoints.websecure.address=:443
+    --providers.docker=true
+    ```
+    
+    ```toml tab="File (TOML)"
+    # traefik.toml
+    ## static configuration
+    
+    [entryPoints.web]
+      address = ":80"
+      [entryPoints.web.http.redirections.entryPoint]
+        to = "websecure"
+        scheme = "https"
+   
+    [entryPoints.websecure]
+      address = ":443"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # traefik.yaml
+    ## static configuration
+    
+    entryPoints:
+      web:
+        address: 80
+        http:
+          redirections:
+            entrypoint:
+              to: websecure
+              scheme: https
+    
+      websecure:
+        address: 443
+    ```
+
+!!! example "HTTP to HTTPS redirection per domain"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+        [entryPoints.websecure.tls]
+    
+    [file]
+    
+    [frontends]
+      [frontends.frontend1]
+        entryPoints = ["web", "websecure"]
+        [frontends.frontend1.routes]
+          [frontends.frontend1.routes.route0]
+            rule = "Host:example.net"
+        [frontends.frontend1.redirect]
+          entryPoint = "websecure"
     ```
 
     !!! info "v2"
 
     ```yaml tab="Docker"
     labels:
-    - traefik.http.routers.web.rule=Host(`foo.com`)
-    - traefik.http.routers.web.entrypoints=web
-    - traefik.http.routers.web.middlewares=redirect@file
-    - traefik.http.routers.web-secured.rule=Host(`foo.com`)
-    - traefik.http.routers.web-secured.entrypoints=web-secure
-    - traefik.http.routers.web-secured.tls=true
+      traefik.http.routers.app.rule: Host(`example.net`)
+      traefik.http.routers.app.entrypoints: web
+      traefik.http.routers.app.middlewares: https_redirect
+    
+      traefik.http.routers.appsecured.rule: Host(`example.net`)
+      traefik.http.routers.appsecured.entrypoints: websecure
+      traefik.http.routers.appsecured.tls: true
+    
+      traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
+      traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
     ```
 
     ```yaml tab="K8s IngressRoute"
@@ -378,13 +447,13 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
       entryPoints:
         - web
       routes:
-        - match: Host(`foo.com`)
+        - match: Host(`example.net`)
           kind: Rule
           services:
             - name: whoami
               port: 80
           middlewares:
-            - name: redirect
+            - name: https-redirect
     
     ---
     apiVersion: traefik.containo.us/v1alpha1
@@ -394,7 +463,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     
     spec:
       entryPoints:
-        - web-secure
+        - websecure
       routes:
         - match: Host(`foo`)
           kind: Rule
@@ -407,119 +476,76 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
-      name: redirect
+      name: https-redirect
     spec:
       redirectScheme:
         scheme: https
-      
+        permanent: true
     ```
 
     ```toml tab="File (TOML)"
-    ## static configuration
-    # traefik.toml
-    
-    [entryPoints.web]
-      address = ":80"
-    
-    [entryPoints.web-secure]
-      address = ":443"
-    
-    ##---------------------##
-    
     ## dynamic configuration
     # dynamic-conf.toml
     
     [http.routers]
       [http.routers.router0]
-        rule = "Host(`foo.com`)"
+        rule = "Host(`example.net`)"
         service = "my-service"
         entrypoints = ["web"]
-        middlewares = ["redirect"]
+        middlewares = ["https_redirect"]
     
     [http.routers.router1]
-        rule = "Host(`foo.com`)"
+        rule = "Host(`example.net`)"
         service = "my-service"
-        entrypoints = ["web-secure"]
+        entrypoints = ["websecure"]
         [http.routers.router1.tls]
-        
-    [http.services]
-      [[http.services.my-service.loadBalancer.servers]]
-        url = "http://10.10.10.1:80"
-      [[http.services.my-service.loadBalancer.servers]]
-        url = "http://10.10.10.2:80"
     
     [http.middlewares]
-      [http.middlewares.redirect.redirectScheme]
+      [http.middlewares.https_redirect.redirectScheme]
         scheme = "https"
-    
-    [[tls.certificates]]
-      certFile = "/path/to/domain.cert"
-      keyFile = "/path/to/domain.key"
+        permanent = true
     ```
 
     ```yaml tab="File (YAML)"
-    ## static configuration
-    # traefik.yml
-    
-    entryPoints:
-      web:
-        address: ":80"
-    
-      web-secure:
-        address: ":443"
-    
-    ##---------------------##
-    
     ## dynamic configuration
     # dynamic-conf.yml
     
     http:
       routers:
         router0:
-          rule: "Host(`foo.com`)"
+          rule: "Host(`example.net`)"
           entryPoints:
             - web
           middlewares:
-            - redirect
+            - https_redirect
           service: my-service
     
         router1:
-          rule: "Host(`foo.com`)"
+          rule: "Host(`example.net`)"
           entryPoints:
-            - web-secure
+            - websecure
           service: my-service
           tls: {}
     
-      services:
-        my-service:
-          loadBalancer:
-            servers:
-              - url: http://10.10.10.1:80
-              - url: http://10.10.10.2:80
-    
       middlewares:
-        redirect:
+        https-redirect:
           redirectScheme:
             scheme: https
-    
-    tls:
-      certificates:
-        - certFile: /app/certs/server/server.pem
-          keyFile: /app/certs/server/server.pem
+            permanent: true
     ```
 
 ## Strip and Rewrite Path Prefixes
 
 With the new core notions of v2 (introduced earlier in the section
 ["Frontends and Backends Are Dead... Long Live Routers, Middlewares, and Services"](#frontends-and-backends-are-dead-long-live-routers-middlewares-and-services)),
-transforming the URL path prefix of incoming requests is configured with [middlewares](../../middlewares/overview/),
-after the routing step with [router rule `PathPrefix`](https://docs.traefik.io/v2.0/routing/routers/#rule).
+transforming the URL path prefix of incoming requests is configured with [middlewares](../middlewares/overview.md),
+after the routing step with [router rule `PathPrefix`](../routing/routers/index.md#rule).
 
-Use Case: Incoming requests to `http://company.org/admin` are forwarded to the webapplication "admin",
+Use Case: Incoming requests to `http://example.org/admin` are forwarded to the webapplication "admin",
 with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, you must:
 
-* First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
-* Then, define a middleware of type [`stripprefix`](../../middlewares/stripprefix/), which remove the prefix `/admin`, associated to the router `admin`.
+- First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
+- Then, define a middleware of type [`stripprefix`](../middlewares/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
 
 !!! example "Strip Path Prefix When Forwarding to Backend"
 
@@ -527,7 +553,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 
     ```yaml tab="Docker"
     labels:
-      - "traefik.frontend.rule=Host:company.org;PathPrefixStrip:/admin"
+      - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
     ```
 
     ```yaml tab="Kubernetes Ingress"
@@ -540,7 +566,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
         traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
     spec:
       rules:
-      - host: company.org
+      - host: example.org
         http:
           paths:
           - path: /admin
@@ -552,14 +578,14 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     ```toml tab="File (TOML)"
     [frontends.admin]
       [frontends.admin.routes.admin_1]
-      rule = "Host:company.org;PathPrefixStrip:/admin"
+      rule = "Host:example.org;PathPrefixStrip:/admin"
     ```
 
     !!! info "v2"
 
     ```yaml tab="Docker"
     labels:
-      - "traefik.http.routers.admin.rule=Host(`company.org`) && PathPrefix(`/admin`)"
+      - "traefik.http.routers.admin.rule=Host(`example.org`) && PathPrefix(`/admin`)"
       - "traefik.http.routers.admin.middlewares=admin-stripprefix"
       - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
     ```
@@ -575,7 +601,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       entryPoints:
         - web
       routes:
-        - match: Host(`company.org`) && PathPrefix(`/admin`)
+        - match: Host(`example.org`) && PathPrefix(`/admin`)
           kind: Rule
           services:
             - name: admin-svc
@@ -583,6 +609,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
           middlewares:
             - name: admin-stripprefix
     ---
+    apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
       name: admin-stripprefix
@@ -597,7 +624,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     # dynamic-conf.toml
 
     [http.routers.router1]
-        rule = "Host(`company.org`) && PathPrefix(`/admin`)"
+        rule = "Host(`example.org`) && PathPrefix(`/admin`)"
         service = "admin-svc"
         entrypoints = ["web"]
         middlewares = ["admin-stripprefix"]
@@ -620,7 +647,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
           service: admin-svc
           middlewares:
             - "admin-stripprefix"
-          rule: "Host(`company.org`) && PathPrefix(`/admin`)"
+          rule: "Host(`example.org`) && PathPrefix(`/admin`)"
 
       middlewares:
         admin-stripprefix:
@@ -635,10 +662,10 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 
     Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/stripprefix/), you can also:
 
-    * Add a path prefix with the [`addprefix` middleware](../../middlewares/addprefix/)
-    * Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/replacepath/)
-    * ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/replacepathregex/)
-    * And a lot more on the [`middlewares` page](../../middlewares/overview/)
+    - Add a path prefix with the [`addprefix` middleware](../../middlewares/addprefix/)
+    - Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/replacepath/)
+    - ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/replacepathregex/)
+    - And a lot more on the [`middlewares` page](../../middlewares/overview/)
 
 ## ACME (LetsEncrypt)
 
@@ -650,34 +677,33 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     
     ```toml tab="File (TOML)"
     # static configuration
-    defaultEntryPoints = ["web-secure","web"]
+    defaultEntryPoints = ["websecure","web"]
     
     [entryPoints.web]
     address = ":80"
       [entryPoints.web.redirect]
       entryPoint = "webs"
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
-      [entryPoints.https.tls]
+      [entryPoints.websecure.tls]
     
     [acme]
-      email = "your-email-here@my-awesome-app.org"
+      email = "your-email-here@example.com"
       storage = "acme.json"
-      entryPoint = "web-secure"
+      entryPoint = "websecure"
       onHostRule = true
-      [acme.httpChallenge]
-        entryPoint = "web"
+      [acme.tlsChallenge]
     ```
 
     ```bash tab="CLI"
-    --defaultentrypoints=web-secure,web
-    --entryPoints=Name:web Address::80 Redirect.EntryPoint:web-secure
-    --entryPoints=Name:web-secure Address::443 TLS
-    --acme.email=your-email-here@my-awesome-app.org
+    --defaultentrypoints=websecure,web
+    --entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure
+    --entryPoints=Name:websecure Address::443 TLS
+    --acme.email=your-email-here@example.com
     --acme.storage=acme.json
-    --acme.entryPoint=web-secure
+    --acme.entryPoint=websecure
     --acme.onHostRule=true
-    --acme.httpchallenge.entrypoint=http
+    --acme.tlschallenge=true
     ```
 
     !!! info "v2"
@@ -688,15 +714,15 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
+      [entryPoints.websecure.http.tls]
+        certResolver = "myresolver"
     
-    [certificatesResolvers.sample.acme]
-      email = "your-email@your-domain.org"
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@example.com"
       storage = "acme.json"
-      [certificatesResolvers.sample.acme.httpChallenge]
-        # used during the challenge
-        entryPoint = "web"
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
     ```
 
     ```yaml tab="File (YAML)"
@@ -704,25 +730,26 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
+        http:
+          tls:
+            certResolver: myresolver
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
-          email: your-email@your-domain.org
+          email: your-email@example.com
           storage: acme.json
-          httpChallenge:
-            # used during the challenge
-            entryPoint: web
+          tlsChallenge: {}
     ```
 
     ```bash tab="CLI"
-    --entryPoints.web.address=:80
-    --entryPoints.websecure.address=:443
-    --certificatesResolvers.sample.acme.email=your-email@your-domain.org
-    --certificatesResolvers.sample.acme.storage=acme.json
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    --certificatesresolvers.myresolver.acme.email=your-email@example.com
+    --certificatesresolvers.myresolver.acme.storage=acme.json
+    --certificatesresolvers.myresolver.acme.tlschallenge=true
     ```
 
 ## Traefik Logs
@@ -773,6 +800,13 @@ There is no more log configuration at the root level.
     --log.format=json
     ```
 
+## Access Logs
+
+Access Logs are configured in the same way as before.
+
+But all request headers are now filtered out by default in Traefik v2.
+So during migration, you might want to consider enabling some needed fields (see [access log configuration](../observability/access-logs.md)).
+
 ## Tracing
 
 Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is gone, you just have to set your [tracing configuration](../observability/tracing/overview.md).
@@ -901,7 +935,7 @@ Each root item has been moved to a related section or removed.
     providersThrottleDuration = "2s"
     AllowMinWeightZero = true
     debug = true
-    defaultEntryPoints = ["web", "web-secure"]
+    defaultEntryPoints = ["web", "websecure"]
     keepTrailingSlash = false
     ```
 
@@ -915,7 +949,7 @@ Each root item has been moved to a related section or removed.
     --providersthrottleduration=2s
     --allowminweightzero=true
     --debug=true
-    --defaultentrypoints=web,web-secure
+    --defaultentrypoints=web,websecure
     --keeptrailingslash=true
     ```
 
@@ -971,14 +1005,11 @@ Each root item has been moved to a related section or removed.
 ## Dashboard
 
 You need to activate the API to access the [dashboard](../operations/dashboard.md).
-As the dashboard access is now secured by default you can either:
 
-* define a  [specific router](../operations/api.md#configuration) with the `api@internal` service and one authentication middleware like the following example
-* or use the [insecure](../operations/api.md#insecure) option of the API
+To activate the dashboard, you can either:
 
-!!! info "Dashboard with k8s and dedicated router"
-
-    As `api@internal` is not a Kubernetes service, you have to use the file provider or the `insecure` API option.
+- use the [secure mode](../operations/dashboard.md#secure-mode) with the `api@internal` service like in the following examples
+- or use the [insecure mode](../operations/api.md#insecure)
 
 !!! example "Activate and access the dashboard"
 
@@ -988,21 +1019,21 @@ As the dashboard access is now secured by default you can either:
     ## static configuration
     # traefik.toml
     
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
-      [entryPoints.web-secure.tls]
-      [entryPoints.web-secure.auth]
-        [entryPoints.web-secure.auth.basic]
+      [entryPoints.websecure.tls]
+      [entryPoints.websecure.auth]
+        [entryPoints.websecure.auth.basic]
           users = [
             "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
           ]
     
     [api]
-      entryPoint = "web-secure"
+      entryPoint = "websecure"
     ```
 
     ```bash tab="CLI"
-    --entryPoints='Name:web-secure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
+    --entryPoints='Name:websecure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
     --api
     ```
 
@@ -1012,7 +1043,7 @@ As the dashboard access is now secured by default you can either:
     # dynamic configuration
     labels:
       - "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
-      - "traefik.http.routers.api.entrypoints=web-secured"
+      - "traefik.http.routers.api.entrypoints=websecure"
       - "traefik.http.routers.api.service=api@internal"
       - "traefik.http.routers.api.middlewares=myAuth"
       - "traefik.http.routers.api.tls"
@@ -1023,7 +1054,7 @@ As the dashboard access is now secured by default you can either:
     ## static configuration
     # traefik.toml
     
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
     
     [api]
@@ -1038,7 +1069,7 @@ As the dashboard access is now secured by default you can either:
     
     [http.routers.api]
       rule = "Host(`traefik.docker.localhost`)"
-      entrypoints = ["web-secure"]
+      entrypoints = ["websecure"]
       service = "api@internal"
       middlewares = ["myAuth"]
       [http.routers.api.tls]
@@ -1054,7 +1085,7 @@ As the dashboard access is now secured by default you can either:
     # traefik.yaml
     
     entryPoints:
-      web-secure:
+      websecure:
         address: ':443'
         
     api: {}
@@ -1073,7 +1104,7 @@ As the dashboard access is now secured by default you can either:
         api:
           rule: Host(`traefik.docker.localhost`)
           entrypoints:
-            - web-secure
+            - websecure
           service: api@internal
           middlewares:
             - myAuth
@@ -1090,28 +1121,28 @@ As the dashboard access is now secured by default you can either:
 
 Supported [providers](../providers/overview.md), for now:
 
-* [ ] Azure Service Fabric
-* [ ] BoltDB
-* [ ] Consul
-* [x] Consul Catalog
-* [x] Docker
-* [ ] DynamoDB
-* [ ] ECS
-* [ ] Etcd
-* [ ] Eureka
-* [x] File
-* [x] Kubernetes Ingress (without annotations)
-* [x] Kubernetes IngressRoute
-* [x] Marathon
-* [ ] Mesos
-* [x] Rancher
-* [x] Rest
-* [ ] Zookeeper
+- [ ] Azure Service Fabric
+- [x] Consul
+- [x] Consul Catalog
+- [x] Docker
+- [ ] DynamoDB
+- [ ] ECS
+- [x] Etcd
+- [ ] Eureka
+- [x] File
+- [x] Kubernetes Ingress
+- [x] Kubernetes IngressRoute
+- [x] Marathon
+- [ ] Mesos
+- [x] Rancher
+- [x] Redis
+- [x] Rest
+- [x] Zookeeper
 
 ## Some Tips You Should Know
 
-* Different sources of static configuration (file, CLI flags, ...) cannot be [mixed](../getting-started/configuration-overview.md#the-static-configuration).
-* Now, configuration elements can be referenced between different providers by using the provider namespace notation: `@<provider>`.
+- Different sources of static configuration (file, CLI flags, ...) cannot be [mixed](../getting-started/configuration-overview.md#the-static-configuration).
+- Now, configuration elements can be referenced between different providers by using the provider namespace notation: `@<provider>`.
   For instance, a router named `myrouter` in a File Provider can refer to a service named `myservice` defined in Docker Provider with the following notation: `myservice@docker`.
-* Middlewares are applied in the same order as their declaration in router.
-* If you have any questions feel free to join our [community forum](https://community.containo.us).
+- Middlewares are applied in the same order as their declaration in router.
+- If you have any questions feel free to join our [community forum](https://community.traefik.io).

docs/content/migration/v2.md

@@ -0,0 +1,338 @@
+# Migration: Steps needed between the versions
+
+## v2.0 to v2.1
+
+### Kubernetes CRD
+
+In v2.1, a new Kubernetes CRD called `TraefikService` was added.
+While updating an installation to v2.1,
+one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
+
+To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TraefikService"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+```
+
+After having both resources applied, Traefik will work properly.
+
+## v2.1 to v2.2
+
+### Headers middleware: accessControlAllowOrigin
+
+`accessControlAllowOrigin` is deprecated.
+This field will be removed in future 2.x releases.
+Please configure your allowed origins in `accessControlAllowOriginList` instead.
+
+### Kubernetes CRD
+
+In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
+While updating an installation to v2.2,
+one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
+
+To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TLSStore"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
+```
+
+```yaml tab="IngressRouteUDP"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+    verbs:
+      - get
+      - list
+      - watch
+
+```
+
+After having both resources applied, Traefik will work properly.
+
+### Kubernetes Ingress
+
+To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.
+
+#### Expose an Ingress on 80 and 443
+
+Define the default TLS configuration on the HTTPS entry point. 
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: "/foo"
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+    http:
+      tls: {}
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+  [entryPoints.websecure.http]
+    [entryPoints.websecure.http.tls]
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.tls=true
+--providers.kubernetesIngress=true
+```
+
+#### Use TLS only on one Ingress
+
+Define the TLS restriction with annotations.
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example-tls
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: ""
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--providers.kubernetesIngress=true
+```
+
+## v2.2.2 to v2.2.5
+
+### InsecureSNI removal
+
+In `v2.2.2` we introduced a new flag (`insecureSNI`) which was available as a global option to disable domain fronting.
+Since `v2.2.5` this global option has been removed, and you should not use it anymore.
+
+### HostSNI rule matcher removal
+
+In `v2.2.2` we introduced a new rule matcher (`HostSNI`) for HTTP routers which was allowing to match the Server Name Indication at the router level.
+Since `v2.2.5` this rule has been removed for HTTP routers, and you should not use it anymore.
+
+## v2.2 to v2.3
+
+### X.509 CommonName Deprecation
+
+The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present, is now disabled by default.
+
+It means that if one is using https with your backend servers, and a certificate with only a CommonName,
+Traefik will not try to match the server name indication with the CommonName anymore.
+
+It can be temporarily re-enabled by adding the value `x509ignoreCN=0` to the `GODEBUG` environment variable.
+
+More information: https://golang.org/doc/go1.15#commonname
+
+### File Provider
+
+The file parser has been changed, since v2.3 the unknown options/fields in a dynamic configuration file are treated as errors.
+
+### IngressClass
+
+In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
+In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated. 

docs/content/observability/access-logs.md

@@ -35,7 +35,7 @@ If the given format is unsupported, the default (CLF) is used instead.
 !!! info "Common Log Format"
     
     ```html
-    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
 
 ### `bufferingSize`
@@ -111,9 +111,9 @@ accessLog:
 --accesslog.filters.minduration=10ms
 ```
 
-### Limiting the Fields
+### Limiting the Fields/Including Headers
 
-You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options
+You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.headers` options.
 
 Each field can be set to:
 
@@ -121,7 +121,7 @@ Each field can be set to:
 - `drop` to drop the value
 - `redact` to replace the value with "redacted"
 
-The `defaultMode` for `fields.header` is `drop`.
+The `defaultMode` for `fields.headers` is `drop`.
 
 ```toml tab="File (TOML)"
 # Limiting the Logs to Specific Fields
@@ -181,10 +181,10 @@ accessLog:
     | `StartUTC`              | The time at which request processing started.                                                                                                                       |
     | `StartLocal`            | The local time at which request processing started.                                                                                                                 |
     | `Duration`              | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time.                                  |
-    | `FrontendName`          | The name of the Traefik frontend.                                                                                                                                   |
-    | `BackendName`           | The name of the Traefik backend.                                                                                                                                    |
-    | `BackendURL`            | The URL of the Traefik backend.                                                                                                                                     |
-    | `BackendAddr`           | The IP:port of the Traefik backend (extracted from `BackendURL`)                                                                                                    |
+    | `RouterName`            | The name of the Traefik  router.                                                                                                                                    |
+    | `ServiceName`           | The name of the Traefik backend.                                                                                                                                    |
+    | `ServiceURL`            | The URL of the Traefik backend.                                                                                                                                     |
+    | `ServiceAddr`           | The IP:port of the Traefik backend (extracted from `ServiceURL`)                                                                                                    |
     | `ClientAddr`            | The remote address in its original form (usually IP:port).                                                                                                          |
     | `ClientHost`            | The remote IP address from which the client request was received.                                                                                                   |
     | `ClientPort`            | The remote TCP port from which the client request was received.                                                                                                     |
@@ -195,6 +195,7 @@ accessLog:
     | `RequestMethod`         | The HTTP method.                                                                                                                                                    |
     | `RequestPath`           | The HTTP request URI, not including the scheme, host or port.                                                                                                       |
     | `RequestProtocol`       | The version of HTTP requested.                                                                                                                                      |
+    | `RequestScheme`         | The HTTP scheme requested `http` or `https`.                                                                                                                        |
     | `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
     | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
     | `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |
@@ -216,3 +217,32 @@ This allows the logs to be rotated and processed by an external program, such as
 
 !!! warning
     This does not work on Windows due to the lack of USR signals.
+
+## Time Zones
+
+Traefik will timestamp each log line in UTC time by default.
+
+It is possible to configure the Traefik to timestamp in a specific timezone by ensuring the following configuration has been made in your environment:
+
+1. Provide time zone data to `/etc/localtime` or `/usr/share/zoneinfo` (based on your distribution) or set the environment variable TZ to the desired timezone
+2. Specify the field `StartLocal` by dropping the field named `StartUTC` (available on the default Common Log Format (CLF) as well as JSON)
+
+Example utilizing Docker Compose:
+
+```yaml
+version: "3.7"
+
+services:
+  traefik:
+    image: traefik:v2.2
+    environment:
+      - TZ=US/Alaska
+    command:
+      - --accesslog
+      - --accesslog.fields.names.StartUTC=drop
+      - --providers.docker
+    ports:
+      - 80:80
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+```

docs/content/observability/tracing/elastic.md

@@ -0,0 +1,88 @@
+# Elastic
+
+To enable the Elastic:
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic: {}
+```
+
+```bash tab="CLI"
+--tracing.elastic=true
+```
+
+#### `serverURL`
+
+_Optional, Default="http://localhost:8200"_
+
+APM ServerURL is the URL of the Elastic APM server.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    serverURL = "http://apm:8200"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    serverURL: "http://apm:8200"
+```
+
+```bash tab="CLI"
+--tracing.elastic.serverurl="http://apm:8200"
+```
+
+#### `secretToken`
+
+_Optional, Default=""_
+
+APM Secret Token is the token used to connect to Elastic APM Server.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    secretToken = "mytoken"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    secretToken: "mytoken"
+```
+
+```bash tab="CLI"
+--tracing.elastic.secrettoken="mytoken"
+```
+
+#### `serviceEnvironment`
+
+_Optional, Default=""_
+
+APM Service Environment is the name of the environment Traefik is deployed in, e.g. `production` or `staging`.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    serviceEnvironment = "production"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    serviceEnvironment: "production"
+```
+
+```bash tab="CLI"
+--tracing.elastic.serviceenvironment="production"
+```
+
+### Further
+
+Additional configuration of Elastic APM Go agent can be done using environment variables.
+See [APM Go agent reference](https://www.elastic.co/guide/en/apm/agent/go/current/configuration.html).

docs/content/observability/tracing/haystack.md

@@ -40,24 +40,24 @@ tracing:
 
 #### `localAgentPort`
 
-_Require, Default=42699_
+_Require, Default=35000_
 
 Local Agent port instructs reporter to send spans to the haystack-agent at this port.
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    localAgentPort = 42699
+    localAgentPort = 35000
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    localAgentPort: 42699
+    localAgentPort: 35000
 ```
 
 ```bash tab="CLI"
---tracing.haystack.localAgentPort=42699
+--tracing.haystack.localAgentPort=35000
 ```
 
 #### `globalTag`
@@ -91,61 +91,61 @@ Specifies the header name that will be used to store the trace ID.
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    traceIDHeaderName = "sample"
+    traceIDHeaderName = "Trace-ID"
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    traceIDHeaderName: sample
+    traceIDHeaderName: Trace-ID
 ```
 
 ```bash tab="CLI"
---tracing.haystack.traceIDHeaderName=sample
+--tracing.haystack.traceIDHeaderName=Trace-ID
 ```
 
 #### `parentIDHeaderName`
 
 _Optional, Default=empty_
 
+Specifies the header name that will be used to store the parent ID.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    parentIDHeaderName = "Parent-Message-ID"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    parentIDHeaderName: Parent-Message-ID
+```
+
+```bash tab="CLI"
+--tracing.haystack.parentIDHeaderName=Parent-Message-ID
+```
+
+#### `spanIDHeaderName`
+
+_Optional, Default=empty_
+
 Specifies the header name that will be used to store the span ID.
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    parentIDHeaderName = "sample"
+    spanIDHeaderName = "Message-ID"
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    parentIDHeaderName: "sample"
+    spanIDHeaderName: Message-ID
 ```
 
 ```bash tab="CLI"
---tracing.haystack.parentIDHeaderName=sample
-```
-
-#### `spanIDHeaderName`
-
-_Optional, Default=empty_
-
-Apply shared tag in a form of Key:Value to all the traces.
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    spanIDHeaderName = "sample:test"
-```
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    spanIDHeaderName: "sample:test"
-```
-
-```bash tab="CLI"
---tracing.haystack.spanIDHeaderName=sample:test
+--tracing.haystack.spanIDHeaderName=Message-ID
 ```
 
 #### `baggagePrefixHeaderName`

docs/content/observability/tracing/jaeger.md

@@ -185,6 +185,29 @@ tracing:
 --tracing.jaeger.traceContextHeaderName=uber-trace-id
 ```
 
+### disableAttemptReconnecting
+
+_Optional, Default=true_
+
+Disable the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
+Enabling the re-resolving of UDP address make the client more robust in Kubernetes deployments.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    disableAttemptReconnecting = false
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    disableAttemptReconnecting: false
+```
+
+```bash tab="CLI"
+--tracing.jaeger.disableAttemptReconnecting=false
+```
+
 ### `collector`
 #### `endpoint`
 

docs/content/observability/tracing/overview.md

@@ -7,13 +7,14 @@ The tracing system allows developers to visualize call flows in their infrastruc
 
 Traefik uses OpenTracing, an open standard designed for distributed tracing.
 
-Traefik supports five tracing backends:
+Traefik supports six tracing backends:
 
 - [Jaeger](./jaeger.md)
 - [Zipkin](./zipkin.md)
 - [Datadog](./datadog.md)
 - [Instana](./instana.md)
 - [Haystack](./haystack.md)
+- [Elastic](./elastic.md)
 
 ## Configuration
 

docs/content/operations/api.md

@@ -50,21 +50,21 @@ And then define a routing configuration on Traefik itself with the
     However, you can also use "path prefix" rule or any combination or rules.
 
     ```bash tab="Host Rule"
-    # Matches http://traefik.domain.com, http://traefik.domain.com/api
-    # or http://traefik.domain.com/hello
-    rule = "Host(`traefik.domain.com`)"
+    # Matches http://traefik.example.com, http://traefik.example.com/api
+    # or http://traefik.example.com/hello
+    rule = "Host(`traefik.example.com`)"
     ```
 
     ```bash tab="Path Prefix Rule"
-    # Matches http://api.traefik.domain.com/api or http://domain.com/api
-    # but does not match http://api.traefik.domain.com/hello
+    # Matches http://api.traefik.example.com/api or http://example.com/api
+    # but does not match http://api.traefik.example.com/hello
     rule = "PathPrefix(`/api`)"
     ```
 
     ```bash tab="Combination of Rules"
-    # Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
-    # but does not match http://traefik.domain.com/hello
-    rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+    # Matches http://traefik.example.com/api or http://traefik.example.com/dashboard
+    # but does not match http://traefik.example.com/hello
+    rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
     ```
 
 ### `insecure`

docs/content/operations/dashboard.md

@@ -72,33 +72,33 @@ to allow defining:
 - A [router rule](#dashboard-router-rule) for accessing the dashboard,
   through Traefik itself (sometimes referred as "Traefik-ception").
 
-??? example "Dashboard Dynamic Configuration Examples"
-    --8<-- "content/operations/include-api-examples.md"
-
 ### Dashboard Router Rule
 
 As underlined in the [documentation for the `api.dashboard` option](./api.md#dashboard),
 the [router rule](../routing/routers/index.md#rule) defined for Traefik must match
 the path prefixes `/api` and `/dashboard`.
 
-We recommend to use a "Host Based rule" as ```Host(`traefik.domain.com`)``` to match everything on the host domain,
+We recommend to use a "Host Based rule" as ```Host(`traefik.example.com`)``` to match everything on the host domain,
 or to make sure that the defined rule captures both prefixes:
 
 ```bash tab="Host Rule"
-# The dashboard can be accessed on http://traefik.domain.com/dashboard/
-rule = "Host(`traefik.domain.com`)"
+# The dashboard can be accessed on http://traefik.example.com/dashboard/
+rule = "Host(`traefik.example.com`)"
 ```
 
 ```bash tab="Path Prefix Rule"
-# The dashboard can be accessed on http://domain.com/dashboard/ or http://traefik.domain.com/dashboard/
+# The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
 rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 ```
 
 ```bash tab="Combination of Rules"
-# The dashboard can be accessed on http://traefik.domain.com/dashboard/
-rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+# The dashboard can be accessed on http://traefik.example.com/dashboard/
+rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```
 
+??? example "Dashboard Dynamic Configuration Examples"
+    --8<-- "content/operations/include-dashboard-examples.md"
+
 ## Insecure Mode
 
 This mode is not recommended because it does not allow the use of security features.

docs/content/operations/include-api-examples.md

@@ -1,7 +1,7 @@
 ```yaml tab="Docker"
 # Dynamic Configuration
 labels:
-  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+  - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
   - "traefik.http.routers.api.service=api@internal"
   - "traefik.http.routers.api.middlewares=auth"
   - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -11,7 +11,7 @@ labels:
 # Dynamic Configuration
 deploy:
   labels:
-    - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+    - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
     - "traefik.http.routers.api.service=api@internal"
     - "traefik.http.routers.api.middlewares=auth"
     - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -19,9 +19,33 @@ deploy:
     - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
 ```
 
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.example.com`)
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
 ```yaml tab="Consul Catalog"
 # Dynamic Configuration
-- "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+- "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
 - "traefik.http.routers.api.service=api@internal"
 - "traefik.http.routers.api.middlewares=auth"
 - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -29,7 +53,7 @@ deploy:
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.routers.api.rule": "Host(`traefik.domain.com`)",
+  "traefik.http.routers.api.rule": "Host(`traefik.example.com`)",
   "traefik.http.routers.api.service": "api@internal",
   "traefik.http.routers.api.middlewares": "auth",
   "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -39,7 +63,7 @@ deploy:
 ```yaml tab="Rancher"
 # Dynamic Configuration
 labels:
-  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+  - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
   - "traefik.http.routers.api.service=api@internal"
   - "traefik.http.routers.api.middlewares=auth"
   - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -48,7 +72,7 @@ labels:
 ```toml tab="File (TOML)"
 # Dynamic Configuration
 [http.routers.my-api]
-  rule = "Host(`traefik.domain.com`)"
+  rule = "Host(`traefik.example.com`)"
   service = "api@internal"
   middlewares = ["auth"]
 
@@ -64,7 +88,7 @@ labels:
 http:
   routers:
     api:
-      rule: Host(`traefik.domain.com`)
+      rule: Host(`traefik.example.com`)
       service: api@internal
       middlewares:
         - auth

docs/content/operations/include-dashboard-examples.md

@@ -0,0 +1,101 @@
+```yaml tab="Docker"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  - "traefik.http.routers.dashboard.service=api@internal"
+  - "traefik.http.routers.dashboard.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Docker (Swarm)"
+# Dynamic Configuration
+deploy:
+  labels:
+    - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+    - "traefik.http.routers.dashboard.service=api@internal"
+    - "traefik.http.routers.dashboard.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+    # Dummy service for Swarm port detection. The port can be any valid integer value.
+    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
+```
+
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
+```yaml tab="Consul Catalog"
+# Dynamic Configuration
+- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+- "traefik.http.routers.dashboard.service=api@internal"
+- "traefik.http.routers.dashboard.middlewares=auth"
+- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.dashboard.rule": "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
+  "traefik.http.routers.dashboard.service": "api@internal",
+  "traefik.http.routers.dashboard.middlewares": "auth",
+  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  - "traefik.http.routers.dashboard.service=api@internal"
+  - "traefik.http.routers.dashboard.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic Configuration
+http:
+  routers:
+    dashboard:
+      rule: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```

docs/content/operations/ping.md

@@ -23,7 +23,8 @@ ping: {}
 
 The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
 
-You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
+The `entryPoint` where the `/ping` is active can be customized with the `entryPoint` option,
+whose default value is `traefik` (port `8080`).
 
 | Path    | Method        | Description                                                                                         |
 |---------|---------------|-----------------------------------------------------------------------------------------------------|
@@ -34,6 +35,8 @@ You can customize the `entryPoint` where the `/ping` is active with the `entryPo
 
 ### `entryPoint`
 
+_Optional, Default="traefik"_
+
 Enabling /ping on a dedicated EntryPoint.
 
 ```toml tab="File (TOML)"
@@ -78,3 +81,28 @@ ping:
 ```bash tab="CLI"
 --ping.manualrouting=true
 ```
+
+### `terminatingStatusCode`
+
+_Optional, Default=503_
+
+During the period in which Traefik is gracefully shutting down, the ping handler
+returns a 503 status code by default. If Traefik is behind e.g. a load-balancer
+doing health checks (such as the Kubernetes LivenessProbe), another code might
+be expected as the signal for graceful termination. In which case, the
+terminatingStatusCode can be used to set the code returned by the ping
+handler during termination.
+
+```toml tab="File (TOML)"
+[ping]
+  terminatingStatusCode = 204
+```
+
+```yaml tab="File (YAML)"
+ping:
+  terminatingStatusCode: 204
+```
+
+```bash tab="CLI"
+--ping.terminatingStatusCode=204
+```

docs/content/plugins/overview.md

@@ -0,0 +1,38 @@
+# Plugins and Traefik Pilot
+
+Overview
+{: .subtitle}
+
+Traefik Pilot is a software-as-a-service (SaaS) platform that connects to Traefik to extend its capabilities.
+It does this through *plugins*, which are dynamically loaded components that enable new features.
+
+For example, Traefik plugins can add features to modify requests or headers, issue redirects, add authentication, and so on, providing similar functionality to Traefik [middlewares](https://doc.traefik.io/traefik/middlewares/overview/).
+
+Traefik Pilot can also monitor connected Traefik instances and issue alerts when one is not responding, or when it is subject to security vulnerabilities.
+
+!!! note "Availability"
+    Plugins are available for Traefik v2.3.0-rc1 and later.
+    
+!!! danger "Experimental Features"
+    Plugins can potentially modify the behavior of Traefik in unforeseen ways.
+    Exercise caution when adding new plugins to production Traefik instances.
+
+## Connecting to Traefik Pilot
+
+Plugins are available when a Traefik instance is connected to Traefik Pilot.
+
+To register a new instance and begin working with plugins, login or create an account at the [Traefik Pilot homepage](https://pilot.traefik.io) and choose **Register New Instance**.
+
+To complete the connection, Traefik Pilot will issue a token that must be added to your Traefik static configuration by following the instructions provided.
+
+!!! note "Enabling Alerts" 
+    Health and security alerts for registered Traefik instances can be enabled from the Preferences in your [Traefik Pilot Profile](https://pilot.traefik.io/profile).
+
+## Creating Plugins
+
+Traefik users can create their own plugins and contribute them to the Traefik Pilot catalog to share them with the community.
+
+Plugins are written in [Go](https://golang.org/) and their code is executed by an [embedded Go interpreter](https://github.com/traefik/yaegi).
+There is no need to compile binaries and all plugins are 100% cross-platform.
+
+To learn more and see code for example Traefik plugins, please see the [developer documentation](https://github.com/traefik/plugindemo).

docs/content/plugins/using-plugins.md

@@ -0,0 +1,122 @@
+# Using Plugins
+
+Plugins are available to any instance of Traefik v2.3 or later that is [registered](overview.md#connecting-to-traefik-pilot) with Traefik Pilot.
+Plugins are hosted on GitHub, but you can browse plugins to add to your registered Traefik instances from the Traefik Pilot UI.
+
+!!! danger "Experimental Features"
+    Plugins can potentially modify the behavior of Traefik in unforeseen ways.
+    Exercise caution when adding new plugins to production Traefik instances.
+
+## Add a Plugin
+
+To add a new plugin to a Traefik instance, you must modify that instance's static configuration.
+The code to be added is provided by the Traefik Pilot UI when you choose **Install the Plugin**.
+
+In the example below, we add the [`blockpath`](http://github.com/traefik/plugin-blockpath) and [`rewritebody`](https://github.com/traefik/plugin-rewritebody) plugins:
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+
+[pilot]
+  token = "xxxxxxxxx"
+
+[experimental.plugins]
+  [experimental.plugins.block]
+    modulename = "github.com/traefik/plugin-blockpath"
+    version = "v0.2.0"
+    
+  [experimental.plugins.rewrite]
+    modulename = "github.com/traefik/plugin-rewritebody"
+    version = "v0.3.0"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  web:
+    address: :80
+
+pilot:
+    token: xxxxxxxxx
+
+experimental:
+  plugins:
+    block:
+      modulename: github.com/traefik/plugin-blockpath
+      version: v0.2.0
+    rewrite:
+      modulename: github.com/traefik/plugin-rewritebody
+      version: v0.3.0
+```
+
+```bash tab="CLI"
+--entryPoints.web.address=:80
+--pilot.token=xxxxxxxxx
+--experimental.plugins.block.modulename=github.com/traefik/plugin-blockpath
+--experimental.plugins.block.version=v0.2.0
+--experimental.plugins.rewrite.modulename=github.com/traefik/plugin-rewritebody
+--experimental.plugins.rewrite.version=v0.3.0
+```
+
+## Configuring Plugins
+
+Some plugins will need to be configured by adding a dynamic configuration.
+For the `bodyrewrite` plugin, for example:
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example"
+  - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: my-rewritebody
+spec:
+  plugin:
+    rewrite:
+      rewrites:
+        - regex: example
+          replacement: test
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example"
+- "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex": "example",
+  "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement": "test"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example"
+  - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.my-rewritebody.plugin.rewrite]
+    lastModified = true
+    [[http.middlewares.my-rewritebody.plugin.rewrite.rewrites]]
+      regex = "example"
+      replacement = "test"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    my-rewritebody:
+      plugin:
+        rewrite:
+          rewrites:
+            - regex: example
+              replacement: test
+```

docs/content/providers/consul-catalog.md

@@ -29,7 +29,7 @@ Attach tags to your services and let Traefik do the rest!
     Attaching tags to services
 
     ```yaml
-    - traefik.http.services.my-service.rule=Host(`mydomain.com`)
+    - traefik.http.routers.my-router.rule=Host(`example.com`)
     ```
 
 ## Routing Configuration
@@ -565,7 +565,7 @@ Constraints is an expression that Traefik matches against the service's tags to
 That is to say, if none of the service's tags match the expression, no route for that service is created.
 If the expression is empty, all detected services are included.
 
-The expression syntax is based on the `Tag("tag")`, and `TagRegex("tag")` functions,
+The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
 as well as the usual boolean logic, as shown in examples below.
 
 ??? example "Constraints Expression Examples"

docs/content/providers/consul.md

@@ -0,0 +1,216 @@
+# Traefik & Consul
+
+A Story of KV store & Containers
+{: .subtitle }
+
+Store your configuration in Consul and let Traefik do the rest!
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kv.md).
+
+## Provider Configuration
+
+### `endpoints`
+
+_Required, Default="127.0.0.1:8500"_
+
+Defines how to access to Consul.
+
+```toml tab="File (TOML)"
+[providers.consul]
+  endpoints = ["127.0.0.1:8500"]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    endpoints:
+      - "127.0.0.1:8500"
+```
+
+```bash tab="CLI"
+--providers.consul.endpoints=127.0.0.1:8500
+```
+
+### `rootKey`
+
+Defines the root key of the configuration.
+
+_Required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.consul]
+  rootKey = "traefik"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    rootKey: "traefik"
+```
+
+```bash tab="CLI"
+--providers.consul.rootkey=traefik
+```
+
+### `username`
+
+Defines a username to connect with Consul.
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  username = "foo"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    # ...
+    usename: "foo"
+```
+
+```bash tab="CLI"
+--providers.consul.username=foo
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines a password to connect with Consul.
+
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  password = "bar"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    # ...
+    password: "bar"
+```
+
+```bash tab="CLI"
+--providers.consul.password=foo
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to Consul.
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.consul.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to Consul.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.consul.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to Consul.
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.consul.tls.cert=path/to/foo.cert
+--providers.consul.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to Consul.
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.consul.tls.cert=path/to/foo.cert
+--providers.consul.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Consul accepts any certificate presented by the server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.consul.tls.insecureSkipVerify=true
+```

docs/content/providers/docker.md

@@ -40,7 +40,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
       my-container:
         # ...
         labels:
-          - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+          - traefik.http.routers.my-container.rule=Host(`example.com`)
     ```
 
 ??? example "Configuring Docker Swarm & Deploying / Exposing Services"
@@ -60,14 +60,17 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
     providers:
       docker:
         # swarm classic (1.12-)
-        # endpoint = "tcp://127.0.0.1:2375"
+        # endpoint: "tcp://127.0.0.1:2375"
         # docker swarm mode (1.12+)
-        endpoint: "tcp://127.0.0.1:2375"
+        endpoint: "tcp://127.0.0.1:2377"
         swarmMode: true
     ```
     
     ```bash tab="CLI"
-    --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # swarm classic (1.12-)
+    # --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # docker swarm mode (1.12+)
+    --providers.docker.endpoint=tcp://127.0.0.1:2377
     --providers.docker.swarmMode=true
     ```
 
@@ -79,14 +82,14 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
       my-container:
         deploy:
           labels:
-            - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+            - traefik.http.routers.my-container.rule=Host(`example.com`)
             - traefik.http.services.my-container-service.loadbalancer.server.port=8080
     ```
 
 ## Routing Configuration
 
-When using Docker as a [provider](https://docs.traefik.io/providers/overview/),
-Trafik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
+When using Docker as a [provider](./overview.md),
+Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
 
 See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
 
@@ -116,6 +119,20 @@ Ports detection works as follows:
   by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
   (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#port)).
 
+### Host networking
+
+When exposing containers that are configured with [host networking](https://docs.docker.com/network/host/),
+the IP address of the host is resolved as follows:
+
+<!-- TODO: verify and document the swarm mode case with container.Node.IPAddress coming from the API -->
+- try a lookup of `host.docker.internal`
+- otherwise fall back to `127.0.0.1`
+
+On Linux, (and until [github.com/moby/moby/pull/40007](https://github.com/moby/moby/pull/40007) is included in a release),
+for `host.docker.internal` to be defined, it should be provided as an `extra_host` to the Traefik container,
+using the `--add-host` flag. For example, to set it to the IP address of the bridge interface (docker0 by default):
+`--add-host=host.docker.internal:172.17.0.1`
+
 ### Docker API Access
 
 Traefik requires access to the docker socket to get its dynamic configuration.
@@ -135,25 +152,26 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
 
     ??? success "Solutions"
 
-        Expose the Docker socket over TCP, instead of the default Unix socket file.
+        Expose the Docker socket over TCP or SSH, instead of the default Unix socket file.
         It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
 
         - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
         - Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
-        - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
+        - Authorization with the [Docker Authorization Plugin Mechanism](https://web.archive.org/web/20190920092526/https://docs.docker.com/engine/extend/plugins_authorization/)
         - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
         - Accounting at container level, by exposing the socket on a another container than Traefik's.
           With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
         - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
+        - SSH public key authentication (SSH is supported with Docker > 18.09)
 
     ??? info "More Resources and Examples"
         - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
-        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.containo.us/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
+        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
         - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
         - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
         - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
         - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
-        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
+        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
         - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
         - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
         - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
@@ -184,7 +202,7 @@ Therefore you **must** specify the port to use for communication by using the la
 Docker Swarm Mode follows the same rules as Docker [API Access](#docker-api-access).
 
 As the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes), you should schedule Traefik on the Swarm manager nodes by default,
-by deploying Traefik with a [constraint](https://success.docker.com/article/using-contraints-and-labels-to-control-the-placement-of-containers) on the node's "role":
+by deploying Traefik with a constraint on the node's "role":
 
 ```shell tab="With Docker CLI"
 docker service create \
@@ -246,7 +264,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
 
     services:
       traefik:
-         image: traefik:v2.0 # The official v2.0 Traefik docker image
+         image: traefik:v2.3 # The official v2 Traefik docker image
          ports:
            - "80:80"
          volumes:
@@ -273,6 +291,30 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
     # ...
     ```
 
+??? example "Using SSH"
+
+    Using Docker 18.09+ you can connect Traefik to daemon using SSH
+    We specify the SSH host and user in Traefik's configuration file.
+    Note that is server requires public keys for authentication you must have those accessible for user who runs Traefik.
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "ssh://traefik@192.168.2.5:2022"
+      # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        endpoint: "ssh://traefik@192.168.2.5:2022"
+         # ...
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker.endpoint=ssh://traefik@192.168.2.5:2022
+    # ...
+    ```
+
 ### `useBindPortIP`
 
 _Optional, Default=false_
@@ -434,24 +476,48 @@ _Optional, Default=15_
 
 ```toml tab="File (TOML)"
 [providers.docker]
-  swarmModeRefreshSeconds = "30s"
+  swarmModeRefreshSeconds = 30
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   docker:
-    swarmModeRefreshSeconds: "30s"
+    swarmModeRefreshSeconds: 30
     # ...
 ```
 
 ```bash tab="CLI"
---providers.docker.swarmModeRefreshSeconds=30s
+--providers.docker.swarmModeRefreshSeconds=30
 # ...
 ```
 
 Defines the polling interval (in seconds) in Swarm Mode.
 
+### `watch`
+
+_Optional, Default=true_
+
+```toml tab="File (TOML)"
+[providers.docker]
+  watch = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    watch: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.watch=false
+# ...
+```
+
+Watch Docker Swarm events.
+
 ### `constraints`
 
 _Optional, Default=""_

docs/content/providers/ecs.md

@@ -0,0 +1,223 @@
+# Traefik & AWS ECS
+
+A Story of Labels & Elastic Containers
+{: .subtitle }
+
+Attach labels to your ECS containers and let Traefik do the rest!
+
+## Configuration Examples
+
+??? example "Configuring ECS provider"
+
+    Enabling the ECS provider:
+    
+    ```toml tab="File (TOML)"
+    [providers.ecs]
+      clusters = ["default"]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      ecs:
+        clusters:
+          - default
+    ```
+    
+    ```bash tab="CLI"
+    --providers.ecs.clusters=default
+    ```
+
+## Policy
+
+Traefik needs the following policy to read ECS information:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "TraefikECSReadAccess",
+            "Effect": "Allow",
+            "Action": [
+                "ecs:ListClusters",
+                "ecs:DescribeClusters",
+                "ecs:ListTasks",
+                "ecs:DescribeTasks",
+                "ecs:DescribeContainerInstances",
+                "ecs:DescribeTaskDefinition",
+                "ec2:DescribeInstances"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}
+```
+
+## Provider configuration
+
+### `autoDiscoverClusters`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  autoDiscoverClusters = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    autoDiscoverClusters: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.autoDiscoverClusters=true
+# ...
+```
+
+Search for services in clusters list.
+
+- If set to `true` the configured clusters will be ignored and the clusters will be discovered.
+- If set to `false` the services will be discovered only in configured clusters.
+
+### `clusters`
+
+_Optional, Default=["default"]_
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  cluster = ["default"]
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    clusters:
+      - default
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.clusters=default
+# ...
+```
+
+Search for services in clusters list.
+
+### `exposedByDefault`
+
+_Optional, Default=true_
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.exposedByDefault=false
+# ...
+```
+
+Expose ECS services by default in Traefik.
+If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
+
+### `defaultRule`
+
+_Optional, Default=```Host(`{{ normalize .Name }}`)```_
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+# ...
+```
+
+For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
+It must be a valid [Go template](https://golang.org/pkg/text/template/),
+augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
+The service name can be accessed as the `Name` identifier,
+and the template has access to all the labels defined on this container.
+
+### `refreshSeconds`
+
+_Optional, Default=15_
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  refreshSeconds = 15
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    refreshSeconds: 15
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.refreshSeconds=15
+# ...
+```
+
+Polling interval (in seconds).
+
+### Credentials
+
+_Optional_
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  region = "us-east-1"
+  accessKeyID = "abc"
+  secretAccessKey = "123"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    region: us-east-1
+    accessKeyID: "abc"
+    secretAccessKey: "123"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.region="us-east-1"
+--providers.ecs.accessKeyID="abc"
+--providers.ecs.secretAccessKey="123"
+# ...
+```
+
+If `region` is not provided, it will be resolved from the EC2 metadata endpoint for EC2 tasks. 
+In a FARGATE context it will be resolved from the `AWS_REGION` env variable.
+
+If `accessKeyID` / `secretAccessKey` are not provided, credentials will be resolved in the following order:
+
+- From environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
+- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to default and `~/.aws/credentials`.
+- EC2 instance role or ECS task role

docs/content/providers/etcd.md

@@ -0,0 +1,216 @@
+# Traefik & Etcd
+
+A Story of KV store & Containers
+{: .subtitle }
+
+Store your configuration in Etcd and let Traefik do the rest!
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kv.md).
+
+## Provider Configuration
+
+### `endpoints`
+
+_Required, Default="127.0.0.1:2379"_
+
+Defines how to access to Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd]
+  endpoints = ["127.0.0.1:2379"]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    endpoints:
+      - "127.0.0.1:2379"
+```
+
+```bash tab="CLI"
+--providers.etcd.endpoints=127.0.0.1:2379
+```
+
+### `rootKey`
+
+Defines the root key of the configuration.
+
+_Required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.etcd]
+  rootKey = "traefik"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    rootKey: "traefik"
+```
+
+```bash tab="CLI"
+--providers.etcd.rootkey=traefik
+```
+
+### `username`
+
+Defines a username to connect with Etcd.
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.etcd]
+  # ...
+  username = "foo"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    # ...
+    usename: "foo"
+```
+
+```bash tab="CLI"
+--providers.etcd.username=foo
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines a password to connect with Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd]
+  # ...
+  password = "bar"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    # ...
+    password: "bar"
+```
+
+```bash tab="CLI"
+--providers.etcd.password=foo
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to Etcd.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.cert=path/to/foo.cert
+--providers.etcd.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.cert=path/to/foo.cert
+--providers.etcd.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Etcd accepts any certificate presented by the server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.insecureSkipVerify=true
+```

docs/content/providers/file.md

@@ -47,22 +47,22 @@ You can write one of these mutually exclusive configuration elements:
           middlewares = ["my-basic-auth"]
           service = "service-foo"
           rule = "Path(`/foo`)"
-    
-        # Add the middleware
-        [http.middlewares]    
-          [http.middlewares.my-basic-auth.basicAuth]
-            users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
-                      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
-            usersFile = "etc/traefik/.htpasswd"
-        
-        # Add the service
-        [http.services]
-          [http.services.service-foo]
-            [http.services.service-foo.loadBalancer]
-              [[http.services.service-foo.loadBalancer.servers]]
-                url = "http://foo/"
-              [[http.services.service-foo.loadBalancer.servers]]
-                url = "http://bar/"
+      
+      # Add the middleware
+      [http.middlewares]    
+        [http.middlewares.my-basic-auth.basicAuth]
+          users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+                    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+          usersFile = "etc/traefik/.htpasswd"
+      
+      # Add the service
+      [http.services]
+        [http.services.service-foo]
+          [http.services.service-foo.loadBalancer]
+            [[http.services.service-foo.loadBalancer.servers]]
+              url = "http://foo/"
+            [[http.services.service-foo.loadBalancer.servers]]
+              url = "http://bar/"
     ```
     
     ```yaml tab="YAML"
@@ -118,27 +118,35 @@ If you're in a hurry, maybe you'd rather go through the [dynamic configuration](
     
 ### `filename`
 
-Defines the path of the configuration file.
+Defines the path to the configuration file.
+
+!!! warning ""
+    `filename` and `directory` are mutually exclusive.
+    The recommendation is to use `directory`.
 
 ```toml tab="File (TOML)"
 [providers]
   [providers.file]
-    filename = "dynamic_conf.toml"
+    filename = "/path/to/config/dynamic_conf.toml"
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   file:
-    filename: dynamic_conf.yml
+    filename: /path/to/config/dynamic_conf.yml
 ```
 
 ```bash tab="CLI"
---providers.file.filename=dynamic_conf.toml
+--providers.file.filename=/path/to/config/dynamic_conf.toml
 ```
 
 ### `directory`
 
-Defines the directory that contains the configuration files.
+Defines the path to the directory that contains the configuration files.
+
+!!! warning ""
+    `filename` and `directory` are mutually exclusive.
+    The recommendation is to use `directory`.
 
 ```toml tab="File (TOML)"
 [providers]
@@ -183,11 +191,14 @@ providers:
 ### Go Templating
 
 !!! warning
-    Go Templating only works along with dedicated dynamic configuration files.
+    Go Templating only works with dedicated dynamic configuration files.
     Templating does not work in the Traefik main static configuration file.
 
-Traefik allows using Go templating.  
-Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the file `template-rules.toml` :
+Traefik supports using Go templating to automatically generate repetitive portions of configuration files.
+These sections must be valid [Go templates](https://golang.org/pkg/text/template/),
+augmented with the [Sprig template functions](http://masterminds.github.io/sprig/).
+
+To illustrate, it's possible to easily define multiple routers, services, and TLS certificates as described in the following examples:
 
 ??? example "Configuring Using Templating"
     
@@ -197,7 +208,7 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
     
       [http.routers]
       {{ range $i, $e := until 100 }}
-        [http.routers.router{{ $e }}]
+        [http.routers.router{{ $e }}-{{ env "MY_ENV_VAR" }}]
         # ...
       {{ end }}  
       
@@ -227,7 +238,7 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
     [[tls.certificates]]
       certFile = "/etc/traefik/cert-{{ $e }}.pem"
       keyFile = "/etc/traefik/cert-{{ $e }}.key"
-      store = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
+      stores = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
     {{ end }}
     
     [tls.config]
@@ -239,40 +250,38 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
     
     ```yaml tab="YAML"
     http:
-    
-    {{range $i, $e := until 100 }}
       routers:
-        router{{ $e }:
+        {{range $i, $e := until 100 }}
+        router{{ $e }}-{{ env "MY_ENV_VAR" }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{range $i, $e := until 100 }}
       services:
+        {{range $i, $e := until 100 }}
         application{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
     tcp:
-    
-    {{range $i, $e := until 100 }}
       routers:
-        router{{ $e }:
+        {{range $i, $e := until 100 }}
+        router{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{range $i, $e := until 100 }}
       services:
+        {{range $i, $e := until 100 }}
         service{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{ range $i, $e := until 10 }}
     tls:
       certificates:
+      {{ range $i, $e := until 10 }}
       - certFile: "/etc/traefik/cert-{{ $e }}.pem"
         keyFile: "/etc/traefik/cert-{{ $e }}.key"
         store:
         - "my-store-foo-{{ $e }}"
         - "my-store-bar-{{ $e }}"
-    {{end}}
+      {{end}}
     ```

docs/content/providers/http.md

@@ -0,0 +1,189 @@
+# Traefik & HTTP
+
+Provide your [dynamic configuration](./overview.md) via an HTTP(s) endpoint and let Traefik do the rest!
+
+## Routing Configuration
+
+The HTTP provider uses the same configuration as the [File Provider](./file.md) in YAML or JSON format.
+
+## Provider Configuration
+
+### `endpoint`
+
+_Required_
+
+Defines the HTTP(s) endpoint to poll.
+
+```toml tab="File (TOML)"
+[providers.http]
+  endpoint = "http://127.0.0.1:9000/api"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    endpoint:
+      - "http://127.0.0.1:9000/api"
+```
+
+```bash tab="CLI"
+--providers.http.endpoint=http://127.0.0.1:9000/api
+```
+
+### `pollInterval`
+
+_Optional, Default="5s"_
+
+Defines the polling interval.
+
+```toml tab="File (TOML)"
+[providers.http]
+  pollInterval = "5s"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    pollInterval: "5s"
+```
+
+```bash tab="CLI"
+--providers.http.pollInterval=5s
+```
+
+### `pollTimeout`
+
+_Optional, Default="5s"_
+
+Defines the polling timeout when connecting to the configured endpoint.
+
+```toml tab="File (TOML)"
+[providers.http]
+  pollTimeout = "5s"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    pollTimeout: "5s"
+```
+
+```bash tab="CLI"
+--providers.http.pollTimeout=5s
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to the configured Endpoint.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.http.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to the configured Endpoint.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.http.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to the configured Endpoint.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.http.tls.cert=path/to/foo.cert
+--providers.http.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to the configured Endpoint.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.http.tls.cert=path/to/foo.cert
+--providers.http.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS connection to the configured Endpoint accepts any certificate presented by the 
+server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.http.tls.insecureSkipVerify=true
+```

docs/content/providers/kubernetes-crd.md

@@ -8,9 +8,43 @@ Traefik used to support Kubernetes only through the [Kubernetes Ingress provider
 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
 
+## Configuration Requirements
+
+!!! tip "All Steps for a Successful Deployment"
+
+    * Add/update **all** the Traefik resources [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions)
+    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources
+    * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment 
+        * Enable the kubernetesCRD provider
+        * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
+    * Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
+ 
+??? example "Initializing Resource Definition and RBAC"
+
+    ```yaml tab="Traefik Resource Definition"
+    # All resources definition must be declared
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+    ```
+
+    ```yaml tab="RBAC for Traefik CRD"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
+    ```
+
 ## Resource Configuration
 
-See the dedicated section in [routing](../routing/providers/kubernetes-crd.md).
+When using KubernetesCRD as a provider,
+Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to retrieve its routing configuration.
+Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
+
+* The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
+* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like:
+    * TLS certificate.
+    * Authentication data.
+* The structure of the configuration.
+* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
+
+The Traefik CRD are building blocks which you can assemble according to your needs.
+See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
 
 ## LetsEncrypt Support with the Custom Resource Definition Provider
 
@@ -19,14 +53,14 @@ For this reason, users can run multiple instances of Traefik at the same time to
 
 When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
 Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
 
-If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) where distributed LetsEncrypt is a supported feature.
 
 If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
 When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
-A workaround it to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
+A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
 Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.
 
 ## Provider Configuration
@@ -44,7 +78,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
   kubernetesCRD:
-    endpoint = "http://localhost:8080"
+    endpoint: "http://localhost:8080"
     # ...
 ```
 
@@ -78,7 +112,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
   kubernetesCRD:
-    token = "mytoken"
+    token: "mytoken"
     # ...
 ```
 
@@ -139,7 +173,7 @@ Array of namespaces to watch.
 
 ### `labelselector`
 
-_Optional,Default: empty (process all Ingresses)_
+_Optional,Default: empty (process all resources)_
 
 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
@@ -158,8 +192,8 @@ providers:
 --providers.kubernetescrd.labelselector="A and not B"
 ```
 
-By default, Traefik processes all Ingress objects in the configured namespaces.
-A label selector can be defined to filter on specific Ingress objects only.
+By default, Traefik processes all resource objects in the configured namespaces.
+A label selector can be defined to filter on specific resource objects only.
 
 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
 
@@ -184,10 +218,10 @@ providers:
 --providers.kubernetescrd.ingressclass=traefik-internal
 ```
 
-Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
+Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.
 
-If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
-Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
+If the parameter is non-empty, only resources containing an annotation with the same value are processed.
+Otherwise, resources missing the annotation, having an empty value, or the value `traefik` are processed.
 
 ### `throttleDuration`
 

docs/content/providers/kubernetes-ingress.md

@@ -6,7 +6,11 @@ The Kubernetes Ingress Controller.
 The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say,
 it manages access to a cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
 
-## Enabling and using the provider
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kubernetes-ingress.md).
+
+## Enabling and Using the Provider
 
 As usual, the provider is enabled through the static configuration:
 
@@ -23,7 +27,9 @@ providers:
 --providers.kubernetesingress=true
 ```
 
-The provider then watches for incoming ingresses events, such as the example below, and derives the corresponding dynamic configuration from it, which in turn will create the resulting routers, services, handlers, etc.
+The provider then watches for incoming ingresses events, such as the example below,
+and derives the corresponding dynamic configuration from it,
+which in turn will create the resulting routers, services, handlers, etc.
 
 ```yaml tab="File (YAML)"
 kind: Ingress
@@ -34,7 +40,7 @@ metadata:
 
 spec:
   rules:
-    - host: foo.com
+    - host: example.net
       http:
         paths:
           - path: /bar
@@ -49,17 +55,26 @@ spec:
 
 ## LetsEncrypt Support with the Ingress Provider
 
-By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
-For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
+By design, Traefik is a stateless application,
+meaning that it only derives its configuration from the environment it runs in,
+without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA,
+as is a common pattern in the kubernetes ecosystem.
 
-When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
-Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered,
+however this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled,
+because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
+but due to sub-optimal performance was dropped as a feature in 2.0.
 
-If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+If you require LetsEncrypt with HA in a kubernetes environment,
+we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) where distributed LetsEncrypt is a supported feature.
 
-If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
-When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+If you are wanting to continue to run Traefik Community Edition,
+LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates,
+it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 
 ## Provider Configuration
 
@@ -76,7 +91,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
   kubernetesIngress:
-    endpoint = "http://localhost:8080"
+    endpoint: "http://localhost:8080"
     # ...
 ```
 
@@ -93,7 +108,8 @@ They are both provided automatically as mounts in the pod where Traefik is deplo
 
 When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
 In which case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication
+and authorization of the associated kubeconfig.
 
 ### `token`
 
@@ -108,7 +124,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
   kubernetesIngress:
-    token = "mytoken"
+    token: "mytoken"
     # ...
 ```
 
@@ -242,6 +258,40 @@ Value of `kubernetes.io/ingress.class` annotation that identifies Ingress object
 If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
 Otherwise, Ingresses missing the annotation, having an empty value, or with the value `traefik` are processed.
 
+!!! info "Kubernetes 1.18+"
+
+    If the Kubernetes cluster version is 1.18+,
+    the new `IngressClass` resource can be leveraged to identify Ingress objects that should be processed.
+    In that case, Traefik will look for an `IngressClass` in the cluster with the controller value equal to *traefik.io/ingress-controller*. 
+    
+    Please see [this article](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/) for more information or the example below.
+
+    ```yaml tab="IngressClass"
+    apiVersion: networking.k8s.io/v1beta1
+    kind: IngressClass
+    metadata: 
+      name: traefik-lb
+    spec: 
+      controller: traefik.io/ingress-controller
+    ```
+  
+    ```yaml tab="Ingress"
+    apiVersion: "networking.k8s.io/v1beta1"
+    kind: "Ingress"
+    metadata:
+      name: "example-ingress"
+    spec:
+      ingressClassName: "traefik-lb"
+      rules:
+      - host: "*.example.com"
+        http:
+          paths:
+          - path: "/example"
+            backend:
+              serviceName: "example-service"
+              servicePort: 80
+    ```
+
 ### `ingressEndpoint`
 
 #### `hostname`
@@ -250,7 +300,7 @@ _Optional, Default: empty_
 
 ```toml tab="File (TOML)"
 [providers.kubernetesIngress.ingressEndpoint]
-  hostname = "foo.com"
+  hostname = "example.net"
   # ...
 ```
 
@@ -258,12 +308,12 @@ _Optional, Default: empty_
 providers:
   kubernetesIngress:
     ingressEndpoint:
-      hostname: "foo.com"
+      hostname: "example.net"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.hostname=foo.com
+--providers.kubernetesingress.ingressendpoint.hostname=example.net
 ```
 
 Hostname used for Kubernetes Ingress endpoints.
@@ -298,7 +348,7 @@ _Optional, Default: empty_
 
 ```toml tab="File (TOML)"
 [providers.kubernetesIngress.ingressEndpoint]
-  publishedService = "foo-service"
+  publishedService = "namespace/foo-service"
   # ...
 ```
 
@@ -306,15 +356,16 @@ _Optional, Default: empty_
 providers:
   kubernetesIngress:
     ingressEndpoint:
-      publishedService: "foo-service"
+      publishedService: "namespace/foo-service"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.publishedservice=foo-service
+--providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
 ```
 
 Published Kubernetes Service to copy status from.
+Format: `namespace/servicename`.
 
 ### `throttleDuration`
 
@@ -337,6 +388,7 @@ providers:
 --providers.kubernetesingress.throttleDuration=10s
 ```
 
-## Further
+### Further
 
-If one wants to know more about the various aspects of the Ingress spec that Traefik supports, many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+If one wants to know more about the various aspects of the Ingress spec that Traefik supports,
+many examples of Ingresses definitions are located in the tests [data](https://github.com/traefik/traefik/tree/v2.3/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

docs/content/providers/marathon.md

@@ -32,7 +32,7 @@ See also [Marathon user guide](../user-guides/marathon.md).
 		"container": {
 			"type": "DOCKER",
 			"docker": {
-				"image": "containous/whoami",
+				"image": "traefik/whoami",
 				"network": "BRIDGE",
 				"portMappings": [
 					{

docs/content/providers/overview.md

@@ -26,19 +26,24 @@ Even if each provider is different, we can categorize them in four groups:
 
 Below is the list of the currently supported providers in Traefik. 
 
-| Provider                              | Type         | Configuration Type |
-|---------------------------------------|--------------|--------------------|
-| [Docker](./docker.md)                 | Orchestrator | Label              |
-| [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource    |
-| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label              |
-| [Marathon](./marathon.md)             | Orchestrator | Label              |
-| [Rancher](./rancher.md)               | Orchestrator | Label              |
-| [File](./file.md)                     | Manual       | TOML/YAML format   |
+| Provider                              | Type         | Configuration Type         |
+|---------------------------------------|--------------|----------------------------|
+| [Docker](./docker.md)                 | Orchestrator | Label                      |
+| [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource or Ingress |
+| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label                      |
+| [Marathon](./marathon.md)             | Orchestrator | Label                      |
+| [Rancher](./rancher.md)               | Orchestrator | Label                      |
+| [File](./file.md)                     | Manual       | TOML/YAML format           |
+| [Consul](./consul.md)                 | KV           | KV                         |
+| [Etcd](./etcd.md)                     | KV           | KV                         |
+| [Redis](./redis.md)                   | KV           | KV                         |
+| [ZooKeeper](./zookeeper.md)           | KV           | KV                         |
+| [HTTP](./http.md)                     | Manual       | JSON format                |
 
 !!! info "More Providers"
 
     The current version of Traefik doesn't support (yet) every provider.
-    See the [previous version (v1.7)](https://docs.traefik.io/v1.7/) for more providers.
+    See the [previous version (v1.7)](https://doc.traefik.io/traefik/v1.7/) for more providers.
 
 ### Configuration reload frequency
 

docs/content/providers/rancher.md

@@ -35,7 +35,7 @@ Attach labels to your services and let Traefik do the rest!
 
     ```yaml
     labels:
-      - traefik.http.services.my-service.rule=Host(`mydomain.com`)
+      - traefik.http.services.my-service.rule=Host(`example.com`)
     ```
 
 ## Routing Configuration

docs/content/providers/redis.md

@@ -0,0 +1,216 @@
+# Traefik & Redis
+
+A Story of KV store & Containers
+{: .subtitle }
+
+Store your configuration in Redis and let Traefik do the rest!
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kv.md).
+
+## Provider Configuration
+
+### `endpoints`
+
+_Required, Default="127.0.0.1:6379"_
+
+Defines how to access to Redis.
+
+```toml tab="File (TOML)"
+[providers.redis]
+  endpoints = ["127.0.0.1:6379"]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    endpoints:
+      - "127.0.0.1:6379"
+```
+
+```bash tab="CLI"
+--providers.redis.endpoints=127.0.0.1:6379
+```
+
+### `rootKey`
+
+Defines the root key of the configuration.
+
+_Required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.redis]
+  rootKey = "traefik"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    rootKey: "traefik"
+```
+
+```bash tab="CLI"
+--providers.redis.rootkey=traefik
+```
+
+### `username`
+
+Defines a username to connect with Redis.
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.redis]
+  # ...
+  username = "foo"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    # ...
+    usename: "foo"
+```
+
+```bash tab="CLI"
+--providers.redis.username=foo
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines a password to connect with Redis.
+
+```toml tab="File (TOML)"
+[providers.redis]
+  # ...
+  password = "bar"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    # ...
+    password: "bar"
+```
+
+```bash tab="CLI"
+--providers.redis.password=foo
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to Redis.
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.redis.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to Redis.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.redis.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to Redis.
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.redis.tls.cert=path/to/foo.cert
+--providers.redis.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to Redis.
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.redis.tls.cert=path/to/foo.cert
+--providers.redis.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Redis accepts any certificate presented by the server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.redis.tls.insecureSkipVerify=true
+```

docs/content/providers/zookeeper.md

@@ -0,0 +1,216 @@
+# Traefik & ZooKeeper
+
+A Story of KV store & Containers
+{: .subtitle }
+
+Store your configuration in ZooKeeper and let Traefik do the rest!
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kv.md).
+
+## Provider Configuration
+
+### `endpoints`
+
+_Required, Default="127.0.0.1:2181"_
+
+Defines how to access to ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper]
+  endpoints = ["127.0.0.1:2181"]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    endpoints:
+      - "127.0.0.1:2181"
+```
+
+```bash tab="CLI"
+--providers.zookeeper.endpoints=127.0.0.1:2181
+```
+
+### `rootKey`
+
+Defines the root key of the configuration.
+
+_Required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.zooKeeper]
+  rootKey = "traefik"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    rootKey: "traefik"
+```
+
+```bash tab="CLI"
+--providers.zookeeper.rootkey=traefik
+```
+
+### `username`
+
+Defines a username to connect with ZooKeeper.
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.zooKeeper]
+  # ...
+  username = "foo"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    # ...
+    usename: "foo"
+```
+
+```bash tab="CLI"
+--providers.zookeeper.username=foo
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines a password to connect with ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper]
+  # ...
+  password = "bar"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    # ...
+    password: "bar"
+```
+
+```bash tab="CLI"
+--providers.zookeeper.password=foo
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to ZooKeeper.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.cert=path/to/foo.cert
+--providers.zookeeper.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.cert=path/to/foo.cert
+--providers.zookeeper.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to ZooKeeper accepts any certificate presented by the server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.insecureSkipVerify=true
+```