Prepare release v2.2.0-rc4

Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>

.dockerignore

@@ -1,3 +1,5 @@
 dist/
 !dist/traefik
 site/
+vendor/
+.idea/

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.1
+- for Traefik v2: use branch v2.2
 
 Bug fixes:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.1
+- for Traefik v2: use branch v2.2
 
 Enhancements:
 - for Traefik v1: we only accept bug fixes

.golangci.toml

@@ -47,6 +47,7 @@
     "gocognit",
     "bodyclose", # Too many false-positive and panics.
     "wsl", # Too strict
+    "gomnd", # Too strict
     "stylecheck", # skip because report issues related to some generated files.
   ]
 
@@ -92,6 +93,15 @@
  [[issues.exclude-rules]]
     path = "cmd/configuration.go"
     text = "string `traefik` has (\\d) occurrences, make it a constant"
+ [[issues.exclude-rules]]
+    path = "pkg/server/middleware/middlewares.go"
+    text = "Function 'buildConstructor' is too long \\(\\d+ > 230\\)"
  [[issues.exclude-rules]] # FIXME must be fixed
     path = "cmd/context.go"
     text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/haystack/logger.go"
+    linters = ["goprintffuncname"]
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/tracing.go"
+    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"

.goreleaser.yml

@@ -34,8 +34,10 @@ builds:
         goarch: 386
       - goos: openbsd
         goarch: arm
+      - goos: openbsd
+        goarch: arm64
       - goos: freebsd
-        goarch: arm
+        goarch: arm64
 
 changelog:
   skip: true

.semaphoreci/setup.sh

@@ -18,9 +18,9 @@ echo ${SHOULD_TEST}
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
 if [ -n "$SHOULD_TEST" ]; then docker version; fi
-export GO_VERSION=1.12
+export GO_VERSION=1.13
 if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-#if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
+#if [ "${GO_VERSION}" == '1.14' ]; then export GO_VERSION=1.14rc2; fi
 echo "Selected Go version: ${GO_VERSION}"
 
 if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi

.semaphoreci/vars

@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=cantal
+export CODENAME=chevrotin
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -11,7 +11,7 @@ env:
   global:
     - REPO=$TRAVIS_REPO_SLUG
     - VERSION=$TRAVIS_TAG
-    - CODENAME=cantal
+    - CODENAME=chevrotin
     - GO111MODULE=on
 
 script:

CHANGELOG.md

@@ -1,3 +1,232 @@
+## [v2.2.0-rc4](https://github.com/containous/traefik/tree/v2.2.0-rc4) (2020-03-19)
+[All Commits](https://github.com/containous/traefik/compare/v2.2.0-rc3...v2.2.0-rc4)
+
+**Documentation:**
+- **[acme]** Doc: fix wrong name of config format ([#6519](https://github.com/containous/traefik/pull/6519) by [Nek-](https://github.com/Nek-))
+
+**Misc:**
+- **[middleware]** Merge current v2.1 branch into v2.2 ([#6525](https://github.com/containous/traefik/pull/6525) by [ldez](https://github.com/ldez))
+
+## [v2.1.8](https://github.com/containous/traefik/tree/v2.1.8) (2020-03-19)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.7...v2.1.8)
+
+**Bug fixes:**
+- **[middleware,metrics]** Fix memory leak in metrics ([#6522](https://github.com/containous/traefik/pull/6522) by [juliens](https://github.com/juliens))
+
+## [v2.2.0-rc3](https://github.com/containous/traefik/tree/v2.2.0-rc3) (2020-03-18)
+[All Commits](https://github.com/containous/traefik/compare/v2.2.0-rc2...v2.2.0-rc3)
+
+**Enhancements:**
+- **[authentication,middleware]** docs: terminology, replace 'encoded' by 'hashed' ([#6478](https://github.com/containous/traefik/pull/6478) by [debovema](https://github.com/debovema))
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v3.5.0 ([#6491](https://github.com/containous/traefik/pull/6491) by [ldez](https://github.com/ldez))
+- **[internal]** Fix entry point redirect behavior ([#6512](https://github.com/containous/traefik/pull/6512) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/ingress]** fix: Ingress TLS support ([#6504](https://github.com/containous/traefik/pull/6504) by [ldez](https://github.com/ldez))
+- **[middleware]** fix: custom Host header. ([#6502](https://github.com/containous/traefik/pull/6502) by [ldez](https://github.com/ldez))
+- **[server,udp]** udp: replace concurrently reset timer with ticker ([#6498](https://github.com/containous/traefik/pull/6498) by [mpl](https://github.com/mpl))
+- **[server]** Drop traefik from default entry points. ([#6477](https://github.com/containous/traefik/pull/6477) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[k8s,k8s/crd,sticky-session]** docs: clarify multi-levels stickiness ([#6475](https://github.com/containous/traefik/pull/6475) by [mpl](https://github.com/mpl))
+- **[k8s/helm]** Update traefik install documentation ([#6466](https://github.com/containous/traefik/pull/6466) by [mmatur](https://github.com/mmatur))
+- Fix wrong copy/pasted with service name warning ([#6510](https://github.com/containous/traefik/pull/6510) by [Nek-](https://github.com/Nek-))
+- Improve ping documentation. ([#6476](https://github.com/containous/traefik/pull/6476) by [ldez](https://github.com/ldez))
+- doc: fix typo. ([#6472](https://github.com/containous/traefik/pull/6472) by [ldez](https://github.com/ldez))
+- doc: Use neutral domains. ([#6471](https://github.com/containous/traefik/pull/6471) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- **[rancher]** Stop using fork of go-rancher-metadata ([#6469](https://github.com/containous/traefik/pull/6469) by [ibuildthecloud](https://github.com/ibuildthecloud))
+
+## [v2.1.7](https://github.com/containous/traefik/tree/v2.1.7) (2020-03-18)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.6...v2.1.7)
+
+**Bug fixes:**
+- **[logs,middleware]** Access log field quotes. ([#6484](https://github.com/containous/traefik/pull/6484) by [ldez](https://github.com/ldez))
+- **[metrics]** fix statsd scale for duration based metrics ([#6054](https://github.com/containous/traefik/pull/6054) by [ddtmachado](https://github.com/ddtmachado))
+- **[middleware]** Added support for replacement containing escaped characters ([#6413](https://github.com/containous/traefik/pull/6413) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[acme,docker]** Add some missing doc. ([#6422](https://github.com/containous/traefik/pull/6422) by [ldez](https://github.com/ldez))
+- **[acme]** Added wildcard ACME example ([#6423](https://github.com/containous/traefik/pull/6423) by [Basster](https://github.com/Basster))
+- **[acme]** fix typo ([#6408](https://github.com/containous/traefik/pull/6408) by [hamiltont](https://github.com/hamiltont))
+
+## [v2.2.0-rc2](https://github.com/containous/traefik/tree/v2.2.0-rc2) (2020-03-11)
+[All Commits](https://github.com/containous/traefik/compare/v2.2.0-rc1...v2.2.0-rc2)
+
+**Bug fixes:**
+- **[internal]** Router entry points on reload. ([#6444](https://github.com/containous/traefik/pull/6444) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd]** Improve kubernetes external name service support ([#6428](https://github.com/containous/traefik/pull/6428) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[docker]** Fix example values for swarmModeRefreshSeconds ([#6460](https://github.com/containous/traefik/pull/6460) by [skjnldsv](https://github.com/skjnldsv))
+- **[k8s,k8s/ingress]** Improve documentation for kubernetes ingress configuration ([#6440](https://github.com/containous/traefik/pull/6440) by [rtribotte](https://github.com/rtribotte))
+- **[tcp,tls]** Specify passthrough for TCP/TLS in its own section ([#6459](https://github.com/containous/traefik/pull/6459) by [mpl](https://github.com/mpl))
+- Remove  @dduportal from the maintainers team ([#6464](https://github.com/containous/traefik/pull/6464) by [emilevauge](https://github.com/emilevauge))
+- Update migration documentation ([#6447](https://github.com/containous/traefik/pull/6447) by [ldez](https://github.com/ldez))
+- Update version references. ([#6434](https://github.com/containous/traefik/pull/6434) by [ldez](https://github.com/ldez))
+- Fix broken documentation link ([#6430](https://github.com/containous/traefik/pull/6430) by [pbek](https://github.com/pbek))
+
+## [v2.2.0-rc1](https://github.com/containous/traefik/tree/v2.2.0-rc1) (2020-03-05)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.0-rc1...v2.2.0-rc1)
+
+**Enhancements:**
+- **[acme,middleware,tls]** Entry point redirection and default routers configuration ([#6417](https://github.com/containous/traefik/pull/6417) by [ldez](https://github.com/ldez))
+- **[consul,etcd,kv,redis,zk]** Add KV store providers (dynamic configuration only) ([#5899](https://github.com/containous/traefik/pull/5899) by [ldez](https://github.com/ldez))
+- **[consulcatalog,docker,marathon,rancher,udp]** Add UDP in providers with labels ([#6327](https://github.com/containous/traefik/pull/6327) by [juliens](https://github.com/juliens))
+- **[docker]** Fix traefik behavior when network_mode is host ([#5698](https://github.com/containous/traefik/pull/5698) by [FuNK3Y](https://github.com/FuNK3Y))
+- **[docker]** Support SSH connection to Docker ([#5969](https://github.com/containous/traefik/pull/5969) by [sh7dm](https://github.com/sh7dm))
+- **[healthcheck]** Do not follow redirects for the health check URLs ([#5147](https://github.com/containous/traefik/pull/5147) by [coder-hugo](https://github.com/coder-hugo))
+- **[k8s,k8s/crd,udp]** Add UDP support in kubernetesCRD provider ([#6348](https://github.com/containous/traefik/pull/6348) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/crd]** Add TLSStores to Kubernetes CRD ([#6270](https://github.com/containous/traefik/pull/6270) by [dtomcej](https://github.com/dtomcej))
+- **[k8s,k8s/crd]** Add namespace attribute on IngressRouteTCP service ([#6085](https://github.com/containous/traefik/pull/6085) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** Support 'networking.k8s.io/v1beta1' ingress apiVersion ([#6171](https://github.com/containous/traefik/pull/6171) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/ingress]** Update deprecated function call in k8s providers  ([#5241](https://github.com/containous/traefik/pull/5241) by [Wagum](https://github.com/Wagum))
+- **[k8s,k8s/ingress]** Add Ingress annotations support ([#6160](https://github.com/containous/traefik/pull/6160) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/ingress]** systematically call updateIngressStatus ([#6148](https://github.com/containous/traefik/pull/6148) by [mpl](https://github.com/mpl))
+- **[logs,middleware]** Rename the non-exposed field "count" to "size" ([#6048](https://github.com/containous/traefik/pull/6048) by [sylr](https://github.com/sylr))
+- **[logs,middleware]** Add http request scheme to logger ([#6226](https://github.com/containous/traefik/pull/6226) by [valtlfelipe](https://github.com/valtlfelipe))
+- **[logs]** Decrease log level for client related error ([#6204](https://github.com/containous/traefik/pull/6204) by [sylr](https://github.com/sylr))
+- **[metrics]** Add metrics about TLS ([#6255](https://github.com/containous/traefik/pull/6255) by [sylr](https://github.com/sylr))
+- **[middleware]** Add period for rate limiter middleware ([#6055](https://github.com/containous/traefik/pull/6055) by [mpl](https://github.com/mpl))
+- **[middleware]** Let metrics libs handle the atomicity ([#5738](https://github.com/containous/traefik/pull/5738) by [sylr](https://github.com/sylr))
+- **[middleware]** Rework access control origin configuration ([#5996](https://github.com/containous/traefik/pull/5996) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** Add serial number certificate to forward headers ([#5915](https://github.com/containous/traefik/pull/5915) by [dkijkuit](https://github.com/dkijkuit))
+- **[rancher]** Duration order consistency when multiplying number by time unit ([#5885](https://github.com/containous/traefik/pull/5885) by [maxifom](https://github.com/maxifom))
+- **[server,udp]** UDP support ([#6172](https://github.com/containous/traefik/pull/6172) by [mpl](https://github.com/mpl))
+- **[service]** Use EDF schedule algorithm for WeightedRoundRobin ([#6206](https://github.com/containous/traefik/pull/6206) by [pkumza](https://github.com/pkumza))
+- **[service]** Support mirroring request body ([#6080](https://github.com/containous/traefik/pull/6080) by [dmitriyminer](https://github.com/dmitriyminer))
+- **[tls]** Allow PreferServerCipherSuites as a TLS Option ([#6248](https://github.com/containous/traefik/pull/6248) by [dtomcej](https://github.com/dtomcej))
+- **[tracing]** Update APM client. ([#6152](https://github.com/containous/traefik/pull/6152) by [ldez](https://github.com/ldez))
+- **[tracing]** Elastic APM tracer implementation ([#5870](https://github.com/containous/traefik/pull/5870) by [amine7536](https://github.com/amine7536))
+- **[udp,webui]** WebUI: add udp pages ([#6313](https://github.com/containous/traefik/pull/6313) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Polling on tables ([#5909](https://github.com/containous/traefik/pull/5909) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Proxy API to Traefik in dev mode ([#5980](https://github.com/containous/traefik/pull/5980) by [sh7dm](https://github.com/sh7dm))
+- **[webui]** Web UI: Table infinite scroll ([#5875](https://github.com/containous/traefik/pull/5875) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Take off logic from generic table component ([#5910](https://github.com/containous/traefik/pull/5910) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Add dark theme for Web UI ([#6036](https://github.com/containous/traefik/pull/6036) by [sh7dm](https://github.com/sh7dm))
+- Update dependencies ([#6359](https://github.com/containous/traefik/pull/6359) by [ldez](https://github.com/ldez))
+
+**Bug fixes:**
+- **[etcd,kv]** fix: etcd provider name. ([#6212](https://github.com/containous/traefik/pull/6212) by [ldez](https://github.com/ldez))
+- **[file]** Revert "Allow fsnotify to reload config files on k8s (or symlinks)" ([#6416](https://github.com/containous/traefik/pull/6416) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/ingress]** Improvement of the unique name of the router for Ingress. ([#6325](https://github.com/containous/traefik/pull/6325) by [ldez](https://github.com/ldez))
+- **[kv,redis]** Update valkeyrie to fix the support of Redis. ([#6291](https://github.com/containous/traefik/pull/6291) by [ldez](https://github.com/ldez))
+- **[kv]** fix: KV flaky tests. ([#6300](https://github.com/containous/traefik/pull/6300) by [ldez](https://github.com/ldez))
+- **[server]** fix: use MaxInt32. ([#5845](https://github.com/containous/traefik/pull/5845) by [ldez](https://github.com/ldez))
+- **[tracing]** Disable default APM tracer. ([#6410](https://github.com/containous/traefik/pull/6410) by [ldez](https://github.com/ldez))
+- **[udp]** Add missing generated element for UDP. ([#6309](https://github.com/containous/traefik/pull/6309) by [ldez](https://github.com/ldez))
+- **[udp]** Build all UDP services on an entrypoint ([#6329](https://github.com/containous/traefik/pull/6329) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[k8s,k8s/crd]** Update the k8s CRD documentation ([#6426](https://github.com/containous/traefik/pull/6426) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[provider]** Update supported providers list. ([#6190](https://github.com/containous/traefik/pull/6190) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- Merge current v2.1 branch into master ([#6429](https://github.com/containous/traefik/pull/6429) by [ldez](https://github.com/ldez))
+- Merge current v2.1 branch into master ([#6409](https://github.com/containous/traefik/pull/6409) by [ldez](https://github.com/ldez))
+- Merge current v2.1 branch into master ([#6302](https://github.com/containous/traefik/pull/6302) by [ldez](https://github.com/ldez))
+- Merge current v2.1 branch into master ([#6216](https://github.com/containous/traefik/pull/6216) by [ldez](https://github.com/ldez))
+- Merge current v2.1 branch into master ([#6138](https://github.com/containous/traefik/pull/6138) by [ldez](https://github.com/ldez))
+- Merge current v2.1 branch into master ([#6004](https://github.com/containous/traefik/pull/6004) by [ldez](https://github.com/ldez))
+- Merge current v2.1 branch into master ([#5933](https://github.com/containous/traefik/pull/5933) by [ldez](https://github.com/ldez))
+
+## [v2.1.6](https://github.com/containous/traefik/tree/v2.1.6) (2020-02-28)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.4...v2.1.6)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v3.4.0 ([#6376](https://github.com/containous/traefik/pull/6376) by [ldez](https://github.com/ldez))
+- **[api]** Return an error when ping is not enabled. ([#6304](https://github.com/containous/traefik/pull/6304) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Early filter of the catalog services. ([#6307](https://github.com/containous/traefik/pull/6307) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** fix: consul-catalog uses port from label instead of item port. ([#6345](https://github.com/containous/traefik/pull/6345) by [ldez](https://github.com/ldez))
+- **[file]** fix: YML example of template for the file provider. ([#6402](https://github.com/containous/traefik/pull/6402) by [ldez](https://github.com/ldez))
+- **[file]** Allow fsnotify to reload config files on k8s (or symlinks) ([#5037](https://github.com/containous/traefik/pull/5037) by [dtomcej](https://github.com/dtomcej))
+- **[healthcheck]** Launch healthcheck only one time instead of two ([#6372](https://github.com/containous/traefik/pull/6372) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/crd,k8s/ingress]** Fix secret informer load ([#6364](https://github.com/containous/traefik/pull/6364) by [mmatur](https://github.com/mmatur))
+- **[k8s,k8s/crd]** Use consistent protocol determination ([#6365](https://github.com/containous/traefik/pull/6365) by [dtomcej](https://github.com/dtomcej))
+- **[k8s,k8s/crd]** fix: use the right error in the log ([#6311](https://github.com/containous/traefik/pull/6311) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[provider]** Don't throw away valid configuration updates ([#5952](https://github.com/containous/traefik/pull/5952) by [zaphod42](https://github.com/zaphod42))
+- **[tls]** Consider SSLv2 as TLS in order to close the handshake correctly ([#6371](https://github.com/containous/traefik/pull/6371) by [juliens](https://github.com/juliens))
+- **[tracing]** Fix docs and code to match in haystack tracing. ([#6352](https://github.com/containous/traefik/pull/6352) by [evanlurvey](https://github.com/evanlurvey))
+
+**Documentation:**
+- **[acme]** Improve documentation. ([#6324](https://github.com/containous/traefik/pull/6324) by [ldez](https://github.com/ldez))
+- **[file]** Add information about filename and directory options. ([#6333](https://github.com/containous/traefik/pull/6333) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/ingress]** Docs: Clarifying format of ingress endpoint service name ([#6306](https://github.com/containous/traefik/pull/6306) by [BretFisher](https://github.com/BretFisher))
+- **[k8s/crd]** fix: dashboard example with k8s CRD. ([#6330](https://github.com/containous/traefik/pull/6330) by [ldez](https://github.com/ldez))
+- **[middleware,k8s]** Fix formatting in "Kubernetes Namespace" block ([#6305](https://github.com/containous/traefik/pull/6305) by [berekuk](https://github.com/berekuk))
+- **[tls]** Remove TLS cipher suites for TLS minVersion 1.3 ([#6328](https://github.com/containous/traefik/pull/6328) by [rYR79435](https://github.com/rYR79435))
+- **[tls]** Fix typo in the godoc of TLS option MaxVersion ([#6347](https://github.com/containous/traefik/pull/6347) by [pschaub](https://github.com/pschaub))
+- Use explicitly the word Kubernetes in the migration guide. ([#6380](https://github.com/containous/traefik/pull/6380) by [ldez](https://github.com/ldez))
+- Minor readme improvements ([#6293](https://github.com/containous/traefik/pull/6293) by [Rowayda-Khayri](https://github.com/Rowayda-Khayri))
+- Added link to community forum ([#6283](https://github.com/containous/traefik/pull/6283) by [isaacnewtonfx](https://github.com/isaacnewtonfx))
+
+## [v2.1.5](https://github.com/containous/traefik/tree/v2.1.5) (2020-02-28)
+
+Skipped.
+
+## [v2.1.4](https://github.com/containous/traefik/tree/v2.1.4) (2020-02-06)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.3...v2.1.4)
+
+**Bug fixes:**
+- **[acme,logs]** Improvement of the certificates resolvers logs ([#6225](https://github.com/containous/traefik/pull/6225) by [ldez](https://github.com/ldez))
+- **[acme]** Fix kubernetes providers shutdown and clean safe.Pool ([#6244](https://github.com/containous/traefik/pull/6244) by [juliens](https://github.com/juliens))
+- **[authentication,middleware]** don't create http client for each request in forwardAuth middleware ([#6267](https://github.com/containous/traefik/pull/6267) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/ingress]** Allow wildcard hosts in ingress provider ([#6251](https://github.com/containous/traefik/pull/6251) by [dtomcej](https://github.com/dtomcej))
+- **[logs,tls]** Properly purge default certificate from stores before logging ([#6281](https://github.com/containous/traefik/pull/6281) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** use provider-qualified name when recursing for chain ([#6233](https://github.com/containous/traefik/pull/6233) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- **[acme,cli]** Documentation fix for acme.md CLI ([#6262](https://github.com/containous/traefik/pull/6262) by [altano](https://github.com/altano))
+- **[acme,k8s/crd]** Add missing certResolver in IngressRoute examples. ([#6265](https://github.com/containous/traefik/pull/6265) by [ldez](https://github.com/ldez))
+- **[k8s]** fix a typo ([#6279](https://github.com/containous/traefik/pull/6279) by [silenceshell](https://github.com/silenceshell))
+- **[middleware]** Minor documentation tweaks. ([#6218](https://github.com/containous/traefik/pull/6218) by [stevegroom](https://github.com/stevegroom))
+- Correct a trivial spelling mistake in the documentation. ([#6269](https://github.com/containous/traefik/pull/6269) by [nepella](https://github.com/nepella))
+- Update install-traefik.md ([#6260](https://github.com/containous/traefik/pull/6260) by [bitfactory-sander-lissenburg](https://github.com/bitfactory-sander-lissenburg))
+- doc: use the same entry point name everywhere ([#6219](https://github.com/containous/traefik/pull/6219) by [ldez](https://github.com/ldez))
+- readme: update links to use HTTPS ([#6274](https://github.com/containous/traefik/pull/6274) by [imba-tjd](https://github.com/imba-tjd))
+
+## [v2.1.3](https://github.com/containous/traefik/tree/v2.1.3) (2020-01-21)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.2...v2.1.3)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v3.3.0 ([#6192](https://github.com/containous/traefik/pull/6192) by [shilch](https://github.com/shilch))
+- **[docker]** Use the calculated port when useBindPortIP is enabled ([#6199](https://github.com/containous/traefik/pull/6199) by [juliens](https://github.com/juliens))
+- **[docker]** fix: invalid service definition. ([#6198](https://github.com/containous/traefik/pull/6198) by [ldez](https://github.com/ldez))
+- **[server]** Remove Content-Type auto-detection ([#6097](https://github.com/containous/traefik/pull/6097) by [juliens](https://github.com/juliens))
+- **[service]** fix memleak in safe.Pool ([#6140](https://github.com/containous/traefik/pull/6140) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- **[docker]** Fix typo in docker routing documentation ([#6147](https://github.com/containous/traefik/pull/6147) by [tvrg](https://github.com/tvrg))
+- **[k8s]** Fixed typo in k8s doc ([#6163](https://github.com/containous/traefik/pull/6163) by [MyIgel](https://github.com/MyIgel))
+- **[marathon]** Fix typo in Marathon doc. ([#6150](https://github.com/containous/traefik/pull/6150) by [thatshubham](https://github.com/thatshubham))
+- **[middleware]** Adding an explanation how to use `htpasswd` for k8s secret ([#6194](https://github.com/containous/traefik/pull/6194) by [jamct](https://github.com/jamct))
+- doc: adds an explanation of the global redirection pattern. ([#6195](https://github.com/containous/traefik/pull/6195) by [ldez](https://github.com/ldez))
+- Fix small typo in user-guides documentation ([#6154](https://github.com/containous/traefik/pull/6154) by [evert-arias](https://github.com/evert-arias))
+
+## [v2.1.2](https://github.com/containous/traefik/tree/v2.1.2) (2020-01-07)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.1...v2.1.2)
+
+**Bug fixes:**
+- **[authentication,middleware,tracing]** fix(tracing): makes sure tracing headers are being propagated when using forwardAuth ([#6072](https://github.com/containous/traefik/pull/6072) by [jcchavezs](https://github.com/jcchavezs))
+- **[cli]** fix: invalid label/flag parsing. ([#6028](https://github.com/containous/traefik/pull/6028) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Query consul catalog for service health separately ([#6046](https://github.com/containous/traefik/pull/6046) by [SantoDE](https://github.com/SantoDE))
+- **[k8s,k8s/crd]** Restore ExternalName https support for Kubernetes CRD ([#6037](https://github.com/containous/traefik/pull/6037) by [kpeiruza](https://github.com/kpeiruza))
+- **[k8s,k8s/crd]** Log the ignored namespace only when needed ([#6087](https://github.com/containous/traefik/pull/6087) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** k8s Ingress: fix crash on rules with nil http ([#6121](https://github.com/containous/traefik/pull/6121) by [grimmy](https://github.com/grimmy))
+- **[logs]** Improves error message when a configuration file is empty. ([#6135](https://github.com/containous/traefik/pull/6135) by [ldez](https://github.com/ldez))
+- **[server]** Handle respondingTimeout and better shutdown tests. ([#6115](https://github.com/containous/traefik/pull/6115) by [juliens](https://github.com/juliens))
+- **[server]** Don't set user-agent to Go-http-client/1.1 ([#6030](https://github.com/containous/traefik/pull/6030) by [sh7dm](https://github.com/sh7dm))
+- **[tracing]** fix: Malformed x-b3-traceid Header ([#6079](https://github.com/containous/traefik/pull/6079) by [ldez](https://github.com/ldez))
+- **[webui]** fix: dashboard redirect loop ([#6078](https://github.com/containous/traefik/pull/6078) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Use consistent name in ACME documentation ([#6019](https://github.com/containous/traefik/pull/6019) by [ldez](https://github.com/ldez))
+- **[api,k8s/crd]** Add a documentation example for dashboard and api for kubernetes CRD ([#6022](https://github.com/containous/traefik/pull/6022) by [dduportal](https://github.com/dduportal))
+- **[cli]** Fix examples for the use of websecure via CLI ([#6116](https://github.com/containous/traefik/pull/6116) by [tiagoboeing](https://github.com/tiagoboeing))
+- **[k8s,k8s/crd]** Improve documentation about Kubernetes IngressRoute ([#6058](https://github.com/containous/traefik/pull/6058) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[middleware]** Improve sourceRange explanation for ipWhiteList ([#6070](https://github.com/containous/traefik/pull/6070) by [der-domi](https://github.com/der-domi))
+
 ## [v2.1.1](https://github.com/containous/traefik/tree/v2.1.1) (2019-12-12)
 [All Commits](https://github.com/containous/traefik/compare/v2.1.0...v2.1.1)
 

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -31,8 +31,9 @@ TRAEFIK_ENVS := \
 
 TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
-DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) -it $(DOCKER_RUN_OPTS)
+DOCKER_NON_INTERACTIVE ?= false
-DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) -i $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
 
 PRE_TARGET ?= build-dev-image
 

README.md

@@ -5,7 +5,7 @@
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
+[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](https://goreportcard.com/report/containous/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
 [![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
@@ -89,7 +89,7 @@ You can access the simple HTML frontend of Traefik.
 
 You can find the complete documentation of Traefik v2 at [https://docs.traefik.io](https://docs.traefik.io).
 
-If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/)
+If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/).
 
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
@@ -122,7 +122,7 @@ git clone https://github.com/containous/traefik
 
 ## Introductory Videos
 
-You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us)
+You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us).
 
 ## Maintainers
 
@@ -138,16 +138,16 @@ By participating in this project, you agree to abide by its terms.
 ## Release Cycle
 
 - We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
-- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0)
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
-- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only)
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
 
-Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out)
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
 
-We use [Semantic Versioning](http://semver.org/)
+We use [Semantic Versioning](https://semver.org/).
 
-## Mailing lists
+## Mailing Lists
 
-- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news)
+- General announcements, new releases: mail at news+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/news).
 - Security announcements: mail at security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
 
 ## Credits
@@ -156,5 +156,5 @@ Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on t
 
 Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
 
-Traefik's logo was inspired by the gopher stickers made by Takuya Ueda (https://twitter.com/tenntenn).
+Traefik's logo was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
-The original Go gopher was designed by Renee French (http://reneefrench.blogspot.com/).
+The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).

build.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.13-alpine
+FROM golang:1.14-alpine
 
 RUN apk --update upgrade \
     && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,10 +19,10 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.20.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.23.6
 
-# Download golangci-lint and misspell binary to bin folder in $GOPATH
+# Download misspell binary to bin folder in $GOPATH
-RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell
+RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
 
 # Download goreleaser binary to bin folder in $GOPATH
 RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh

cmd/healthcheck/healthcheck.go

@@ -75,5 +75,5 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 
 	path := "/"
 
-	return client.Head(protocol + "://" + pingEntryPoint.Address + path + "ping")
+	return client.Head(protocol + "://" + pingEntryPoint.GetAddress() + path + "ping")
 }

cmd/traefik/traefik.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"
 
@@ -172,7 +173,12 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
 
-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(*staticConfiguration)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	if err != nil {
+		return nil, err
+	}
+
+	serverEntryPointsUDP, err := server.NewUDPEntryPoints(staticConfiguration.EntryPoints)
 	if err != nil {
 		return nil, err
 	}
@@ -184,9 +190,29 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	accessLog := setupAccessLog(staticConfiguration.AccessLog)
 	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
 	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
-	tcpRouterFactory := server.NewTCPRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder)
 
-	watcher := server.NewConfigurationWatcher(routinesPool, providerAggregator, time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
+	var defaultEntryPoints []string
+	for name, cfg := range staticConfiguration.EntryPoints {
+		protocol, err := cfg.GetProtocol()
+		if err != nil {
+			// Should never happen because Traefik should not start if protocol is invalid.
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+		}
+
+		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
+			defaultEntryPoints = append(defaultEntryPoints, name)
+		}
+	}
+
+	sort.Strings(defaultEntryPoints)
+
+	watcher := server.NewConfigurationWatcher(
+		routinesPool,
+		providerAggregator,
+		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
+		defaultEntryPoints,
+	)
 
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		ctx := context.Background()
@@ -198,7 +224,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
 	})
 
-	watcher.AddListener(switchRouter(tcpRouterFactory, acmeProviders, serverEntryPointsTCP))
+	watcher.AddListener(switchRouter(routerFactory, acmeProviders, serverEntryPointsTCP, serverEntryPointsUDP))
 
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
@@ -229,12 +255,12 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	})
 
-	return server.NewServer(routinesPool, serverEntryPointsTCP, watcher, chainBuilder, accessLog), nil
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
 }
 
-func switchRouter(tcpRouterFactory *server.TCPRouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints) func(conf dynamic.Configuration) {
+func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints) func(conf dynamic.Configuration) {
 	return func(conf dynamic.Configuration) {
-		routers := tcpRouterFactory.CreateTCPRouters(conf)
+		routers, udpRouters := routerFactory.CreateRouters(conf)
 		for entryPointName, rt := range routers {
 			for _, p := range acmeProviders {
 				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
@@ -244,6 +270,7 @@ func switchRouter(tcpRouterFactory *server.TCPRouterFactory, acmeProviders []*ac
 			}
 		}
 		serverEntryPointsTCP.Switch(routers)
+		serverEntryPointsUDP.Switch(udpRouters)
 	}
 }
 
@@ -267,14 +294,18 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 			}
 
 			if err := providerAggregator.AddProvider(p); err != nil {
-				log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
+				log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
 				continue
 			}
+
 			p.SetTLSManager(tlsManager)
+
 			if p.TLSChallenge != nil {
 				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
 			}
+
 			p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
 			resolvers = append(resolvers, p)
 		}
 	}
@@ -404,13 +435,13 @@ func stats(staticConfiguration *static.Configuration) {
 		logger.Info(`Stats collection is enabled.`)
 		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
 		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://docs.traefik.io/v2.0/contributing/data-collection/`)
+		logger.Info(`More details on: https://docs.traefik.io/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
 		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/v2.0/contributing/data-collection/
+More details on: https://docs.traefik.io/contributing/data-collection/
 `)
 	}
 }

docs/content/contributing/building-testing.md

@@ -16,6 +16,8 @@ For changes to its dependencies, the `dep` dependency management tool is require
 Run make with the `binary` target.
 This will create binaries for the Linux platform in the `dist` folder.
 
+In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
+
 ```bash
 $ make binary
 docker build -t traefik-webui -f webui/Dockerfile webui
@@ -28,7 +30,7 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.13-alpine
+Step 1/10 : FROM golang:1.14-alpine
  ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
@@ -60,9 +62,9 @@ PRE_TARGET= make test-unit
 
 Requirements:
 
-- `go` v1.13+
+- `go` v1.14+
 - environment variable `GO111MODULE=on`
-- go-bindata `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
+- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 
 !!! tip "Source Directory"
 
@@ -98,7 +100,8 @@ Requirements:
 #### Build Traefik
 
 Once you've set up your go environment and cloned the source repository, you can build Traefik.
-Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
+
+Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
 
 ```bash
 cd ~/go/src/github.com/containous/traefik
@@ -123,10 +126,6 @@ go build ./cmd/traefik
 
 You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
 
-### Updating the templates
-
-If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
-
 ## Testing
 
 ### Method 1: `Docker` and `make`

docs/content/contributing/maintainers.md

@@ -15,7 +15,6 @@
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
-* Damien Duportal [@dduportal](https://github.com/dduportal)
 * Mathieu Lonjaret [@mpl](https://github.com/mpl)
 
 ## Contributions Daily Meeting

docs/content/contributing/submitting-pull-requests.md

@@ -3,11 +3,11 @@
 A Quick Guide for Efficient Contributions
 {: .subtitle }
 
-So you've decide to improve Traefik? 
+So you've decided to improve Traefik? 
 Thank You! 
 Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
 
-Let's go though the classic pitfalls to make sure everything is right. 
+Let's go through the classic pitfalls to make sure everything is right. 
 
 ## Title
 
@@ -36,7 +36,7 @@ Help the readers focus on what matters, and help them understand the structure o
 - Add tests.
 - Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
 
-!!! note "third-party dependencies"
+!!! note "Third-Party Dependencies"
 
     If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
 

docs/content/getting-started/configuration-overview.md

@@ -74,7 +74,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:2.0 --help
+# ex: docker run traefik:2.1 --help
 ```
 
 All available arguments can also be found [here](../reference/static-configuration/cli.md).

docs/content/getting-started/install-traefik.md

@@ -3,17 +3,17 @@
 You can install Traefik with the following flavors:
 
 * [Use the official Docker image](./#use-the-official-docker-image)
-* [(Experimental) Use the Helm Chart](./#use-the-helm-chart)
+* [Use the Helm Chart](./#use-the-helm-chart)
 * [Use the binary distribution](./#use-the-binary-distribution)
 * [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
 
 ## Use the Official Docker Image
 
-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.0/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.2/traefik.sample.toml):
 
 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.2
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -21,70 +21,74 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.0.0`
+    ex: `traefik:v2.1.4`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
-    * All the orchestrator using docker images could fetch the official Traefik docker image.
+    * Any orchestrator using docker images can fetch the official Traefik docker image.
 
 ## Use the Helm Chart
 
-!!! warning "Experimental Helm Chart"
+!!! warning
     
-    Please note that the Helm Chart for Traefik v2 is still experimental.
+    The Traefik Chart from 
-    
-    The Traefik Stable Chart from 
     [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://docs.traefik.io/v1.7).
 
-Traefik can be installed in Kubernetes using the v2.0 Helm chart from <https://github.com/containous/traefik-helm-chart>.
+Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/containous/traefik-helm-chart>.
 
 Ensure that the following requirements are met:
 
 * Kubernetes 1.14+
-* Helm version 2.x is [installed](https://v2.helm.sh/docs/using_helm/) and initialized with Tiller
+* Helm version 3.x is [installed](https://helm.sh/docs/intro/install/)
 
-Retrieve the latest chart version from the repository:
+Add Traefik's chart repository to Helm:
 
 ```bash
-# Retrieve Chart from the repository
+helm repo add traefik https://containous.github.io/traefik-helm-chart
-git clone https://github.com/containous/traefik-helm-chart
+```
+
+You can update the chart repository by running:
+
+```bash
+helm repo update
 ```
 
 And install it with the `helm` command line:
 
 ```bash
-helm install ./traefik-helm-chart
+helm install traefik traefik/traefik
 ```
 
 !!! tip "Helm Features"
     
-    All [Helm features](https://v2.helm.sh/docs/using_helm/#using-helm) are supported.
+    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
     For instance, installing the chart in a dedicated namespace:
 
     ```bash tab="Install in a Dedicated Namespace"
+    kubectl create ns traefik-v2
     # Install in the namespace "traefik-v2"
     helm install --namespace=traefik-v2 \
-        ./traefik-helm-chart
+        traefik traefik/traefik
     ```
 
 ??? example "Installing with Custom Values"
     
     You can customize the installation by specifying custom values,
-    as with [any helm chart](https://v2.helm.sh/docs/using_helm/#customizing-the-chart-before-installing).
+    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
     {: #helm-custom-values }
     
     The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/values.yaml) file to explore possibilities.
+    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
     
     Example of installation with logging set to `DEBUG`:
     
     ```bash tab="Using Helm CLI"
     helm install --namespace=traefik-v2 \
         --set="logs.loglevel=DEBUG" \
-        ./traefik-helm-chart
+        traefik traefik/traefik
     ```
     
     ```yml tab="With a custom values file"
     # File custom-values.yml
-    ## Install with "helm install --values=./custom-values.yml ./traefik-helm-chart
+    ## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
     logs:
         loglevel: DEBUG
     ```

docs/content/getting-started/quick-start.md

@@ -14,8 +14,8 @@ version: '3'
 
 services:
   reverse-proxy:
-    # The official v2.0 Traefik docker image
+    # The official v2 Traefik docker image
-    image: traefik:v2.0
+    image: traefik:v2.2
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:

docs/content/https/acme.md

@@ -23,6 +23,25 @@ Certificates are requested for domain names retrieved from the router's [dynamic
 
 You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
 
+!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+
+??? note "Configuration Reference"
+    
+    There are many available options for ACME.
+    For a quick glance at what's possible, browse the configuration reference:
+    
+    ```toml tab="File (TOML)"
+    --8<-- "content/https/ref-acme.toml"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    --8<-- "content/https/ref-acme.yaml"
+    ```
+    
+    ```bash tab="CLI"
+    --8<-- "content/https/ref-acme.txt"
+    ```
+
 ## Domain Definition
 
 Certificate resolvers request certificates for a set of the domain names 
@@ -56,13 +75,13 @@ Please check the [configuration examples below](#configuration-examples) for mor
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
-      email = "your-email@your-domain.org"
+      email = "your-email@example.com"
       storage = "acme.json"
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.myresolver.acme.httpChallenge]
         # used during the challenge
         entryPoint = "web"
     ```
@@ -72,13 +91,13 @@ Please check the [configuration examples below](#configuration-examples) for mor
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
-          email: your-email@your-domain.org
+          email: your-email@example.com
           storage: acme.json
           httpChallenge:
             # used during the challenge
@@ -89,47 +108,30 @@ Please check the [configuration examples below](#configuration-examples) for mor
     --entryPoints.web.address=:80
     --entryPoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.email=your-email@your-domain.org
+    --certificatesResolvers.myresolver.acme.email=your-email@example.com
-    --certificatesResolvers.sample.acme.storage=acme.json
+    --certificatesResolvers.myresolver.acme.storage=acme.json
     # used during the challenge
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
     ```
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
-??? note "Configuration Reference"
-    
-    There are many available options for ACME.
-    For a quick glance at what's possible, browse the configuration reference:
-    
-    ```toml tab="File (TOML)"
-    --8<-- "content/https/ref-acme.toml"
-    ```
-    
-    ```yaml tab="File (YAML)"
-    --8<-- "content/https/ref-acme.yaml"
-    ```
-    
-    ```bash tab="CLI"
-    --8<-- "content/https/ref-acme.txt"
-    ```
-
 ??? example "Single Domain from Router's Rule Example"
     
-    * A certificate for the domain `company.com` is requested:
+    * A certificate for the domain `example.com` is requested:
 
     --8<-- "content/https/include-acme-single-domain-example.md"
 
 ??? example "Multiple Domains from Router's Rule Example"
  
-    * A certificate for the domains `company.com` (main) and `blog.company.org`
+    * A certificate for the domains `example.com` (main) and `blog.example.org`
       is requested:
     
     --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
     
 ??? example "Multiple Domains from Router's `tls.domain` Example"
 
-    * A certificate for the domains `company.com` (main) and `*.company.org` (SAN)
+    * A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
       is requested:
       
     --8<-- "content/https/include-acme-multiple-domains-example.md"
@@ -164,14 +166,14 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 ??? example "Configuring the `tlsChallenge`"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.tlsChallenge]
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
     ```
 
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           tlsChallenge: {}
@@ -179,7 +181,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.tlsChallenge=true
+    --certificatesResolvers.myresolver.acme.tlsChallenge=true
     ```
 
 ### `httpChallenge`
@@ -187,21 +189,21 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
 
 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesResolvers.myresolver.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
 
-??? example "Using an EntryPoint Called http for the `httpChallenge`"
+??? example "Using an EntryPoint Called web for the `httpChallenge`"
 
     ```toml tab="File (TOML)"
     [entryPoints]
       [entryPoints.web]
         address = ":80"
       
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.myresolver.acme.httpChallenge]
         entryPoint = "web"
     ```
 
@@ -210,11 +212,11 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           httpChallenge:
@@ -225,7 +227,7 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
     --entryPoints.web.address=:80
     --entryPoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
     ```
 
 !!! info ""
@@ -238,9 +240,9 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
-      [certificatesResolvers.sample.acme.dnsChallenge]
+      [certificatesResolvers.myresolver.acme.dnsChallenge]
         provider = "digitalocean"
         delayBeforeCheck = 0
     # ...
@@ -248,7 +250,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           dnsChallenge:
@@ -259,8 +261,8 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+    --certificatesResolvers.myresolver.acme.dnsChallenge.provider=digitalocean
-    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+    --certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0
     # ...
     ```
 
@@ -285,10 +287,12 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
+| [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
 | [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
+| [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
 | [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
@@ -297,6 +301,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
 | [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
 | [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
+| [Dynu](https://www.dynu.com)                                | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
 | [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
 | External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
 | [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
@@ -315,7 +320,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
 | [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
-| manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
+| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
 | [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
@@ -329,10 +334,14 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
 | [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
 | [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
+| [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
 | [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
 | [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
+| [RimuHosting](https://rimuhosting.com)                      | `rimuhosting`  | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)  |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
+| [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
 | [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
+| [Servercow](https://servercow.de)                           | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
@@ -340,6 +349,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
 | [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
+| [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
 
 [^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
 [^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
@@ -357,16 +367,16 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 Use custom DNS servers to resolve the FQDN authority.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
   # ...
-  [certificatesResolvers.sample.acme.dnsChallenge]
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
     resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
 ```
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       dnsChallenge:
@@ -378,7 +388,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.dnsChallenge.resolvers:=1.1.1.1:53,8.8.8.8:53
+--certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
 #### Wildcard Domains
@@ -390,10 +400,17 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 
 ### `caServer`
 
+_Required, Default="https://acme-v02.api.letsencrypt.org/directory"_
+
+The CA server to use:
+
+- Let's Encrypt production server: https://acme-v02.api.letsencrypt.org/directory
+- Let's Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory
+
 ??? example "Using the Let's Encrypt staging server"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
       # ...
       caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
       # ...
@@ -401,7 +418,7 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
     
     ```yaml tab="File (YAML)"
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
           # ...
           caServer: https://acme-staging-v02.api.letsencrypt.org/directory
@@ -410,16 +427,18 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+    --certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
     # ...
     ```
 
 ### `storage`
 
+_Required, Default="acme.json"_
+
 The `storage` option sets the location where your ACME certificates are saved to.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
   # ...
   storage = "acme.json"
   # ...
@@ -427,7 +446,7 @@ The `storage` option sets the location where your ACME certificates are saved to
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
-  sample:
+  myresolver:
     acme:
       # ...
       storage: acme.json
@@ -436,17 +455,11 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesResolvers.myresolver.acme.storage=acme.json
 # ...
 ```
 
-The value can refer to some kinds of storage:
+ACME certificates are stored in a JSON file that needs to have a `600` file mode.
-
-- a JSON file
-
-#### In a File
-
-ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
 
 In Docker you can mount either the JSON file, or the folder containing it:
 

docs/content/https/include-acme-multiple-domains-example.md

@@ -2,27 +2,26 @@
 ```yaml tab="Docker"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
-  - traefik.http.routers.blog.tls.domains[0].main=company.org
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
-  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```
 
 ```yaml tab="Docker (Swarm)"
 ## Dynamic configuration
 deploy:
   labels:
-    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
     - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
     - traefik.http.routers.blog.tls=true
-    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.routers.blog.tls.certresolver=myresolver
-    - traefik.http.routers.blog.tls.domains[0].main=company.org
+    - traefik.http.routers.blog.tls.domains[0].main=example.org
-    - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```
 
 ```yaml tab="Kubernetes"
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -31,22 +30,26 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`company.com`) && Path(`/blog`)
+  - match: Host(`example.com`) && Path(`/blog`)
     kind: Rule
     services:
     - name: blog
       port: 8080
   tls:
-    certResolver: le
+    certResolver: myresolver
+    domains:
+    - main: example.org
+      sans:
+      - *.example.org
 ```
 
 ```json tab="Marathon"
 labels: {
-  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
   "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
-  "traefik.http.routers.blog.tls.domains[0].main": "company.com",
+  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
-  "traefik.http.routers.blog.tls.domains[0].sans": "*.company.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
 }
 ```
@@ -54,23 +57,23 @@ labels: {
 ```yaml tab="Rancher"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
-  - traefik.http.routers.blog.tls.domains[0].main=company.org
+  - traefik.http.routers.blog.tls.domains[0].main=example.org
-  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```
 
 ```toml tab="File (TOML)"
 ## Dynamic configuration
 [http.routers]
   [http.routers.blog]
-    rule = "Host(`company.com`) && Path(`/blog`)"
+    rule = "Host(`example.com`) && Path(`/blog`)"
     [http.routers.blog.tls]
-      certResolver = "le" # From static configuration
+      certResolver = "myresolver" # From static configuration
       [[http.routers.blog.tls.domains]]
-        main = "company.org"
+        main = "example.org"
-        sans = ["*.company.org"]
+        sans = ["*.example.org"]
 ```
 
 ```yaml tab="File (YAML)"
@@ -78,11 +81,11 @@ labels:
 http:
   routers:
     blog:
-      rule: "Host(`company.com`) && Path(`/blog`)"
+      rule: "Host(`example.com`) && Path(`/blog`)"
       tls:
-        certResolver: le
+        certResolver: myresolver
         domains:
-          - main: "company.org"
+          - main: "example.org"
             sans:
-              - "*.company.org"
+              - "*.example.org"
 ```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -2,23 +2,22 @@
 ```yaml tab="Docker"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
 ```yaml tab="Docker (Swarm)"
 ## Dynamic configuration
 deploy:
   labels:
-    - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+    - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
-    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
     - traefik.http.routers.blog.tls=true
-    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
 ```
 
 ```yaml tab="Kubernetes"
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -27,19 +26,20 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: (Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - match: (Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
     kind: Rule
     services:
     - name: blog
       port: 8080
-  tls: {}
+  tls:
+    certresolver: myresolver
 ```
 
 ```json tab="Marathon"
 labels: {
-  "traefik.http.routers.blog.rule": "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)",
+  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
   "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
 }
 ```
@@ -47,18 +47,18 @@ labels: {
 ```yaml tab="Rancher"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
 ```toml tab="File (TOML)"
 ## Dynamic configuration
 [http.routers]
   [http.routers.blog]
-    rule = "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
     [http.routers.blog.tls]
-      certResolver = "le" # From static configuration
+      certResolver = "myresolver"
 ```
 
 ```yaml tab="File (YAML)"
@@ -66,7 +66,7 @@ labels:
 http:
   routers:
     blog:
-      rule: "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+      rule: "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
       tls:
-        certResolver: le
+        certResolver: myresolver
 ```

docs/content/https/include-acme-single-domain-example.md

@@ -2,23 +2,22 @@
 ```yaml tab="Docker"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
 ```yaml tab="Docker (Swarm)"
 ## Dynamic configuration
 deploy:
   labels:
-    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
-    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
     - traefik.http.routers.blog.tls=true
-    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
 ```
 
 ```yaml tab="Kubernetes"
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -27,19 +26,20 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`company.com`) && Path(`/blog`)
+  - match: Host(`example.com`) && Path(`/blog`)
     kind: Rule
     services:
     - name: blog
       port: 8080
-  tls: {}
+  tls:
+    certresolver: myresolver
 ```
 
 ```json tab="Marathon"
 labels: {
-  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
   "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
   "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
 }
 ```
@@ -47,18 +47,18 @@ labels: {
 ```yaml tab="Rancher"
 ## Dynamic configuration
 labels:
-  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
   - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
-```toml tab="Single Domain"
+```toml tab="File (TOML)"
 ## Dynamic configuration
 [http.routers]
-    [http.routers.blog]
+  [http.routers.blog]
-    rule = "Host(`company.com`) && Path(`/blog`)"
+  rule = "Host(`example.com`) && Path(`/blog`)"
-    [http.routers.blog.tls]
+  [http.routers.blog.tls]
-        certResolver = "le" # From static configuration
+    certResolver = "myresolver"
 ```
 
 ```yaml tab="File (YAML)"
@@ -66,7 +66,7 @@ labels:
 http:
   routers:
     blog:
-      rule: "Host(`company.com`) && Path(`/blog`)"
+      rule: "Host(`example.com`) && Path(`/blog`)"
       tls:
-        certResolver: le
+        certResolver: myresolver
 ```

docs/content/https/ref-acme.toml

@@ -1,11 +1,11 @@
 # Enable ACME (Let's Encrypt): automatic SSL.
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.myresolver.acme]
 
   # Email address used for registration.
   #
   # Required
   #
-  email = "test@traefik.io"
+  email = "test@example.com"
 
   # File or key used for certificates storage.
   #
@@ -35,13 +35,13 @@
   #
   # Optional (but recommended)
   #
-  [certificatesResolvers.sample.acme.tlsChallenge]
+  [certificatesResolvers.myresolver.acme.tlsChallenge]
 
   # Use a HTTP-01 ACME challenge.
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.httpChallenge]
+  # [certificatesResolvers.myresolver.acme.httpChallenge]
 
     # EntryPoint to use for the HTTP-01 challenges.
     #
@@ -54,7 +54,7 @@
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.dnsChallenge]
+  # [certificatesResolvers.myresolver.acme.dnsChallenge]
 
     # DNS provider used.
     #

docs/content/https/ref-acme.txt

@@ -4,13 +4,13 @@
 #
 # Required
 #
---certificatesResolvers.sample.acme.email=test@traefik.io
+--certificatesResolvers.myresolver.acme.email=test@example.com
 
 # File or key used for certificates storage.
 #
 # Required
 #
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesResolvers.myresolver.acme.storage=acme.json
 
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
@@ -19,7 +19,7 @@
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
---certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+--certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
 
 # KeyType to use.
 #
@@ -28,38 +28,38 @@
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
---certificatesResolvers.sample.acme.keyType=RSA4096
+--certificatesResolvers.myresolver.acme.keyType=RSA4096
 
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
---certificatesResolvers.sample.acme.tlsChallenge=true
+--certificatesResolvers.myresolver.acme.tlsChallenge=true
 
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.httpChallenge=true
+--certificatesResolvers.myresolver.acme.httpChallenge=true
 
 # EntryPoint to use for the HTTP-01 challenges.
 #
 # Required
 #
---certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+--certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
 
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.dnsChallenge=true
+--certificatesResolvers.myresolver.acme.dnsChallenge=true
 
 # DNS provider used.
 #
 # Required
 #
---certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+--certificatesResolvers.myresolver.acme.dnsChallenge.provider=digitalocean
 
 # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
 # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
@@ -68,14 +68,14 @@
 # Optional
 # Default: 0
 #
---certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+--certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0
 
 # Use following DNS servers to resolve the FQDN authority.
 #
 # Optional
 # Default: empty
 #
---certificatesResolvers.sample.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+--certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 
 # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
 #
@@ -85,4 +85,4 @@
 # Optional
 # Default: false
 #
---certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
+--certificatesResolvers.myresolver.acme.dnsChallenge.disablePropagationCheck=true

docs/content/https/ref-acme.yaml

@@ -1,5 +1,5 @@
 certificatesResolvers:
-  sample:
+  myresolver:
     # Enable ACME (Let's Encrypt): automatic SSL.
     acme:
 
@@ -7,7 +7,7 @@ certificatesResolvers:
       #
       # Required
       #
-      email: "test@traefik.io"
+      email: "test@example.com"
 
       # File or key used for certificates storage.
       #

docs/content/https/tls.md

@@ -40,7 +40,7 @@ tls:
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
-    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../routing/providers/kubernetes-crd.md#tls). 
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
 
 ## Certificates Stores
 
@@ -347,6 +347,39 @@ spec:
   sniStrict: true
 ```
 
+### Prefer Server Cipher Suites
+
+This option allows the server to choose its most preferred cipher suite instead of the client's.
+Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    preferServerCipherSuites = true
+```
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      preferServerCipherSuites: true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  preferServerCipherSuites: true
+```
+
 ### Client Authentication (mTLS)
 
 Traefik supports mutual authentication, through the `clientAuth` section.

docs/content/index.md

@@ -20,4 +20,9 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 !!! info
 
-    If you're a business running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://info.containo.us/commercial-services) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 
+    Join our user friendly and active [Community Forum](https://community.containo.us) to discuss, learn, and connect with the traefik community.
+    
+    If you're a business running critical services behind Traefik,
+    know that [Containous](https://containo.us), the company that sponsors Traefik's development,
+    can provide [commercial support](https://info.containo.us/commercial-services)
+    and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.

docs/content/middlewares/basicauth.md

@@ -71,7 +71,7 @@ http:
 
 ### General
 
-Passwords must be encoded using MD5, SHA1, or BCrypt.
+Passwords must be hashed using MD5, SHA1, or BCrypt.
 
 !!! tip 
 
@@ -79,7 +79,7 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.
 
 ### `users`
 
-The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
+The `users` option is an array of authorized users. Each user will be declared using the `name:hashed-password` format.
 
 !!! note ""
     
@@ -90,7 +90,7 @@ The `users` option is an array of authorized users. Each user will be declared u
 # Declaring the user list
 #
 # Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
+# To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -107,6 +107,10 @@ spec:
     secret: authsecret
 
 ---
+# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
+# To create an encoded user:password pair, the following command can be used:
+# htpasswd -nb user password | openssl base64
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -161,7 +165,7 @@ http:
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
 
-The file content is a list of `name:encoded-password`.
+The file content is a list of `name:hashed-password`.
 
 !!! note ""
     

docs/content/middlewares/contenttype.md

@@ -0,0 +1,83 @@
+
+# ContentType
+
+Handling ContentType auto-detection
+{: .subtitle }
+
+The Content-Type middleware - or rather its unique `autoDetect` option -
+specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.
+
+As a proxy, the default behavior should be to leave the header alone,
+regardless of what the backend did with it.
+However, the historic default was to always auto-detect and set the header if it was nil,
+and it is going to be kept that way in order to support users currently relying on it.
+This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+
+!!! info
+
+    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
+    is still to automatically set the `Content-Type` header.
+    Therefore, given the default value of the `autoDetect` option (false),
+    simply enabling this middleware for a router switches the router's behavior.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```yaml tab="Kubernetes"
+# Disable auto-detection
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: autodetect
+spec:
+  contentType:
+    autoDetect: false
+```
+
+```yaml tab="Consul Catalog"
+# Disable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+}
+```
+
+```yaml tab="Rancher"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```toml tab="File (TOML)"
+# Disable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+     autoDetect=false
+```
+
+```yaml tab="File (YAML)"
+# Disable auto-detection
+http:
+  middlewares:
+    autodetect:
+      contentType:
+        autoDetect: false
+```
+
+## Configuration Options
+
+### `autoDetect`
+
+`autoDetect` specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.

docs/content/middlewares/forwardauth.md

@@ -12,53 +12,53 @@ Otherwise, the response from the authentication server is returned.
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```yaml tab="Kubernetes"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
 ```
 
 ```yaml tab="Consul Catalog"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
 }
 ```
 
 ```yaml tab="Rancher"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```toml tab="File (TOML)"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
 ```
 
 ```yaml tab="File (YAML)"
-# Forward authentication to authserver.com
+# Forward authentication to example.com
 http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
 ```
 
 ## Configuration Options
@@ -69,7 +69,7 @@ The `address` option defines the authentication server address.
 
 ```yaml tab="Docker"
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```yaml tab="Kubernetes"
@@ -79,28 +79,28 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth 
+    address: https://example.com/auth 
 ```
 
 ```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
 }
 ```
 
 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
 ```
 
 ```yaml tab="File (YAML)"
@@ -108,7 +108,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
 ```
 
 ### `trustForwardHeader`
@@ -127,7 +127,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     trustForwardHeader: true
 ```
 
@@ -149,7 +149,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     trustForwardHeader = true
 ```
 
@@ -158,7 +158,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         trustForwardHeader: true
 ```
 
@@ -178,7 +178,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     authResponseHeaders:
       - X-Auth-User
       - X-Secret
@@ -202,7 +202,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     authResponseHeaders = ["X-Auth-User", "X-Secret"]
 ```
 
@@ -211,7 +211,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         authResponseHeaders:
           - "X-Auth-User"
           - "X-Secret"
@@ -237,7 +237,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       caSecret: mycasercret
 
@@ -270,7 +270,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       ca = "path/to/local.crt"
 ```
@@ -280,7 +280,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           ca: "path/to/local.crt"
 ```
@@ -306,7 +306,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       caOptional: true
 ```
@@ -329,7 +329,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       caOptional = true
 ```
@@ -339,7 +339,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           caOptional: true
 ```
@@ -361,7 +361,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       certSecret: mytlscert
 
@@ -398,7 +398,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       cert = "path/to/foo.cert"
       key = "path/to/foo.key"
@@ -409,7 +409,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           cert: "path/to/foo.cert"
           key: "path/to/foo.key"
@@ -435,7 +435,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       certSecret: mytlscert
 
@@ -472,7 +472,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       cert = "path/to/foo.cert"
       key = "path/to/foo.key"
@@ -483,7 +483,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           cert: "path/to/foo.cert"
           key: "path/to/foo.key"
@@ -508,7 +508,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://authserver.com/auth
+    address: https://example.com/auth
     tls:
       insecureSkipVerify: true
 ```
@@ -531,7 +531,7 @@ labels:
 ```toml tab="File (TOML)"
 [http.middlewares]
   [http.middlewares.test-auth.forwardAuth]
-    address = "https://authserver.com/auth"
+    address = "https://example.com/auth"
     [http.middlewares.test-auth.forwardAuth.tls]
       insecureSkipVerify: true
 ```
@@ -541,7 +541,7 @@ http:
   middlewares:
     test-auth:
       forwardAuth:
-        address: "https://authserver.com/auth"
+        address: "https://example.com/auth"
         tls:
           insecureSkipVerify: true
 ```

docs/content/middlewares/headers.md

@@ -197,7 +197,7 @@ This functionality allows for more advanced security features to quickly be set.
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -213,14 +213,16 @@ spec:
       - "GET"
       - "OPTIONS"
       - "PUT"
-    accessControlAllowOrigin: "origin-list-or-null"
+    accessControlAllowOriginList:
+      - "https://foo.bar.org"
+      - "https://example.org"
     accessControlMaxAge: 100
     addVaryHeader: "true"
 ```
 
 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
 - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -228,7 +230,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin": "origin-list-or-null",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
   "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
   "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
 }
@@ -237,7 +239,7 @@ spec:
 ```yaml tab="Rancher"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -246,7 +248,7 @@ labels:
 [http.middlewares]
   [http.middlewares.testHeader.headers]
     accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
     accessControlMaxAge = 100
     addVaryHeader = true
 ```
@@ -260,7 +262,9 @@ http:
           - GET
           - OPTIONS
           - PUT
-        accessControlAllowOrigin: "origin-list-or-null"
+        accessControlAllowOriginList:
+          - https://foo.bar.org
+          - https://example.org
         accessControlMaxAge: 100
         addVaryHeader: true
 ```
@@ -295,14 +299,22 @@ The `accessControlAllowHeaders` indicates which header field names can be used a
 
 The  `accessControlAllowMethods` indicates which methods can be used during requests.
 
-### `accessControlAllowOrigin`
+### `accessControlAllowOriginList`
 
-The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values.
+The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
-The three options for this value are:
 
-- `origin-list-or-null`
+A wildcard origin `*` can also be configured, and will match all requests.
-- `*`
+If this value is set by a backend server, it will be overwritten by Traefik
-- `null`
+
+This value can contains a list of allowed origins.
+
+More information including how to use the settings can be found on:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://www.w3.org/TR/cors/#access-control-allow-origin-response-header)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
+
+Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
 
 ### `accessControlExposeHeaders`
 
@@ -314,7 +326,7 @@ The `accessControlMaxAge` indicates how long a preflight request can be cached.
 
 ### `addVaryHeader`
 
-The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
 
 ### `allowedHosts` 
 

docs/content/middlewares/ipwhitelist.md

@@ -66,7 +66,7 @@ http:
 
 ### `sourceRange`
 
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 
 ### `ipStrategy`
 

docs/content/middlewares/overview.md

@@ -5,9 +5,9 @@ Tweaking the Request
 
 ![Overview](../assets/img/middleware/overview.png)
 
-Attached to the routers, pieces of middleware are a mean of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
+Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
 
-There are many different available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
+There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
 
 Pieces of middleware can be combined in chains to fit every scenario.
 
@@ -130,7 +130,7 @@ http:
 
 ## Provider Namespace
 
-When you declare a middleware, it lives in its provider namespace.
+When you declare a middleware, it lives in its provider's namespace.
 For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
 
 If you use multiple providers and wish to reference a middleware declared in another provider
@@ -143,11 +143,11 @@ then you'll have to append to the middleware name, the `@` separator, followed b
 
 !!! important "Kubernetes Namespace"
 
-	As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
+    As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
-with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
+    with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
-In this case, since the definition of the middleware is not in kubernetes,
+    In this case, since the definition of the middleware is not in kubernetes,
-specifying a "kubernetes namespace" when referring to the resource does not make any sense,
+    specifying a "kubernetes namespace" when referring to the resource does not make any sense,
-and therefore this specification would be ignored even if present.
+    and therefore this specification would be ignored even if present.
 
 !!! abstract "Referencing a Middleware from Another Provider"
 
@@ -188,7 +188,7 @@ and therefore this specification would be ignored even if present.
       entryPoints:
         - web
       routes:
-        - match: Host(`bar.com`)
+        - match: Host(`example.com`)
           kind: Rule
           services:
             - name: whoami

docs/content/middlewares/passtlsclientcert.md

@@ -70,6 +70,7 @@ http:
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
@@ -264,7 +265,7 @@ In the following example, you can see a complete certificate. We will use each p
             Validity
                 Not Before: Dec  6 11:10:16 2018 GMT
                 Not After : Dec  5 11:10:16 2020 GMT
-            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
+            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
             Subject Public Key Info:
                 Public Key Algorithm: rsaEncryption
                     RSA Public-Key: (2048 bit)
@@ -301,7 +302,7 @@ In the following example, you can see a complete certificate. We will use each p
                     keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
     
                 X509v3 Subject Alternative Name: 
-                    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
+                    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
         Signature Algorithm: sha1WithRSAEncryption
              76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
              16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
@@ -421,7 +422,7 @@ The value of the header will be an escaped concatenation of all the selected cer
 The following example shows an unescaped result that uses all the available fields: 
 
 ```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "Multiple certificates"
@@ -470,19 +471,19 @@ The data are taken from the following certificate part:
 
 ```text
  X509v3 Subject Alternative Name: 
-    DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
+    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```
 
 The escape SANs info part will be like:
 
 ```text
-SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
+SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "multiple values"
 
     All the SANs data are separated by a `,`.
-    
+
 #### `info.subject`
 
 The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@@ -490,7 +491,7 @@ The `info.subject` select the specific client certificate subject details you wa
 The data are taken from the following certificate part :
 
 ```text
-Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
+Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
 ```
 
 ##### `info.subject.country`
@@ -548,7 +549,7 @@ The data are taken from the subject part with the `CN` key.
 The escape common name info in the subject part will be like :
 
 ```text
-CN=*.cheese.com
+CN=*.example.com
 ```
 
 ##### `info.subject.serialNumber`

docs/content/middlewares/ratelimit.md

@@ -3,7 +3,7 @@
 To Control the Number of Requests Going to a Service
 {: .subtitle }
 
-The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows you define what is fair.
+The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows one to define what fair is.
 
 ## Configuration Example
 
@@ -24,8 +24,8 @@ metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      average: 100
+    average: 100
-      burst: 50
+    burst: 50
 ```
 
 ```yaml tab="Consul Catalog"
@@ -74,25 +74,32 @@ http:
 
 ### `average`
 
-Average is the maximum rate, in requests/s, allowed for the given source.
+`average` is the maximum rate, by default in requests by second, allowed for the given source.
-It defaults to 0, which means no rate limiting.
+
+It defaults to `0`, which means no rate limiting.
+
+The rate is actually defined by dividing `average` by `period`.
+So for a rate below 1 req/s, one needs to define a `period` larger than a second.
 
 ```yaml tab="Docker"
+# 100 reqs/s
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
 ```yaml tab="Kubernetes"
+# 100 reqs/s
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      average: 100
+    average: 100
 ```
 
 ```yaml tab="Consul Catalog"
+# 100 reqs/s
 - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
@@ -108,12 +115,14 @@ labels:
 ```
 
 ```toml tab="File (TOML)"
+# 100 reqs/s
 [http.middlewares]
   [http.middlewares.test-ratelimit.rateLimit]
     average = 100
 ```
 
 ```yaml tab="File (YAML)"
+# 100 reqs/s
 http:
   middlewares:
     test-ratelimit:
@@ -121,10 +130,78 @@ http:
         average: 100
 ```
 
+### `period`
+
+`period`, in combination with `average`, defines the actual maximum rate, such as:
+
+```go
+r = average / period
+```
+
+It defaults to `1` second.
+
+```yaml tab="Docker"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```yaml tab="Kubernetes"
+# 6 reqs/minute
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    period: 1m
+    average: 6
+```
+
+```yaml tab="Consul Catalog"
+# 6 reqs/minute
+- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
+  "traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
+}
+```
+
+```yaml tab="Rancher"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
+```toml tab="File (TOML)"
+# 6 reqs/minute
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 6
+    period = 1m
+```
+
+```yaml tab="File (YAML)"
+# 6 reqs/minute
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 6
+        period: 1m
+```
+
 ### `burst`
 
-Burst is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
+`burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
-It defaults to 1.
+
+It defaults to `1`.
 
 ```yaml tab="Docker"
 labels:
@@ -138,7 +215,7 @@ metadata:
   name: test-ratelimit
 spec:
   rateLimit:
-      burst: 100
+    burst: 100
 ```
 
 ```yaml tab="Consul Catalog"

docs/content/middlewares/redirectscheme.md

@@ -11,6 +11,132 @@ RedirectScheme redirect request from a scheme to another.
 
 ## Configuration Examples
 
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+```
+
+## Configuration Options
+
+### `permanent`
+
+Set the `permanent` option to `true` to apply a permanent redirection.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    permanent: true
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    permanent = true
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        permanent: true
+```
+
+### `scheme`
+
+The `scheme` option defines the scheme of the new url.
+
 ```yaml tab="Docker"
 # Redirect to https
 labels:
@@ -31,7 +157,7 @@ spec:
 ```yaml tab="Consul Catalog"
 # Redirect to https
 labels:
-- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
 ```json tab="Marathon"
@@ -62,16 +188,64 @@ http:
         scheme: https
 ```
 
-## Configuration Options
-
-### `permanent`
-
-Set the `permanent` option to `true` to apply a permanent redirection.
-
-### `scheme`
-
-The `scheme` option defines the scheme of the new url.
-
 ### `port`
 
 The `port` option defines the port of the new url.
+
+```yaml tab="Docker"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    # ...
+    port: 443
+```
+
+```yaml tab="Consul Catalog"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    port = 443
+```
+
+```yaml tab="File (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        # ...
+        port: 443
+```

docs/content/migration/v1-to-v2.md

@@ -40,7 +40,7 @@ Then any router can refer to an instance of the wanted middleware.
     ```
 
     ```yaml tab="K8s Ingress"
-    apiVersion: extensions/v1beta1
+    apiVersion: networking.k8s.io/v1beta1
     kind: Ingress
     metadata:
       name: traefik
@@ -97,14 +97,14 @@ Then any router can refer to an instance of the wanted middleware.
 
     ```yaml tab="Docker"
     labels:
-      - "traefik.http.routers.router0.rule=Host(`bar.com`) && PathPrefix(`/test`)"
+      - "traefik.http.routers.router0.rule=Host(`example.com`) && PathPrefix(`/test`)"
       - "traefik.http.routers.router0.middlewares=auth"
       - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
     ```
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # https://docs.traefik.io/v2.2/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
@@ -184,39 +184,39 @@ Then any router can refer to an instance of the wanted middleware.
               - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
     ```
 
-## TLS Configuration Is Now Dynamic, per Router.
+## TLS Configuration is Now Dynamic, per Router.
 
 TLS parameters used to be specified in the static configuration, as an entryPoint field.
 With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations.
 Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one of the [TLS configurations](../https/tls.md) defined at the root, hence defining the [TLS configuration](../https/tls.md) for that router.
 
-!!! example "TLS on web-secure entryPoint becomes TLS option on Router-1"
+!!! example "TLS on websecure entryPoint becomes TLS option on Router-1"
 
     !!! info "v1"
     
     ```toml tab="File (TOML)"
     # static configuration
     [entryPoints]
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     
-        [entryPoints.web-secure.tls]
+        [entryPoints.websecure.tls]
           minVersion = "VersionTLS12"
           cipherSuites = [
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-           ]
+          ]
-          [[entryPoints.web-secure.tls.certificates]]
+          [[entryPoints.websecure.tls.certificates]]
             certFile = "path/to/my.cert"
             keyFile = "path/to/my.key"
     ```
 
     ```bash tab="CLI"
-    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
+    --entryPoints='Name:websecure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
     ```
 
     !!! info "v2"
@@ -225,7 +225,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
     # dynamic configuration
     [http.routers]
       [http.routers.Router-1]
-        rule = "Host(`bar.com`)"
+        rule = "Host(`example.com`)"
         service = "service-id"
         # will terminate the TLS request
         [http.routers.Router-1.tls]
@@ -236,26 +236,23 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       keyFile = "/path/to/domain.key"
     
     [tls.options]
-      [tls.options.default]
-        minVersion = "VersionTLS12"
-    
       [tls.options.myTLSOptions]
-        minVersion = "VersionTLS13"
+        minVersion = "VersionTLS12"
         cipherSuites = [
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            ]
+        ]
     ```
 
     ```yaml tab="File (YAML)"
     http:
       routers:
         Router-1:
-          rule: "Host(`bar.com`)"
+          rule: "Host(`example.com`)"
           service: service-id
           # will terminate the TLS request
           tls:
@@ -267,18 +264,18 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
           keyFile: /path/to/domain.key
       options:
         myTLSOptions:
-          minVersion: VersionTLS13
+          minVersion: VersionTLS12
           cipherSuites:
 	        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-	        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+	        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-	        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+	        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 	        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 	        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     ```
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # https://docs.traefik.io/v2.2/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: TLSOption
     metadata:
@@ -286,11 +283,11 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       namespace: default
     
     spec:
-      minVersion: VersionTLS13
+      minVersion: VersionTLS12
       cipherSuites:
 	    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-	    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+	    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-	    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+	    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 	    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 	    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     
@@ -304,7 +301,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       entryPoints:
         - web
       routes:
-        - match: Host(`bar.com`)
+        - match: Host(`example.com`)
           kind: Rule
           services:
             - name: whoami
@@ -322,50 +319,122 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       - "traefik.http.routers.router0.tls.options=myTLSOptions@file"
     ```
 
-## HTTP to HTTPS Redirection Is Now Configured on Routers
+## HTTP to HTTPS Redirection is Now Configured on Routers
 
 Previously on Traefik v1, the redirection was applied on an entry point or on a frontend.
-With Traefik v2 it is applied on a [Router](../routing/routers/index.md). 
+With Traefik v2 it is applied on an entry point or a [Router](../routing/routers/index.md). 
 
-To apply a redirection, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
+To apply a redirection:
 
-!!! example "HTTP to HTTPS redirection"
+- on an entry point, the [HTTP redirection](../routing/entrypoints.md#redirection) has to be configured.
+- on a router, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
+
+!!! example "Global HTTP to HTTPS redirection"
 
     !!! info "v1"
     
     ```toml tab="File (TOML)"
     # static configuration
-    defaultEntryPoints = ["http", "https"]
+    defaultEntryPoints = ["web", "websecure"]
     
     [entryPoints]
-      [entryPoints.http]
+      [entryPoints.web]
         address = ":80"
-        [entryPoints.http.redirect]
+        [entryPoints.web.redirect]
-          entryPoint = "https"
+          entryPoint = "websecure"
 
-      [entryPoints.https]
+      [entryPoints.websecure]
         address = ":443"
-        [entryPoints.https.tls]
+        [entryPoints.websecure.tls]
-          [[entryPoints.https.tls.certificates]]
-            certFile = "examples/traefik.crt"
-            keyFile = "examples/traefik.key"
     ```
 
     ```bash tab="CLI"
-    --entrypoints=Name:web Address::80 Redirect.EntryPoint:web-secure
+    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
-    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key'
+    --entryPoints='Name:websecure Address::443 TLS'
+    ```
+
+    !!! info "v2"
+    
+    ```bash tab="CLI"
+    ## static configuration
+    
+    --entrypoints.web.address=:80
+    --entrypoints.web.http.redirections.entrypoint.to=websecure
+    --entrypoints.web.http.redirections.entrypoint.scheme=https
+    --entrypoints.websecure.address=:443
+    --providers.docker=true
+    ```
+    
+    ```toml tab="File (TOML)"
+    # traefik.toml
+    ## static configuration
+    
+    [entryPoints.web]
+      address = 80
+      [entryPoints.web.http.redirections.entryPoint]
+        to = "websecure"
+        scheme = "https"
+   
+    [entryPoints.websecure]
+      address = 443
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # traefik.yaml
+    ## static configuration
+    
+    entryPoints:
+      web:
+        address: 80
+        http:
+          redirections:
+            entrypoint:
+              to: websecure
+              scheme: https
+    
+      websecure:
+        address: 443
+    ```
+
+!!! example "HTTP to HTTPS redirection per domain"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+        [entryPoints.websecure.tls]
+    
+    [file]
+    
+    [frontends]
+      [frontends.frontend1]
+        entryPoints = ["web", "websecure"]
+        [frontends.frontend1.routes]
+          [frontends.frontend1.routes.route0]
+            rule = "Host:example.net"
+        [frontends.frontend1.redirect]
+          entryPoint = "websecure"
     ```
 
     !!! info "v2"
 
     ```yaml tab="Docker"
     labels:
-    - traefik.http.routers.web.rule=Host(`foo.com`)
+      traefik.http.routers.app.rule: Host(`example.net`)
-    - traefik.http.routers.web.entrypoints=web
+      traefik.http.routers.app.entrypoints: web
-    - traefik.http.routers.web.middlewares=redirect@file
+      traefik.http.routers.app.middlewares: https_redirect
-    - traefik.http.routers.web-secured.rule=Host(`foo.com`)
+    
-    - traefik.http.routers.web-secured.entrypoints=web-secure
+      traefik.http.routers.appsecured.rule: Host(`example.net`)
-    - traefik.http.routers.web-secured.tls=true
+      traefik.http.routers.appsecured.entrypoints: websecure
+      traefik.http.routers.appsecured.tls: true
+    
+      traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
+      traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
     ```
 
     ```yaml tab="K8s IngressRoute"
@@ -378,13 +447,13 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
       entryPoints:
         - web
       routes:
-        - match: Host(`foo.com`)
+        - match: Host(`example.net`)
           kind: Rule
           services:
             - name: whoami
               port: 80
           middlewares:
-            - name: redirect
+            - name: https_redirect
     
     ---
     apiVersion: traefik.containo.us/v1alpha1
@@ -394,7 +463,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     
     spec:
       entryPoints:
-        - web-secure
+        - websecure
       routes:
         - match: Host(`foo`)
           kind: Rule
@@ -407,119 +476,76 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
-      name: redirect
+      name: https_redirect
     spec:
       redirectScheme:
         scheme: https
-      
+        permanent: true
     ```
 
     ```toml tab="File (TOML)"
-    ## static configuration
-    # traefik.toml
-    
-    [entryPoints.web]
-      address = ":80"
-    
-    [entryPoints.web-secure]
-      address = ":443"
-    
-    ##---------------------##
-    
     ## dynamic configuration
     # dynamic-conf.toml
     
     [http.routers]
       [http.routers.router0]
-        rule = "Host(`foo.com`)"
+        rule = "Host(`example.net`)"
         service = "my-service"
         entrypoints = ["web"]
-        middlewares = ["redirect"]
+        middlewares = ["https_redirect"]
     
     [http.routers.router1]
-        rule = "Host(`foo.com`)"
+        rule = "Host(`example.net`)"
         service = "my-service"
-        entrypoints = ["web-secure"]
+        entrypoints = ["websecure"]
         [http.routers.router1.tls]
-        
-    [http.services]
-      [[http.services.my-service.loadBalancer.servers]]
-        url = "http://10.10.10.1:80"
-      [[http.services.my-service.loadBalancer.servers]]
-        url = "http://10.10.10.2:80"
     
     [http.middlewares]
-      [http.middlewares.redirect.redirectScheme]
+      [http.middlewares.https_redirect.redirectScheme]
         scheme = "https"
-    
+        permanent = true
-    [[tls.certificates]]
-      certFile = "/path/to/domain.cert"
-      keyFile = "/path/to/domain.key"
     ```
 
     ```yaml tab="File (YAML)"
-    ## static configuration
-    # traefik.yml
-    
-    entryPoints:
-      web:
-        address: ":80"
-    
-      web-secure:
-        address: ":443"
-    
-    ##---------------------##
-    
     ## dynamic configuration
     # dynamic-conf.yml
     
     http:
       routers:
         router0:
-          rule: "Host(`foo.com`)"
+          rule: "Host(`example.net`)"
           entryPoints:
             - web
           middlewares:
-            - redirect
+            - https_redirect
           service: my-service
     
         router1:
-          rule: "Host(`foo.com`)"
+          rule: "Host(`example.net`)"
           entryPoints:
-            - web-secure
+            - websecure
           service: my-service
           tls: {}
     
-      services:
-        my-service:
-          loadBalancer:
-            servers:
-              - url: http://10.10.10.1:80
-              - url: http://10.10.10.2:80
-    
       middlewares:
-        redirect:
+        https_redirect:
           redirectScheme:
             scheme: https
-    
+            permanent: true
-    tls:
-      certificates:
-        - certFile: /app/certs/server/server.pem
-          keyFile: /app/certs/server/server.pem
     ```
 
 ## Strip and Rewrite Path Prefixes
 
 With the new core notions of v2 (introduced earlier in the section
 ["Frontends and Backends Are Dead... Long Live Routers, Middlewares, and Services"](#frontends-and-backends-are-dead-long-live-routers-middlewares-and-services)),
-transforming the URL path prefix of incoming requests is configured with [middlewares](../../middlewares/overview/),
+transforming the URL path prefix of incoming requests is configured with [middlewares](../middlewares/overview.md),
-after the routing step with [router rule `PathPrefix`](https://docs.traefik.io/v2.0/routing/routers/#rule).
+after the routing step with [router rule `PathPrefix`](../routing/routers/index.md#rule).
 
-Use Case: Incoming requests to `http://company.org/admin` are forwarded to the webapplication "admin",
+Use Case: Incoming requests to `http://example.org/admin` are forwarded to the webapplication "admin",
 with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, you must:
 
-* First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
+- First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
-* Then, define a middleware of type [`stripprefix`](../../middlewares/stripprefix/), which remove the prefix `/admin`, associated to the router `admin`.
+- Then, define a middleware of type [`stripprefix`](../middlewares/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
 
 !!! example "Strip Path Prefix When Forwarding to Backend"
 
@@ -527,7 +553,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 
     ```yaml tab="Docker"
     labels:
-      - "traefik.frontend.rule=Host:company.org;PathPrefixStrip:/admin"
+      - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
     ```
 
     ```yaml tab="Kubernetes Ingress"
@@ -540,7 +566,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
         traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
     spec:
       rules:
-      - host: company.org
+      - host: example.org
         http:
           paths:
           - path: /admin
@@ -552,14 +578,14 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     ```toml tab="File (TOML)"
     [frontends.admin]
       [frontends.admin.routes.admin_1]
-      rule = "Host:company.org;PathPrefixStrip:/admin"
+      rule = "Host:example.org;PathPrefixStrip:/admin"
     ```
 
     !!! info "v2"
 
     ```yaml tab="Docker"
     labels:
-      - "traefik.http.routers.admin.rule=Host(`company.org`) && PathPrefix(`/admin`)"
+      - "traefik.http.routers.admin.rule=Host(`example.org`) && PathPrefix(`/admin`)"
       - "traefik.http.routers.admin.middlewares=admin-stripprefix"
       - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
     ```
@@ -575,7 +601,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       entryPoints:
         - web
       routes:
-        - match: Host(`company.org`) && PathPrefix(`/admin`)
+        - match: Host(`example.org`) && PathPrefix(`/admin`)
           kind: Rule
           services:
             - name: admin-svc
@@ -597,7 +623,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     # dynamic-conf.toml
 
     [http.routers.router1]
-        rule = "Host(`company.org`) && PathPrefix(`/admin`)"
+        rule = "Host(`example.org`) && PathPrefix(`/admin`)"
         service = "admin-svc"
         entrypoints = ["web"]
         middlewares = ["admin-stripprefix"]
@@ -620,7 +646,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
           service: admin-svc
           middlewares:
             - "admin-stripprefix"
-          rule: "Host(`company.org`) && PathPrefix(`/admin`)"
+          rule: "Host(`example.org`) && PathPrefix(`/admin`)"
 
       middlewares:
         admin-stripprefix:
@@ -635,10 +661,10 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 
     Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/stripprefix/), you can also:
 
-    * Add a path prefix with the [`addprefix` middleware](../../middlewares/addprefix/)
+    - Add a path prefix with the [`addprefix` middleware](../../middlewares/addprefix/)
-    * Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/replacepath/)
+    - Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/replacepath/)
-    * ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/replacepathregex/)
+    - ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/replacepathregex/)
-    * And a lot more on the [`middlewares` page](../../middlewares/overview/)
+    - And a lot more on the [`middlewares` page](../../middlewares/overview/)
 
 ## ACME (LetsEncrypt)
 
@@ -650,34 +676,33 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     
     ```toml tab="File (TOML)"
     # static configuration
-    defaultEntryPoints = ["web-secure","web"]
+    defaultEntryPoints = ["websecure","web"]
     
     [entryPoints.web]
     address = ":80"
       [entryPoints.web.redirect]
       entryPoint = "webs"
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
-      [entryPoints.https.tls]
+      [entryPoints.websecure.tls]
     
     [acme]
-      email = "your-email-here@my-awesome-app.org"
+      email = "your-email-here@example.com"
       storage = "acme.json"
-      entryPoint = "web-secure"
+      entryPoint = "websecure"
       onHostRule = true
-      [acme.httpChallenge]
+      [acme.tlsChallenge]
-        entryPoint = "web"
     ```
 
     ```bash tab="CLI"
-    --defaultentrypoints=web-secure,web
+    --defaultentrypoints=websecure,web
-    --entryPoints=Name:web Address::80 Redirect.EntryPoint:web-secure
+    --entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure
-    --entryPoints=Name:web-secure Address::443 TLS
+    --entryPoints=Name:websecure Address::443 TLS
-    --acme.email=your-email-here@my-awesome-app.org
+    --acme.email=your-email-here@example.com
     --acme.storage=acme.json
-    --acme.entryPoint=web-secure
+    --acme.entryPoint=websecure
     --acme.onHostRule=true
-    --acme.httpchallenge.entrypoint=http
+    --acme.tlschallenge=true
     ```
 
     !!! info "v2"
@@ -688,15 +713,15 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
+      [entryPoints.websecure.http.tls]
+        certResolver = "myresolver"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.myresolver.acme]
-      email = "your-email@your-domain.org"
+      email = "your-email@example.com"
       storage = "acme.json"
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
-        # used during the challenge
-        entryPoint = "web"
     ```
 
     ```yaml tab="File (YAML)"
@@ -704,25 +729,26 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
+        http:
+          tls:
+            certResolver: myresolver
     
     certificatesResolvers:
-      sample:
+      myresolver:
         acme:
-          email: your-email@your-domain.org
+          email: your-email@example.com
           storage: acme.json
-          httpChallenge:
+          tlsChallenge: {}
-            # used during the challenge
-            entryPoint: web
     ```
 
     ```bash tab="CLI"
-    --entryPoints.web.address=:80
+    --entrypoints.web.address=:80
-    --entryPoints.websecure.address=:443
+    --entrypoints.websecure.address=:443
-    --certificatesResolvers.sample.acme.email=your-email@your-domain.org
+    --certificatesresolvers.myresolver.acme.email=your-email@example.com
-    --certificatesResolvers.sample.acme.storage=acme.json
+    --certificatesresolvers.myresolver.acme.storage=acme.json
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesresolvers.myresolver.acme.tlschallenge=true
     ```
 
 ## Traefik Logs
@@ -901,7 +927,7 @@ Each root item has been moved to a related section or removed.
     providersThrottleDuration = "2s"
     AllowMinWeightZero = true
     debug = true
-    defaultEntryPoints = ["web", "web-secure"]
+    defaultEntryPoints = ["web", "websecure"]
     keepTrailingSlash = false
     ```
 
@@ -915,7 +941,7 @@ Each root item has been moved to a related section or removed.
     --providersthrottleduration=2s
     --allowminweightzero=true
     --debug=true
-    --defaultentrypoints=web,web-secure
+    --defaultentrypoints=web,websecure
     --keeptrailingslash=true
     ```
 
@@ -971,14 +997,11 @@ Each root item has been moved to a related section or removed.
 ## Dashboard
 
 You need to activate the API to access the [dashboard](../operations/dashboard.md).
-As the dashboard access is now secured by default you can either:
 
-* define a  [specific router](../operations/api.md#configuration) with the `api@internal` service and one authentication middleware like the following example
+To activate the dashboard, you can either:
-* or use the [insecure](../operations/api.md#insecure) option of the API
 
-!!! info "Dashboard with k8s and dedicated router"
+- use the [secure mode](../operations/dashboard.md#secure-mode) with the `api@internal` service like in the following examples
-
+- or use the [insecure mode](../operations/api.md#insecure)
-    As `api@internal` is not a Kubernetes service, you have to use the file provider or the `insecure` API option.
 
 !!! example "Activate and access the dashboard"
 
@@ -988,21 +1011,21 @@ As the dashboard access is now secured by default you can either:
     ## static configuration
     # traefik.toml
     
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
-      [entryPoints.web-secure.tls]
+      [entryPoints.websecure.tls]
-      [entryPoints.web-secure.auth]
+      [entryPoints.websecure.auth]
-        [entryPoints.web-secure.auth.basic]
+        [entryPoints.websecure.auth.basic]
           users = [
             "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
           ]
     
     [api]
-      entryPoint = "web-secure"
+      entryPoint = "websecure"
     ```
 
     ```bash tab="CLI"
-    --entryPoints='Name:web-secure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
+    --entryPoints='Name:websecure Address::443 TLS Auth.Basic.Users:test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
     --api
     ```
 
@@ -1012,7 +1035,7 @@ As the dashboard access is now secured by default you can either:
     # dynamic configuration
     labels:
       - "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
-      - "traefik.http.routers.api.entrypoints=web-secured"
+      - "traefik.http.routers.api.entrypoints=websecure"
       - "traefik.http.routers.api.service=api@internal"
       - "traefik.http.routers.api.middlewares=myAuth"
       - "traefik.http.routers.api.tls"
@@ -1023,7 +1046,7 @@ As the dashboard access is now secured by default you can either:
     ## static configuration
     # traefik.toml
     
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
     
     [api]
@@ -1038,7 +1061,7 @@ As the dashboard access is now secured by default you can either:
     
     [http.routers.api]
       rule = "Host(`traefik.docker.localhost`)"
-      entrypoints = ["web-secure"]
+      entrypoints = ["websecure"]
       service = "api@internal"
       middlewares = ["myAuth"]
       [http.routers.api.tls]
@@ -1054,7 +1077,7 @@ As the dashboard access is now secured by default you can either:
     # traefik.yaml
     
     entryPoints:
-      web-secure:
+      websecure:
         address: ':443'
         
     api: {}
@@ -1073,7 +1096,7 @@ As the dashboard access is now secured by default you can either:
         api:
           rule: Host(`traefik.docker.localhost`)
           entrypoints:
-            - web-secure
+            - websecure
           service: api@internal
           middlewares:
             - myAuth
@@ -1090,28 +1113,28 @@ As the dashboard access is now secured by default you can either:
 
 Supported [providers](../providers/overview.md), for now:
 
-* [ ] Azure Service Fabric
+- [ ] Azure Service Fabric
-* [ ] BoltDB
+- [x] Consul
-* [ ] Consul
+- [x] Consul Catalog
-* [x] Consul Catalog
+- [x] Docker
-* [x] Docker
+- [ ] DynamoDB
-* [ ] DynamoDB
+- [ ] ECS
-* [ ] ECS
+- [x] Etcd
-* [ ] Etcd
+- [ ] Eureka
-* [ ] Eureka
+- [x] File
-* [x] File
+- [x] Kubernetes Ingress
-* [x] Kubernetes Ingress (without annotations)
+- [x] Kubernetes IngressRoute
-* [x] Kubernetes IngressRoute
+- [x] Marathon
-* [x] Marathon
+- [ ] Mesos
-* [ ] Mesos
+- [x] Rancher
-* [x] Rancher
+- [x] Redis
-* [x] Rest
+- [x] Rest
-* [ ] Zookeeper
+- [x] Zookeeper
 
 ## Some Tips You Should Know
 
-* Different sources of static configuration (file, CLI flags, ...) cannot be [mixed](../getting-started/configuration-overview.md#the-static-configuration).
+- Different sources of static configuration (file, CLI flags, ...) cannot be [mixed](../getting-started/configuration-overview.md#the-static-configuration).
-* Now, configuration elements can be referenced between different providers by using the provider namespace notation: `@<provider>`.
+- Now, configuration elements can be referenced between different providers by using the provider namespace notation: `@<provider>`.
   For instance, a router named `myrouter` in a File Provider can refer to a service named `myservice` defined in Docker Provider with the following notation: `myservice@docker`.
-* Middlewares are applied in the same order as their declaration in router.
+- Middlewares are applied in the same order as their declaration in router.
-* If you have any questions feel free to join our [community forum](https://community.containo.us).
+- If you have any questions feel free to join our [community forum](https://community.containo.us).

docs/content/migration/v2.md

@@ -2,8 +2,11 @@
 
 ## v2.0 to v2.1
 
-In v2.1, a new CRD called `TraefikService` was added. While updating an installation to v2.1,
+### Kubernetes CRD
-it is required to apply that CRD before as well as enhance the existing `ClusterRole` definition to allow Traefik to use that CRD.
+
+In v2.1, a new Kubernetes CRD called `TraefikService` was added.
+While updating an installation to v2.1,
+one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
 
 To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
 
@@ -58,38 +61,10 @@ rules:
       - traefik.containo.us
     resources:
       - middlewares
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - traefik.containo.us
-    resources:
       - ingressroutes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - traefik.containo.us
-    resources:
-      - ingressroutetcps
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - traefik.containo.us
-    resources:
-      - tlsoptions
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - traefik.containo.us
-    resources:
       - traefikservices
+      - ingressroutetcps
+      - tlsoptions
     verbs:
       - get
       - list
@@ -97,3 +72,233 @@ rules:
 ```
 
 After having both resources applied, Traefik will work properly.
+
+## v2.1 to v2.2
+
+### Headers middleware: accessControlAllowOrigin
+
+`accessControlAllowOrigin` is deprecated.
+This field will be removed in future 2.x releases.
+Please configure your allowed origins in `accessControlAllowOriginList` instead.
+
+### Kubernetes CRD
+
+In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
+While updating an installation to v2.2,
+one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
+
+To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TLSStore"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
+```
+
+```yaml tab="IngressRouteUDP"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+    verbs:
+      - get
+      - list
+      - watch
+
+```
+
+After having both resources applied, Traefik will work properly.
+
+### Kubernetes Ingress
+
+To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.
+
+#### Expose an Ingress on 80 and 443
+
+Define the default TLS configuration on the HTTPS entry point. 
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: "/foo"
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+    http:
+      tls: {}
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+  [entryPoints.websecure.http]
+    [entryPoints.websecure.http.tls]
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.tls=true
+--providers.kubernetesIngress=true
+```
+
+#### Use TLS only on one Ingress
+
+Define the TLS restriction with annotations.
+
+```yaml tab="Ingress"
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example-tls
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+
+spec:
+  tls:
+  - secretName: myTlsSecret
+
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: ""
+        backend:
+          serviceName: example-com
+          servicePort: 80
+```
+
+Entry points definition and enable Ingress provider:
+
+```yaml tab="File (YAML)"
+# Static configuration
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+
+providers:
+  kubernetesIngress: {}
+```
+
+```toml tab="File (TOML)"
+# Static configuration
+
+[entryPoints.web]
+  address = ":80"
+
+[entryPoints.websecure]
+  address = ":443"
+
+[providers.kubernetesIngress]
+```
+
+```bash tab="CLI"
+# Static configuration
+
+--entryPoints.web.address=:80
+--entryPoints.websecure.address=:443
+--providers.kubernetesIngress=true
+```

docs/content/observability/access-logs.md

@@ -35,7 +35,7 @@ If the given format is unsupported, the default (CLF) is used instead.
 !!! info "Common Log Format"
     
     ```html
-    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
 
 ### `bufferingSize`
@@ -195,6 +195,7 @@ accessLog:
     | `RequestMethod`         | The HTTP method.                                                                                                                                                    |
     | `RequestPath`           | The HTTP request URI, not including the scheme, host or port.                                                                                                       |
     | `RequestProtocol`       | The version of HTTP requested.                                                                                                                                      |
+    | `RequestScheme`         | The HTTP scheme requested `http` or `https`.                                                                                                                        |
     | `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
     | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
     | `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |

docs/content/observability/tracing/elastic.md

@@ -0,0 +1,88 @@
+# Elastic
+
+To enable the Elastic:
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic: {}
+```
+
+```bash tab="CLI"
+--tracing.elastic=true
+```
+
+#### `serverURL`
+
+_Optional, Default="http://localhost:8200"_
+
+APM ServerURL is the URL of the Elastic APM server.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    serverURL = "http://apm:8200"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    serverURL: "http://apm:8200"
+```
+
+```bash tab="CLI"
+--tracing.elastic.serverurl="http://apm:8200"
+```
+
+#### `secretToken`
+
+_Optional, Default=""_
+
+APM Secret Token is the token used to connect to Elastic APM Server.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    secretToken = "mytoken"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    secretToken: "mytoken"
+```
+
+```bash tab="CLI"
+--tracing.elastic.secrettoken="mytoken"
+```
+
+#### `serviceEnvironment`
+
+_Optional, Default=""_
+
+APM Service Environment is the name of the environment Traefik is deployed in, e.g. `production` or `staging`.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    serviceEnvironment = "production"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  elastic:
+    serviceEnvironment: "production"
+```
+
+```bash tab="CLI"
+--tracing.elastic.serviceenvironment="production"
+```
+
+### Further
+
+Additional configuration of Elastic APM Go agent can be done using environment variables.
+See [APM Go agent reference](https://www.elastic.co/guide/en/apm/agent/go/current/configuration.html).

docs/content/observability/tracing/haystack.md

@@ -40,24 +40,24 @@ tracing:
 
 #### `localAgentPort`
 
-_Require, Default=42699_
+_Require, Default=35000_
 
 Local Agent port instructs reporter to send spans to the haystack-agent at this port.
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    localAgentPort = 42699
+    localAgentPort = 35000
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    localAgentPort: 42699
+    localAgentPort: 35000
 ```
 
 ```bash tab="CLI"
---tracing.haystack.localAgentPort=42699
+--tracing.haystack.localAgentPort=35000
 ```
 
 #### `globalTag`
@@ -91,61 +91,61 @@ Specifies the header name that will be used to store the trace ID.
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    traceIDHeaderName = "sample"
+    traceIDHeaderName = "Trace-ID"
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    traceIDHeaderName: sample
+    traceIDHeaderName: Trace-ID
 ```
 
 ```bash tab="CLI"
---tracing.haystack.traceIDHeaderName=sample
+--tracing.haystack.traceIDHeaderName=Trace-ID
 ```
 
 #### `parentIDHeaderName`
 
 _Optional, Default=empty_
 
+Specifies the header name that will be used to store the parent ID.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    parentIDHeaderName = "Parent-Message-ID"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    parentIDHeaderName: Parent-Message-ID
+```
+
+```bash tab="CLI"
+--tracing.haystack.parentIDHeaderName=Parent-Message-ID
+```
+
+#### `spanIDHeaderName`
+
+_Optional, Default=empty_
+
 Specifies the header name that will be used to store the span ID.
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.haystack]
-    parentIDHeaderName = "sample"
+    spanIDHeaderName = "Message-ID"
 ```
 
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
-    parentIDHeaderName: "sample"
+    spanIDHeaderName: Message-ID
 ```
 
 ```bash tab="CLI"
---tracing.haystack.parentIDHeaderName=sample
+--tracing.haystack.spanIDHeaderName=Message-ID
-```
-
-#### `spanIDHeaderName`
-
-_Optional, Default=empty_
-
-Apply shared tag in a form of Key:Value to all the traces.
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    spanIDHeaderName = "sample:test"
-```
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    spanIDHeaderName: "sample:test"
-```
-
-```bash tab="CLI"
---tracing.haystack.spanIDHeaderName=sample:test
 ```
 
 #### `baggagePrefixHeaderName`

docs/content/operations/api.md

@@ -50,21 +50,21 @@ And then define a routing configuration on Traefik itself with the
     However, you can also use "path prefix" rule or any combination or rules.
 
     ```bash tab="Host Rule"
-    # Matches http://traefik.domain.com, http://traefik.domain.com/api
+    # Matches http://traefik.example.com, http://traefik.example.com/api
-    # or http://traefik.domain.com/hello
+    # or http://traefik.example.com/hello
-    rule = "Host(`traefik.domain.com`)"
+    rule = "Host(`traefik.example.com`)"
     ```
 
     ```bash tab="Path Prefix Rule"
-    # Matches http://api.traefik.domain.com/api or http://domain.com/api
+    # Matches http://api.traefik.example.com/api or http://example.com/api
-    # but does not match http://api.traefik.domain.com/hello
+    # but does not match http://api.traefik.example.com/hello
     rule = "PathPrefix(`/api`)"
     ```
 
     ```bash tab="Combination of Rules"
-    # Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
+    # Matches http://traefik.example.com/api or http://traefik.example.com/dashboard
-    # but does not match http://traefik.domain.com/hello
+    # but does not match http://traefik.example.com/hello
-    rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+    rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
     ```
 
 ### `insecure`

docs/content/operations/dashboard.md

@@ -81,22 +81,22 @@ As underlined in the [documentation for the `api.dashboard` option](./api.md#das
 the [router rule](../routing/routers/index.md#rule) defined for Traefik must match
 the path prefixes `/api` and `/dashboard`.
 
-We recommend to use a "Host Based rule" as ```Host(`traefik.domain.com`)``` to match everything on the host domain,
+We recommend to use a "Host Based rule" as ```Host(`traefik.example.com`)``` to match everything on the host domain,
 or to make sure that the defined rule captures both prefixes:
 
 ```bash tab="Host Rule"
-# The dashboard can be accessed on http://traefik.domain.com/dashboard/
+# The dashboard can be accessed on http://traefik.example.com/dashboard/
-rule = "Host(`traefik.domain.com`)"
+rule = "Host(`traefik.example.com`)"
 ```
 
 ```bash tab="Path Prefix Rule"
-# The dashboard can be accessed on http://domain.com/dashboard/ or http://traefik.domain.com/dashboard/
+# The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
 rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 ```
 
 ```bash tab="Combination of Rules"
-# The dashboard can be accessed on http://traefik.domain.com/dashboard/
+# The dashboard can be accessed on http://traefik.example.com/dashboard/
-rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```
 
 ## Insecure Mode

docs/content/operations/include-api-examples.md

@@ -1,7 +1,7 @@
 ```yaml tab="Docker"
 # Dynamic Configuration
 labels:
-  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+  - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
   - "traefik.http.routers.api.service=api@internal"
   - "traefik.http.routers.api.middlewares=auth"
   - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -11,7 +11,7 @@ labels:
 # Dynamic Configuration
 deploy:
   labels:
-    - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+    - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
     - "traefik.http.routers.api.service=api@internal"
     - "traefik.http.routers.api.middlewares=auth"
     - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -19,9 +19,33 @@ deploy:
     - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
 ```
 
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.example.com`)
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
 ```yaml tab="Consul Catalog"
 # Dynamic Configuration
-- "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+- "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
 - "traefik.http.routers.api.service=api@internal"
 - "traefik.http.routers.api.middlewares=auth"
 - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -29,7 +53,7 @@ deploy:
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.routers.api.rule": "Host(`traefik.domain.com`)",
+  "traefik.http.routers.api.rule": "Host(`traefik.example.com`)",
   "traefik.http.routers.api.service": "api@internal",
   "traefik.http.routers.api.middlewares": "auth",
   "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -39,7 +63,7 @@ deploy:
 ```yaml tab="Rancher"
 # Dynamic Configuration
 labels:
-  - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"
+  - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
   - "traefik.http.routers.api.service=api@internal"
   - "traefik.http.routers.api.middlewares=auth"
   - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -48,7 +72,7 @@ labels:
 ```toml tab="File (TOML)"
 # Dynamic Configuration
 [http.routers.my-api]
-  rule = "Host(`traefik.domain.com`)"
+  rule = "Host(`traefik.example.com`)"
   service = "api@internal"
   middlewares = ["auth"]
 
@@ -64,7 +88,7 @@ labels:
 http:
   routers:
     api:
-      rule: Host(`traefik.domain.com`)
+      rule: Host(`traefik.example.com`)
       service: api@internal
       middlewares:
         - auth

docs/content/operations/ping.md

@@ -23,7 +23,8 @@ ping: {}
 
 The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
 
-You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
+The `entryPoint` where the `/ping` is active can be customized with the `entryPoint` option,
+whose default value is `traefik` (port `8080`).
 
 | Path    | Method        | Description                                                                                         |
 |---------|---------------|-----------------------------------------------------------------------------------------------------|
@@ -34,6 +35,8 @@ You can customize the `entryPoint` where the `/ping` is active with the `entryPo
 
 ### `entryPoint`
 
+_Optional, Default="traefik"_
+
 Enabling /ping on a dedicated EntryPoint.
 
 ```toml tab="File (TOML)"

docs/content/providers/consul-catalog.md

@@ -29,7 +29,7 @@ Attach tags to your services and let Traefik do the rest!
     Attaching tags to services
 
     ```yaml
-    - traefik.http.services.my-service.rule=Host(`mydomain.com`)
+    - traefik.http.services.my-service.rule=Host(`example.com`)
     ```
 
 ## Routing Configuration
@@ -565,7 +565,7 @@ Constraints is an expression that Traefik matches against the service's tags to
 That is to say, if none of the service's tags match the expression, no route for that service is created.
 If the expression is empty, all detected services are included.
 
-The expression syntax is based on the `Tag("tag")`, and `TagRegex("tag")` functions,
+The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
 as well as the usual boolean logic, as shown in examples below.
 
 ??? example "Constraints Expression Examples"

docs/content/providers/consul.md

@@ -0,0 +1,216 @@
+# Traefik & Consul
+
+A Story of KV store & Containers
+{: .subtitle }
+
+Store your configuration in Consul and let Traefik do the rest!
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kv.md).
+
+## Provider Configuration
+
+### `endpoints`
+
+_Required, Default="127.0.0.1:8500"_
+
+Defines how to access to Consul.
+
+```toml tab="File (TOML)"
+[providers.consul]
+  endpoints = ["127.0.0.1:8500"]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    endpoints:
+      - "127.0.0.1:8500"
+```
+
+```bash tab="CLI"
+--providers.consul.endpoints=127.0.0.1:8500
+```
+
+### `rootKey`
+
+Defines the root key of the configuration.
+
+_Required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.consul]
+  rootKey = "traefik"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    rootKey: "traefik"
+```
+
+```bash tab="CLI"
+--providers.consul.rootkey=traefik
+```
+
+### `username`
+
+Defines a username to connect with Consul.
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  username = "foo"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    # ...
+    usename: "foo"
+```
+
+```bash tab="CLI"
+--providers.consul.username=foo
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines a password to connect with Consul.
+
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  password = "bar"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    # ...
+    password: "bar"
+```
+
+```bash tab="CLI"
+--providers.consul.password=foo
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to Consul.
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.consul.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to Consul.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.consul.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to Consul.
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.consul.tls.cert=path/to/foo.cert
+--providers.consul.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to Consul.
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.consul.tls.cert=path/to/foo.cert
+--providers.consul.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Consul accepts any certificate presented by the server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.consul.tls.insecureSkipVerify=true
+```

docs/content/providers/docker.md

@@ -40,7 +40,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
       my-container:
         # ...
         labels:
-          - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+          - traefik.http.routers.my-container.rule=Host(`example.com`)
     ```
 
 ??? example "Configuring Docker Swarm & Deploying / Exposing Services"
@@ -79,14 +79,14 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
       my-container:
         deploy:
           labels:
-            - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+            - traefik.http.routers.my-container.rule=Host(`example.com`)
             - traefik.http.services.my-container-service.loadbalancer.server.port=8080
     ```
 
 ## Routing Configuration
 
-When using Docker as a [provider](https://docs.traefik.io/providers/overview/),
+When using Docker as a [provider](./overview.md),
-Trafik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
+Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
 
 See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
 
@@ -116,6 +116,20 @@ Ports detection works as follows:
   by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
   (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#port)).
 
+### Host networking
+
+When exposing containers that are configured with [host networking](https://docs.docker.com/network/host/),
+the IP address of the host is resolved as follows:
+
+<!-- TODO: verify and document the swarm mode case with container.Node.IPAddress coming from the API -->
+- try a lookup of `host.docker.internal`
+- otherwise fall back to `127.0.0.1`
+
+On Linux, (and until [github.com/moby/moby/pull/40007](https://github.com/moby/moby/pull/40007) is included in a release),
+for `host.docker.internal` to be defined, it should be provided as an `extra_host` to the Traefik container,
+using the `--add-host` flag. For example, to set it to the IP address of the bridge interface (docker0 by default):
+`--add-host=host.docker.internal:172.17.0.1`
+
 ### Docker API Access
 
 Traefik requires access to the docker socket to get its dynamic configuration.
@@ -135,7 +149,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
 
     ??? success "Solutions"
 
-        Expose the Docker socket over TCP, instead of the default Unix socket file.
+        Expose the Docker socket over TCP or SSH, instead of the default Unix socket file.
         It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
 
         - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
@@ -145,6 +159,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
         - Accounting at container level, by exposing the socket on a another container than Traefik's.
           With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
         - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
+        - SSH public key authentication (SSH is supported with Docker > 18.09)
 
     ??? info "More Resources and Examples"
         - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
@@ -246,7 +261,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
 
     services:
       traefik:
-         image: traefik:v2.0 # The official v2.0 Traefik docker image
+         image: traefik:v2.2 # The official v2 Traefik docker image
          ports:
            - "80:80"
          volumes:
@@ -273,6 +288,30 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
     # ...
     ```
 
+??? example "Using SSH"
+
+    Using Docker 18.09+ you can connect Traefik to daemon using SSH
+    We specify the SSH host and user in Traefik's configuration file.
+    Note that is server requires public keys for authentication you must have those accessible for user who runs Traefik.
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "ssh://traefik@192.168.2.5:2022"
+      # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        endpoint: "ssh://traefik@192.168.2.5:2022"
+         # ...
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker.endpoint=ssh://traefik@192.168.2.5:2022
+    # ...
+    ```
+
 ### `useBindPortIP`
 
 _Optional, Default=false_
@@ -434,24 +473,48 @@ _Optional, Default=15_
 
 ```toml tab="File (TOML)"
 [providers.docker]
-  swarmModeRefreshSeconds = "30s"
+  swarmModeRefreshSeconds = 30
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   docker:
-    swarmModeRefreshSeconds: "30s"
+    swarmModeRefreshSeconds: 30
     # ...
 ```
 
 ```bash tab="CLI"
---providers.docker.swarmModeRefreshSeconds=30s
+--providers.docker.swarmModeRefreshSeconds=30
 # ...
 ```
 
 Defines the polling interval (in seconds) in Swarm Mode.
 
+### `watch`
+
+_Optional, Default=true_
+
+```toml tab="File (TOML)"
+[providers.docker]
+  watch = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    watch: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.watch=false
+# ...
+```
+
+Watch Docker Swarm events.
+
 ### `constraints`
 
 _Optional, Default=""_

docs/content/providers/etcd.md

@@ -0,0 +1,216 @@
+# Traefik & Etcd
+
+A Story of KV store & Containers
+{: .subtitle }
+
+Store your configuration in Etcd and let Traefik do the rest!
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kv.md).
+
+## Provider Configuration
+
+### `endpoints`
+
+_Required, Default="127.0.0.1:2379"_
+
+Defines how to access to Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd]
+  endpoints = ["127.0.0.1:2379"]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    endpoints:
+      - "127.0.0.1:2379"
+```
+
+```bash tab="CLI"
+--providers.etcd.endpoints=127.0.0.1:2379
+```
+
+### `rootKey`
+
+Defines the root key of the configuration.
+
+_Required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.etcd]
+  rootKey = "traefik"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    rootKey: "traefik"
+```
+
+```bash tab="CLI"
+--providers.etcd.rootkey=traefik
+```
+
+### `username`
+
+Defines a username to connect with Etcd.
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.etcd]
+  # ...
+  username = "foo"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    # ...
+    usename: "foo"
+```
+
+```bash tab="CLI"
+--providers.etcd.username=foo
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines a password to connect with Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd]
+  # ...
+  password = "bar"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    # ...
+    password: "bar"
+```
+
+```bash tab="CLI"
+--providers.etcd.password=foo
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to Etcd.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.cert=path/to/foo.cert
+--providers.etcd.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to Etcd.
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.cert=path/to/foo.cert
+--providers.etcd.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Etcd accepts any certificate presented by the server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  etcd:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.etcd.tls.insecureSkipVerify=true
+```

docs/content/providers/file.md

@@ -118,27 +118,35 @@ If you're in a hurry, maybe you'd rather go through the [dynamic configuration](
     
 ### `filename`
 
-Defines the path of the configuration file.
+Defines the path to the configuration file.
+
+!!! warning ""
+    `filename` and `directory` are mutually exclusive.
+    The recommendation is to use `directory`.
 
 ```toml tab="File (TOML)"
 [providers]
   [providers.file]
-    filename = "dynamic_conf.toml"
+    filename = "/path/to/config/dynamic_conf.toml"
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   file:
-    filename: dynamic_conf.yml
+    filename: /path/to/config/dynamic_conf.yml
 ```
 
 ```bash tab="CLI"
---providers.file.filename=dynamic_conf.toml
+--providers.file.filename=/path/to/config/dynamic_conf.toml
 ```
 
 ### `directory`
 
-Defines the directory that contains the configuration files.
+Defines the path to the directory that contains the configuration files.
+
+!!! warning ""
+    `filename` and `directory` are mutually exclusive.
+    The recommendation is to use `directory`.
 
 ```toml tab="File (TOML)"
 [providers]
@@ -186,8 +194,11 @@ providers:
     Go Templating only works along with dedicated dynamic configuration files.
     Templating does not work in the Traefik main static configuration file.
 
-Traefik allows using Go templating.  
+Traefik allows using Go templating,
-Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the file `template-rules.toml` :
+it must be a valid [Go template](https://golang.org/pkg/text/template/),
+augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
+
+Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the following examples:
 
 ??? example "Configuring Using Templating"
     
@@ -197,7 +208,7 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
     
       [http.routers]
       {{ range $i, $e := until 100 }}
-        [http.routers.router{{ $e }}]
+        [http.routers.router{{ $e }}-{{ env "MY_ENV_VAR" }}]
         # ...
       {{ end }}  
       
@@ -239,40 +250,38 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
     
     ```yaml tab="YAML"
     http:
-    
-    {{range $i, $e := until 100 }}
       routers:
-        router{{ $e }:
+        {{range $i, $e := until 100 }}
+        router{{ $e }}-{{ env "MY_ENV_VAR" }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{range $i, $e := until 100 }}
       services:
+        {{range $i, $e := until 100 }}
         application{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
     tcp:
-    
-    {{range $i, $e := until 100 }}
       routers:
-        router{{ $e }:
+        {{range $i, $e := until 100 }}
+        router{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{range $i, $e := until 100 }}
       services:
+        {{range $i, $e := until 100 }}
         service{{ $e }}:
           # ...
-    {{end}}
+        {{end}}
     
-    {{ range $i, $e := until 10 }}
     tls:
       certificates:
+      {{ range $i, $e := until 10 }}
       - certFile: "/etc/traefik/cert-{{ $e }}.pem"
         keyFile: "/etc/traefik/cert-{{ $e }}.key"
         store:
         - "my-store-foo-{{ $e }}"
         - "my-store-bar-{{ $e }}"
-    {{end}}
+      {{end}}
     ```

docs/content/providers/kubernetes-crd.md

@@ -8,9 +8,43 @@ Traefik used to support Kubernetes only through the [Kubernetes Ingress provider
 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
 
+## Configuration Requirements
+
+!!! tip "All Steps for a Successful Deployment"
+
+    * Add/update **all** the Traefik resources [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions)
+    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources
+    * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment 
+        * Enable the kubernetesCRD provider
+        * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
+    * Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
+ 
+??? example "Initializing Resource Definition and RBAC"
+
+    ```yaml tab="Traefik Resource Definition"
+    # All resources definition must be declared
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+    ```
+
+    ```yaml tab="RBAC for Traefik CRD"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
+    ```
+
 ## Resource Configuration
 
-See the dedicated section in [routing](../routing/providers/kubernetes-crd.md).
+When using KubernetesCRD as a provider,
+Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to retrieve its routing configuration.
+Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
+
+* The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
+* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like:
+    * TLS certificate.
+    * Authentication data.
+* The structure of the configuration.
+* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
+
+The Traefik CRD are building blocks which you can assemble according to your needs.
+See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
 
 ## LetsEncrypt Support with the Custom Resource Definition Provider
 
@@ -26,7 +60,7 @@ If you require LetsEncrypt with HA in a kubernetes environment, we recommend usi
 If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
 When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
-A workaround it to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
+A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
 Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.
 
 ## Provider Configuration

docs/content/providers/kubernetes-ingress.md

@@ -6,7 +6,11 @@ The Kubernetes Ingress Controller.
 The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say,
 it manages access to a cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
 
-## Enabling and using the provider
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kubernetes-ingress.md).
+
+## Enabling and Using the Provider
 
 As usual, the provider is enabled through the static configuration:
 
@@ -23,7 +27,9 @@ providers:
 --providers.kubernetesingress=true
 ```
 
-The provider then watches for incoming ingresses events, such as the example below, and derives the corresponding dynamic configuration from it, which in turn will create the resulting routers, services, handlers, etc.
+The provider then watches for incoming ingresses events, such as the example below,
+and derives the corresponding dynamic configuration from it,
+which in turn will create the resulting routers, services, handlers, etc.
 
 ```yaml tab="File (YAML)"
 kind: Ingress
@@ -34,7 +40,7 @@ metadata:
 
 spec:
   rules:
-    - host: foo.com
+    - host: example.net
       http:
         paths:
           - path: /bar
@@ -49,17 +55,26 @@ spec:
 
 ## LetsEncrypt Support with the Ingress Provider
 
-By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
+By design, Traefik is a stateless application,
-For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
+meaning that it only derives its configuration from the environment it runs in,
+without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA,
+as is a common pattern in the kubernetes ecosystem.
 
-When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered,
-Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+however this could be a single point of failure.
-Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled,
+because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this,
+but due to sub-optimal performance was dropped as a feature in 2.0.
 
-If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+If you require LetsEncrypt with HA in a kubernetes environment,
+we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
 
-If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+If you are wanting to continue to run Traefik Community Edition,
-When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates,
+it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 
 ## Provider Configuration
 
@@ -93,7 +108,8 @@ They are both provided automatically as mounts in the pod where Traefik is deplo
 
 When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
 In which case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication
+and authorization of the associated kubeconfig.
 
 ### `token`
 
@@ -250,7 +266,7 @@ _Optional, Default: empty_
 
 ```toml tab="File (TOML)"
 [providers.kubernetesIngress.ingressEndpoint]
-  hostname = "foo.com"
+  hostname = "example.net"
   # ...
 ```
 
@@ -258,12 +274,12 @@ _Optional, Default: empty_
 providers:
   kubernetesIngress:
     ingressEndpoint:
-      hostname: "foo.com"
+      hostname: "example.net"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.hostname=foo.com
+--providers.kubernetesingress.ingressendpoint.hostname=example.net
 ```
 
 Hostname used for Kubernetes Ingress endpoints.
@@ -298,7 +314,7 @@ _Optional, Default: empty_
 
 ```toml tab="File (TOML)"
 [providers.kubernetesIngress.ingressEndpoint]
-  publishedService = "foo-service"
+  publishedService = "namespace/foo-service"
   # ...
 ```
 
@@ -306,15 +322,16 @@ _Optional, Default: empty_
 providers:
   kubernetesIngress:
     ingressEndpoint:
-      publishedService: "foo-service"
+      publishedService: "namespace/foo-service"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.publishedservice=foo-service
+--providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
 ```
 
 Published Kubernetes Service to copy status from.
+Format: `namespace/servicename`.
 
 ### `throttleDuration`
 
@@ -337,6 +354,21 @@ providers:
 --providers.kubernetesingress.throttleDuration=10s
 ```
 
-## Further
+### Further
 
-If one wants to know more about the various aspects of the Ingress spec that Traefik supports, many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+If one wants to know more about the various aspects of the Ingress spec that Traefik supports,
+many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.2/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+
+## LetsEncrypt Support with the Ingress Provider
+
+By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
+
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+
+If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+
+If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).

docs/content/providers/overview.md

@@ -26,14 +26,18 @@ Even if each provider is different, we can categorize them in four groups:
 
 Below is the list of the currently supported providers in Traefik. 
 
-| Provider                              | Type         | Configuration Type |
+| Provider                              | Type         | Configuration Type         |
-|---------------------------------------|--------------|--------------------|
+|---------------------------------------|--------------|----------------------------|
-| [Docker](./docker.md)                 | Orchestrator | Label              |
+| [Docker](./docker.md)                 | Orchestrator | Label                      |
-| [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource    |
+| [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource or Ingress |
-| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label              |
+| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label                      |
-| [Marathon](./marathon.md)             | Orchestrator | Label              |
+| [Marathon](./marathon.md)             | Orchestrator | Label                      |
-| [Rancher](./rancher.md)               | Orchestrator | Label              |
+| [Rancher](./rancher.md)               | Orchestrator | Label                      |
-| [File](./file.md)                     | Manual       | TOML/YAML format   |
+| [File](./file.md)                     | Manual       | TOML/YAML format           |
+| [Consul](./consul.md)                 | KV           | KV                         |
+| [etcd](./etcd.md)                     | KV           | KV                         |
+| [Redis](./redis.md)                   | KV           | KV                         |
+| [ZooKeeper](./zookeeper.md)           | KV           | KV                         |
 
 !!! info "More Providers"
 

docs/content/providers/rancher.md

@@ -35,7 +35,7 @@ Attach labels to your services and let Traefik do the rest!
 
     ```yaml
     labels:
-      - traefik.http.services.my-service.rule=Host(`mydomain.com`)
+      - traefik.http.services.my-service.rule=Host(`example.com`)
     ```
 
 ## Routing Configuration

docs/content/providers/redis.md

@@ -0,0 +1,216 @@
+# Traefik & Redis
+
+A Story of KV store & Containers
+{: .subtitle }
+
+Store your configuration in Redis and let Traefik do the rest!
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kv.md).
+
+## Provider Configuration
+
+### `endpoints`
+
+_Required, Default="127.0.0.1:6379"_
+
+Defines how to access to Redis.
+
+```toml tab="File (TOML)"
+[providers.redis]
+  endpoints = ["127.0.0.1:6379"]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    endpoints:
+      - "127.0.0.1:6379"
+```
+
+```bash tab="CLI"
+--providers.redis.endpoints=127.0.0.1:6379
+```
+
+### `rootKey`
+
+Defines the root key of the configuration.
+
+_Required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.redis]
+  rootKey = "traefik"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    rootKey: "traefik"
+```
+
+```bash tab="CLI"
+--providers.redis.rootkey=traefik
+```
+
+### `username`
+
+Defines a username to connect with Redis.
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.redis]
+  # ...
+  username = "foo"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    # ...
+    usename: "foo"
+```
+
+```bash tab="CLI"
+--providers.redis.username=foo
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines a password to connect with Redis.
+
+```toml tab="File (TOML)"
+[providers.redis]
+  # ...
+  password = "bar"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    # ...
+    password: "bar"
+```
+
+```bash tab="CLI"
+--providers.redis.password=foo
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to Redis.
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.redis.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to Redis.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.redis.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to Redis.
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.redis.tls.cert=path/to/foo.cert
+--providers.redis.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to Redis.
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.redis.tls.cert=path/to/foo.cert
+--providers.redis.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to Redis accepts any certificate presented by the server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  redis:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.redis.tls.insecureSkipVerify=true
+```

docs/content/providers/zookeeper.md

@@ -0,0 +1,216 @@
+# Traefik & ZooKeeper
+
+A Story of KV store & Containers
+{: .subtitle }
+
+Store your configuration in ZooKeeper and let Traefik do the rest!
+
+## Routing Configuration
+
+See the dedicated section in [routing](../routing/providers/kv.md).
+
+## Provider Configuration
+
+### `endpoints`
+
+_Required, Default="127.0.0.1:2181"_
+
+Defines how to access to ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper]
+  endpoints = ["127.0.0.1:2181"]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    endpoints:
+      - "127.0.0.1:2181"
+```
+
+```bash tab="CLI"
+--providers.zookeeper.endpoints=127.0.0.1:2181
+```
+
+### `rootKey`
+
+Defines the root key of the configuration.
+
+_Required, Default="traefik"_
+
+```toml tab="File (TOML)"
+[providers.zooKeeper]
+  rootKey = "traefik"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    rootKey: "traefik"
+```
+
+```bash tab="CLI"
+--providers.zookeeper.rootkey=traefik
+```
+
+### `username`
+
+Defines a username to connect with ZooKeeper.
+
+_Optional, Default=""_
+
+```toml tab="File (TOML)"
+[providers.zooKeeper]
+  # ...
+  username = "foo"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    # ...
+    usename: "foo"
+```
+
+```bash tab="CLI"
+--providers.zookeeper.username=foo
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines a password to connect with ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper]
+  # ...
+  password = "bar"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    # ...
+    password: "bar"
+```
+
+```bash tab="CLI"
+--providers.zookeeper.password=foo
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secured connection to ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+Policy followed for the secured connection with TLS Client Authentication to ZooKeeper.
+Requires `tls.ca` to be defined.
+
+- `true`: VerifyClientCertIfGiven
+- `false`: RequireAndVerifyClientCert
+- if `tls.ca` is undefined NoClientCert
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secured connection to ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.cert=path/to/foo.cert
+--providers.zookeeper.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secured connection to ZooKeeper.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.cert=path/to/foo.cert
+--providers.zookeeper.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, TLS for the connection to ZooKeeper accepts any certificate presented by the server and any host name in that certificate.
+
+```toml tab="File (TOML)"
+[providers.zooKeeper.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  zooKeeper:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.zookeeper.tls.insecureSkipVerify=true
+```

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -12,100 +12,105 @@
 - "traefik.http.middlewares.middleware03.chain.middlewares=foobar, foobar"
 - "traefik.http.middlewares.middleware04.circuitbreaker.expression=foobar"
 - "traefik.http.middlewares.middleware05.compress=true"
-- "traefik.http.middlewares.middleware06.digestauth.headerfield=foobar"
+- "traefik.http.middlewares.middleware05.compress.excludedcontenttypes=foobar, foobar"
-- "traefik.http.middlewares.middleware06.digestauth.realm=foobar"
+- "traefik.http.middlewares.middleware06.contenttype.autodetect=true"
-- "traefik.http.middlewares.middleware06.digestauth.removeheader=true"
+- "traefik.http.middlewares.middleware07.digestauth.headerfield=foobar"
-- "traefik.http.middlewares.middleware06.digestauth.users=foobar, foobar"
+- "traefik.http.middlewares.middleware07.digestauth.realm=foobar"
-- "traefik.http.middlewares.middleware06.digestauth.usersfile=foobar"
+- "traefik.http.middlewares.middleware07.digestauth.removeheader=true"
-- "traefik.http.middlewares.middleware07.errors.query=foobar"
+- "traefik.http.middlewares.middleware07.digestauth.users=foobar, foobar"
-- "traefik.http.middlewares.middleware07.errors.service=foobar"
+- "traefik.http.middlewares.middleware07.digestauth.usersfile=foobar"
-- "traefik.http.middlewares.middleware07.errors.status=foobar, foobar"
+- "traefik.http.middlewares.middleware08.errors.query=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.address=foobar"
+- "traefik.http.middlewares.middleware08.errors.service=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.authresponseheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware08.errors.status=foobar, foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.ca=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.address=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.caoptional=true"
+- "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.cert=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify=true"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.key=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.trustforwardheader=true"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify=true"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials=true"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.key=foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.trustforwardheader=true"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowcredentials=true"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin=foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolmaxage=42"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin=foobar"
-- "traefik.http.middlewares.middleware09.headers.addvaryheader=true"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.allowedhosts=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.browserxssfilter=true"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage=42"
-- "traefik.http.middlewares.middleware09.headers.contentsecuritypolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.addvaryheader=true"
-- "traefik.http.middlewares.middleware09.headers.contenttypenosniff=true"
+- "traefik.http.middlewares.middleware10.headers.allowedhosts=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.custombrowserxssvalue=foobar"
+- "traefik.http.middlewares.middleware10.headers.browserxssfilter=true"
-- "traefik.http.middlewares.middleware09.headers.customframeoptionsvalue=foobar"
+- "traefik.http.middlewares.middleware10.headers.contentsecuritypolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.customrequestheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.contenttypenosniff=true"
-- "traefik.http.middlewares.middleware09.headers.customrequestheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.custombrowserxssvalue=foobar"
-- "traefik.http.middlewares.middleware09.headers.customresponseheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.customframeoptionsvalue=foobar"
-- "traefik.http.middlewares.middleware09.headers.customresponseheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.customrequestheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.featurepolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.forcestsheader=true"
+- "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.framedeny=true"
+- "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.hostsproxyheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.featurepolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.isdevelopment=true"
+- "traefik.http.middlewares.middleware10.headers.forcestsheader=true"
-- "traefik.http.middlewares.middleware09.headers.publickey=foobar"
+- "traefik.http.middlewares.middleware10.headers.framedeny=true"
-- "traefik.http.middlewares.middleware09.headers.referrerpolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.hostsproxyheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.sslforcehost=true"
+- "traefik.http.middlewares.middleware10.headers.isdevelopment=true"
-- "traefik.http.middlewares.middleware09.headers.sslhost=foobar"
+- "traefik.http.middlewares.middleware10.headers.publickey=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.referrerpolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.sslforcehost=true"
-- "traefik.http.middlewares.middleware09.headers.sslredirect=true"
+- "traefik.http.middlewares.middleware10.headers.sslhost=foobar"
-- "traefik.http.middlewares.middleware09.headers.ssltemporaryredirect=true"
+- "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.stsincludesubdomains=true"
+- "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.stspreload=true"
+- "traefik.http.middlewares.middleware10.headers.sslredirect=true"
-- "traefik.http.middlewares.middleware09.headers.stsseconds=42"
+- "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect=true"
-- "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
-- "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.stspreload=true"
-- "traefik.http.middlewares.middleware10.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.stsseconds=42"
-- "traefik.http.middlewares.middleware11.inflightreq.amount=42"
+- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware12.inflightreq.amount=42"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname=true"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country=true"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requestheadername=foobar"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent=true"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requesthost=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.commonname=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.country=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.domaincomponent=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.locality=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.organization=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.province=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.sans=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.serialnumber=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.notafter=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.notbefore=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.sans=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.serialnumber=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.commonname=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.country=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.pem=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality=true"
-- "traefik.http.middlewares.middleware13.ratelimit.average=42"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization=true"
-- "traefik.http.middlewares.middleware13.ratelimit.burst=42"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province=true"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber=true"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.pem=true"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.average=42"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware14.ratelimit.burst=42"
-- "traefik.http.middlewares.middleware14.redirectregex.permanent=true"
+- "traefik.http.middlewares.middleware14.ratelimit.period=42"
-- "traefik.http.middlewares.middleware14.redirectregex.regex=foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware14.redirectregex.replacement=foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware15.redirectscheme.permanent=true"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requestheadername=foobar"
-- "traefik.http.middlewares.middleware15.redirectscheme.port=foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requesthost=true"
-- "traefik.http.middlewares.middleware15.redirectscheme.scheme=foobar"
+- "traefik.http.middlewares.middleware15.redirectregex.permanent=true"
-- "traefik.http.middlewares.middleware16.replacepath.path=foobar"
+- "traefik.http.middlewares.middleware15.redirectregex.regex=foobar"
-- "traefik.http.middlewares.middleware17.replacepathregex.regex=foobar"
+- "traefik.http.middlewares.middleware15.redirectregex.replacement=foobar"
-- "traefik.http.middlewares.middleware17.replacepathregex.replacement=foobar"
+- "traefik.http.middlewares.middleware16.redirectscheme.permanent=true"
-- "traefik.http.middlewares.middleware18.retry.attempts=42"
+- "traefik.http.middlewares.middleware16.redirectscheme.port=foobar"
-- "traefik.http.middlewares.middleware19.stripprefix.forceslash=true"
+- "traefik.http.middlewares.middleware16.redirectscheme.scheme=foobar"
-- "traefik.http.middlewares.middleware19.stripprefix.prefixes=foobar, foobar"
+- "traefik.http.middlewares.middleware17.replacepath.path=foobar"
-- "traefik.http.middlewares.middleware20.stripprefixregex.regex=foobar, foobar"
+- "traefik.http.middlewares.middleware18.replacepathregex.regex=foobar"
+- "traefik.http.middlewares.middleware18.replacepathregex.replacement=foobar"
+- "traefik.http.middlewares.middleware19.retry.attempts=42"
+- "traefik.http.middlewares.middleware20.stripprefix.forceslash=true"
+- "traefik.http.middlewares.middleware20.stripprefix.prefixes=foobar, foobar"
+- "traefik.http.middlewares.middleware21.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.priority=42"
@@ -130,6 +135,7 @@
 - "traefik.http.routers.router1.tls.domains[1].main=foobar"
 - "traefik.http.routers.router1.tls.domains[1].sans=foobar, foobar"
 - "traefik.http.routers.router1.tls.options=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.followredirects=true"
 - "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.hostname=foobar"
@@ -138,6 +144,7 @@
 - "traefik.http.services.service01.loadbalancer.healthcheck.port=42"
 - "traefik.http.services.service01.loadbalancer.healthcheck.scheme=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.timeout=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.followredirects=true"
 - "traefik.http.services.service01.loadbalancer.passhostheader=true"
 - "traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval=foobar"
 - "traefik.http.services.service01.loadbalancer.sticky=true"
@@ -170,3 +177,8 @@
 - "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
 - "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay=42"
 - "traefik.tcp.services.tcpservice01.loadbalancer.server.port=foobar"
+- "traefik.udp.routers.udprouter0.entrypoints=foobar, foobar"
+- "traefik.udp.routers.udprouter0.service=foobar"
+- "traefik.udp.routers.udprouter1.entrypoints=foobar, foobar"
+- "traefik.udp.routers.udprouter1.service=foobar"
+- "traefik.udp.services.udpservice01.loadbalancer.server.port=foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -56,6 +56,7 @@
           interval = "foobar"
           timeout = "foobar"
           hostname = "foobar"
+          followRedirects = true
           [http.services.Service01.loadBalancer.healthCheck.headers]
             name0 = "foobar"
             name1 = "foobar"
@@ -64,6 +65,7 @@
     [http.services.Service02]
       [http.services.Service02.mirroring]
         service = "foobar"
+        maxBodySize = 42
 
         [[http.services.Service02.mirroring.mirrors]]
           name = "foobar"
@@ -113,35 +115,40 @@
         expression = "foobar"
     [http.middlewares.Middleware05]
       [http.middlewares.Middleware05.compress]
+        excludedContentTypes = ["foobar", "foobar"]
     [http.middlewares.Middleware06]
-      [http.middlewares.Middleware06.digestAuth]
+      [http.middlewares.Middleware06.contentType]
+        autoDetect = true
+    [http.middlewares.Middleware07]
+      [http.middlewares.Middleware07.digestAuth]
         users = ["foobar", "foobar"]
         usersFile = "foobar"
         removeHeader = true
         realm = "foobar"
         headerField = "foobar"
-    [http.middlewares.Middleware07]
+    [http.middlewares.Middleware08]
-      [http.middlewares.Middleware07.errors]
+      [http.middlewares.Middleware08.errors]
         status = ["foobar", "foobar"]
         service = "foobar"
         query = "foobar"
-    [http.middlewares.Middleware08]
+    [http.middlewares.Middleware09]
-      [http.middlewares.Middleware08.forwardAuth]
+      [http.middlewares.Middleware09.forwardAuth]
         address = "foobar"
         trustForwardHeader = true
         authResponseHeaders = ["foobar", "foobar"]
-        [http.middlewares.Middleware08.forwardAuth.tls]
+        [http.middlewares.Middleware09.forwardAuth.tls]
           ca = "foobar"
           caOptional = true
           cert = "foobar"
           key = "foobar"
           insecureSkipVerify = true
-    [http.middlewares.Middleware09]
+    [http.middlewares.Middleware10]
-      [http.middlewares.Middleware09.headers]
+      [http.middlewares.Middleware10.headers]
         accessControlAllowCredentials = true
         accessControlAllowHeaders = ["foobar", "foobar"]
         accessControlAllowMethods = ["foobar", "foobar"]
         accessControlAllowOrigin = "foobar"
+        accessControlAllowOriginList = ["foobar", "foobar"]
         accessControlExposeHeaders = ["foobar", "foobar"]
         accessControlMaxAge = 42
         addVaryHeader = true
@@ -165,38 +172,39 @@
         referrerPolicy = "foobar"
         featurePolicy = "foobar"
         isDevelopment = true
-        [http.middlewares.Middleware09.headers.customRequestHeaders]
+        [http.middlewares.Middleware10.headers.customRequestHeaders]
           name0 = "foobar"
           name1 = "foobar"
-        [http.middlewares.Middleware09.headers.customResponseHeaders]
+        [http.middlewares.Middleware10.headers.customResponseHeaders]
           name0 = "foobar"
           name1 = "foobar"
-        [http.middlewares.Middleware09.headers.sslProxyHeaders]
+        [http.middlewares.Middleware10.headers.sslProxyHeaders]
           name0 = "foobar"
           name1 = "foobar"
-    [http.middlewares.Middleware10]
+    [http.middlewares.Middleware11]
-      [http.middlewares.Middleware10.ipWhiteList]
+      [http.middlewares.Middleware11.ipWhiteList]
         sourceRange = ["foobar", "foobar"]
-        [http.middlewares.Middleware10.ipWhiteList.ipStrategy]
+        [http.middlewares.Middleware11.ipWhiteList.ipStrategy]
           depth = 42
           excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware11]
+    [http.middlewares.Middleware12]
-      [http.middlewares.Middleware11.inFlightReq]
+      [http.middlewares.Middleware12.inFlightReq]
         amount = 42
-        [http.middlewares.Middleware11.inFlightReq.sourceCriterion]
+        [http.middlewares.Middleware12.inFlightReq.sourceCriterion]
           requestHeaderName = "foobar"
           requestHost = true
-          [http.middlewares.Middleware11.inFlightReq.sourceCriterion.ipStrategy]
+          [http.middlewares.Middleware12.inFlightReq.sourceCriterion.ipStrategy]
             depth = 42
             excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware12]
+    [http.middlewares.Middleware13]
-      [http.middlewares.Middleware12.passTLSClientCert]
+      [http.middlewares.Middleware13.passTLSClientCert]
         pem = true
-        [http.middlewares.Middleware12.passTLSClientCert.info]
+        [http.middlewares.Middleware13.passTLSClientCert.info]
           notAfter = true
           notBefore = true
           sans = true
-          [http.middlewares.Middleware12.passTLSClientCert.info.subject]
+          serialNumber = true
+          [http.middlewares.Middleware13.passTLSClientCert.info.subject]
             country = true
             province = true
             locality = true
@@ -204,7 +212,7 @@
             commonName = true
             serialNumber = true
             domainComponent = true
-          [http.middlewares.Middleware12.passTLSClientCert.info.issuer]
+          [http.middlewares.Middleware13.passTLSClientCert.info.issuer]
             country = true
             province = true
             locality = true
@@ -212,42 +220,43 @@
             commonName = true
             serialNumber = true
             domainComponent = true
-    [http.middlewares.Middleware13]
+    [http.middlewares.Middleware14]
-      [http.middlewares.Middleware13.rateLimit]
+      [http.middlewares.Middleware14.rateLimit]
         average = 42
+        period = 42
         burst = 42
-        [http.middlewares.Middleware13.rateLimit.sourceCriterion]
+        [http.middlewares.Middleware14.rateLimit.sourceCriterion]
           requestHeaderName = "foobar"
           requestHost = true
-          [http.middlewares.Middleware13.rateLimit.sourceCriterion.ipStrategy]
+          [http.middlewares.Middleware14.rateLimit.sourceCriterion.ipStrategy]
             depth = 42
             excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware14]
+    [http.middlewares.Middleware15]
-      [http.middlewares.Middleware14.redirectRegex]
+      [http.middlewares.Middleware15.redirectRegex]
         regex = "foobar"
         replacement = "foobar"
         permanent = true
-    [http.middlewares.Middleware15]
+    [http.middlewares.Middleware16]
-      [http.middlewares.Middleware15.redirectScheme]
+      [http.middlewares.Middleware16.redirectScheme]
         scheme = "foobar"
         port = "foobar"
         permanent = true
-    [http.middlewares.Middleware16]
-      [http.middlewares.Middleware16.replacePath]
-        path = "foobar"
     [http.middlewares.Middleware17]
-      [http.middlewares.Middleware17.replacePathRegex]
+      [http.middlewares.Middleware17.replacePath]
+        path = "foobar"
+    [http.middlewares.Middleware18]
+      [http.middlewares.Middleware18.replacePathRegex]
         regex = "foobar"
         replacement = "foobar"
-    [http.middlewares.Middleware18]
-      [http.middlewares.Middleware18.retry]
-        attempts = 42
     [http.middlewares.Middleware19]
-      [http.middlewares.Middleware19.stripPrefix]
+      [http.middlewares.Middleware19.retry]
+        attempts = 42
+    [http.middlewares.Middleware20]
+      [http.middlewares.Middleware20.stripPrefix]
         prefixes = ["foobar", "foobar"]
         forceSlash = true
-    [http.middlewares.Middleware20]
+    [http.middlewares.Middleware21]
-      [http.middlewares.Middleware20.stripPrefixRegex]
+      [http.middlewares.Middleware21.stripPrefixRegex]
         regex = ["foobar", "foobar"]
 
 [tcp]
@@ -305,6 +314,34 @@
           name = "foobar"
           weight = 42
 
+[udp]
+  [udp.routers]
+    [udp.routers.UDPRouter0]
+      entryPoints = ["foobar", "foobar"]
+      service = "foobar"
+    [udp.routers.UDPRouter1]
+      entryPoints = ["foobar", "foobar"]
+      service = "foobar"
+  [udp.services]
+    [udp.services.UDPService01]
+      [udp.services.UDPService01.loadBalancer]
+
+        [[udp.services.UDPService01.loadBalancer.servers]]
+          address = "foobar"
+
+        [[udp.services.UDPService01.loadBalancer.servers]]
+          address = "foobar"
+    [udp.services.UDPService02]
+      [udp.services.UDPService02.weighted]
+
+        [[udp.services.UDPService02.weighted.services]]
+          name = "foobar"
+          weight = 42
+
+        [[udp.services.UDPService02.weighted.services]]
+          name = "foobar"
+          weight = 42
+
 [tls]
 
   [[tls.certificates]]
@@ -321,8 +358,9 @@
       minVersion = "foobar"
       maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
-      sniStrict = true
       curvePreferences = ["foobar", "foobar"]
+      sniStrict = true
+      preferServerCipherSuites = true
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"
@@ -330,8 +368,9 @@
       minVersion = "foobar"
       maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
-      sniStrict = true
       curvePreferences = ["foobar", "foobar"]
+      sniStrict = true
+      preferServerCipherSuites = true
       [tls.options.Options1.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"

docs/content/reference/dynamic-configuration/file.yaml

@@ -62,6 +62,7 @@ http:
           interval: foobar
           timeout: foobar
           hostname: foobar
+          followRedirects: true
           headers:
             name0: foobar
             name1: foobar
@@ -71,6 +72,7 @@ http:
     Service02:
       mirroring:
         service: foobar
+        maxBodySize: 42
         mirrors:
         - name: foobar
           percent: 42
@@ -117,8 +119,14 @@ http:
       circuitBreaker:
         expression: foobar
     Middleware05:
-      compress: {}
+      compress:
+        excludedContentTypes:
+        - foobar
+        - foobar
     Middleware06:
+      contentType:
+        autoDetect: true
+    Middleware07:
       digestAuth:
         users:
         - foobar
@@ -127,14 +135,14 @@ http:
         removeHeader: true
         realm: foobar
         headerField: foobar
-    Middleware07:
+    Middleware08:
       errors:
         status:
         - foobar
         - foobar
         service: foobar
         query: foobar
-    Middleware08:
+    Middleware09:
       forwardAuth:
         address: foobar
         tls:
@@ -147,7 +155,7 @@ http:
         authResponseHeaders:
         - foobar
         - foobar
-    Middleware09:
+    Middleware10:
       headers:
         customRequestHeaders:
           name0: foobar
@@ -163,6 +171,9 @@ http:
         - foobar
         - foobar
         accessControlAllowOrigin: foobar
+        accessControlAllowOriginList:
+        - foobar
+        - foobar
         accessControlExposeHeaders:
         - foobar
         - foobar
@@ -195,7 +206,7 @@ http:
         referrerPolicy: foobar
         featurePolicy: foobar
         isDevelopment: true
-    Middleware10:
+    Middleware11:
       ipWhiteList:
         sourceRange:
         - foobar
@@ -205,7 +216,7 @@ http:
           excludedIPs:
           - foobar
           - foobar
-    Middleware11:
+    Middleware12:
       inFlightReq:
         amount: 42
         sourceCriterion:
@@ -216,7 +227,7 @@ http:
             - foobar
           requestHeaderName: foobar
           requestHost: true
-    Middleware12:
+    Middleware13:
       passTLSClientCert:
         pem: true
         info:
@@ -239,9 +250,11 @@ http:
             commonName: true
             serialNumber: true
             domainComponent: true
-    Middleware13:
+          serialNumber: true
+    Middleware14:
       rateLimit:
         average: 42
+        period: 42
         burst: 42
         sourceCriterion:
           ipstrategy:
@@ -251,33 +264,33 @@ http:
             - foobar
           requestHeaderName: foobar
           requestHost: true
-    Middleware14:
+    Middleware15:
       redirectRegex:
         regex: foobar
         replacement: foobar
         permanent: true
-    Middleware15:
+    Middleware16:
       redirectScheme:
         scheme: foobar
         port: foobar
         permanent: true
-    Middleware16:
+    Middleware17:
       replacePath:
         path: foobar
-    Middleware17:
+    Middleware18:
       replacePathRegex:
         regex: foobar
         replacement: foobar
-    Middleware18:
+    Middleware19:
       retry:
         attempts: 42
-    Middleware19:
+    Middleware20:
       stripPrefix:
         prefixes:
         - foobar
         - foobar
         forceSlash: true
-    Middleware20:
+    Middleware21:
       stripPrefixRegex:
         regex:
         - foobar
@@ -336,6 +349,31 @@ tcp:
           weight: 42
         - name: foobar
           weight: 42
+udp:
+  routers:
+    UDPRouter0:
+      entryPoints:
+      - foobar
+      - foobar
+      service: foobar
+    UDPRouter1:
+      entryPoints:
+      - foobar
+      - foobar
+      service: foobar
+  services:
+    UDPService01:
+      loadBalancer:
+        servers:
+        - address: foobar
+        - address: foobar
+    UDPService02:
+      weighted:
+        services:
+        - name: foobar
+          weight: 42
+        - name: foobar
+          weight: 42
 tls:
   certificates:
   - certFile: foobar
@@ -353,8 +391,8 @@ tls:
       minVersion: foobar
       maxVersion: foobar
       cipherSuites:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
       curvePreferences:
       - foobar
       - foobar
@@ -364,12 +402,13 @@ tls:
         - foobar
         clientAuthType: foobar
       sniStrict: true
+      preferServerCipherSuites: true
     Options1:
       minVersion: foobar
       maxVersion: foobar
       cipherSuites:
-        - foobar
+      - foobar
-        - foobar
+      - foobar
       curvePreferences:
       - foobar
       - foobar
@@ -379,6 +418,7 @@ tls:
         - foobar
         clientAuthType: foobar
       sniStrict: true
+      preferServerCipherSuites: true
   stores:
     Store0:
       defaultCertificate:

docs/content/reference/dynamic-configuration/kubernetes-crd-definition.yml

@@ -12,21 +12,6 @@ spec:
     singular: ingressroute
   scope: Namespaced
 
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: ingressroutetcps.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: IngressRouteTCP
-    plural: ingressroutetcps
-    singular: ingressroutetcp
-  scope: Namespaced
-
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -42,6 +27,36 @@ spec:
     singular: middleware
   scope: Namespaced
 
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -57,6 +72,21 @@ spec:
     singular: tlsoption
   scope: Namespaced
 
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -71,90 +101,3 @@ spec:
     plural: traefikservices
     singular: traefikservice
   scope: Namespaced
-
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: traefik-ingress-controller
-
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - endpoints
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - traefik.containo.us
-    resources:
-      - middlewares
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - traefik.containo.us
-    resources:
-      - ingressroutes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - traefik.containo.us
-    resources:
-      - ingressroutetcps
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - traefik.containo.us
-    resources:
-      - tlsoptions
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - traefik.containo.us
-    resources:
-      - traefikservices
-    verbs:
-      - get
-      - list
-      - watch
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: traefik-ingress-controller
-
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: traefik-ingress-controller
-subjects:
-  - kind: ServiceAccount
-    name: traefik-ingress-controller
-    namespace: default

docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

@@ -0,0 +1,59 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: default

docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml

@@ -1,77 +1,3 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: ingressroutes.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: IngressRoute
-    plural: ingressroutes
-    singular: ingressroute
-  scope: Namespaced
-
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: middlewares.traefik.containo.us
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: Middleware
-    plural: middlewares
-    singular: middleware
-  scope: Namespaced
-
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: tlsoptions.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TLSOption
-    plural: tlsoptions
-    singular: tlsoption
-  scope: Namespaced
-
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: ingressroutetcps.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: IngressRouteTCP
-    plural: ingressroutetcps
-    singular: ingressroutetcp
-  scope: Namespaced
-
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: traefikservices.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TraefikService
-    plural: traefikservices
-    singular: traefikservice
-  scope: Namespaced
-
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: TraefikService
 metadata:
@@ -139,6 +65,8 @@ spec:
     kind: TraefikService
     mirrors:
       - name: s2
+        # Optional
+        maxBodySize: 2000000000
         # Optional, as it is the default value
         kind: Service
         percent: 20
@@ -152,9 +80,9 @@ metadata:
 spec:
   entryPoints:
     - web
-    - web-secure
+    - websecure
   routes:
-    - match: Host(`foo.com`) && PathPrefix(`/bar`)
+    - match: Host(`example.net`) && PathPrefix(`/bar`)
       kind: Rule
       priority: 12
       # defining several services is possible and allowed, but for now the servers of
@@ -219,7 +147,7 @@ spec:
   entryPoints:
     - footcp
   routes:
-    - match: HostSNI(`bar.com`)
+    - match: HostSNI(`example.com`)
       services:
         - name: whoamitcp
           port: 8080
@@ -229,3 +157,42 @@ spec:
     options:
       name: myTLSOption
       namespace: default
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteUDP
+metadata:
+  name: ingressrouteudp.crd
+  namespace: default
+
+spec:
+  entryPoints:
+    - footcp
+  routes:
+    - services:
+        - name: whoamiudp
+          port: 8080
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: tlsoption
+  namespace: default
+
+spec:
+  minVersion: foobar
+  maxVersion: foobar
+  cipherSuites:
+    - foobar
+    - foobar
+  curvePreferences:
+    - foobar
+    - foobar
+  clientAuth:
+    caFiles:
+      - foobar
+      - foobar
+    clientAuthType: foobar
+  sniStrict: true
+  preferServerCipherSuites: true

docs/content/reference/dynamic-configuration/kubernetes-crd.md

@@ -3,6 +3,20 @@
 Dynamic configuration with Kubernetes Custom Resource
 {: .subtitle }
 
+## Definitions
+
 ```yaml
---8<-- "content/reference/dynamic-configuration/kubernetes-crd.yml"
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+```
+
+## Resources
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-resource.yml"
+```
+
+## RBAC
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
 ```

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -0,0 +1,268 @@
+| `traefik/http/middlewares/Middleware00/addPrefix/prefix` | `foobar` |
+| `traefik/http/middlewares/Middleware01/basicAuth/headerField` | `foobar` |
+| `traefik/http/middlewares/Middleware01/basicAuth/realm` | `foobar` |
+| `traefik/http/middlewares/Middleware01/basicAuth/removeHeader` | `true` |
+| `traefik/http/middlewares/Middleware01/basicAuth/users/0` | `foobar` |
+| `traefik/http/middlewares/Middleware01/basicAuth/users/1` | `foobar` |
+| `traefik/http/middlewares/Middleware01/basicAuth/usersFile` | `foobar` |
+| `traefik/http/middlewares/Middleware02/buffering/maxRequestBodyBytes` | `42` |
+| `traefik/http/middlewares/Middleware02/buffering/maxResponseBodyBytes` | `42` |
+| `traefik/http/middlewares/Middleware02/buffering/memRequestBodyBytes` | `42` |
+| `traefik/http/middlewares/Middleware02/buffering/memResponseBodyBytes` | `42` |
+| `traefik/http/middlewares/Middleware02/buffering/retryExpression` | `foobar` |
+| `traefik/http/middlewares/Middleware03/chain/middlewares/0` | `foobar` |
+| `traefik/http/middlewares/Middleware03/chain/middlewares/1` | `foobar` |
+| `traefik/http/middlewares/Middleware04/circuitBreaker/expression` | `foobar` |
+| `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/0` | `foobar` |
+| `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/1` | `foobar` |
+| `traefik/http/middlewares/Middleware06/contentType/autoDetect` | `true` |
+| `traefik/http/middlewares/Middleware07/digestAuth/headerField` | `foobar` |
+| `traefik/http/middlewares/Middleware07/digestAuth/realm` | `foobar` |
+| `traefik/http/middlewares/Middleware07/digestAuth/removeHeader` | `true` |
+| `traefik/http/middlewares/Middleware07/digestAuth/users/0` | `foobar` |
+| `traefik/http/middlewares/Middleware07/digestAuth/users/1` | `foobar` |
+| `traefik/http/middlewares/Middleware07/digestAuth/usersFile` | `foobar` |
+| `traefik/http/middlewares/Middleware08/errors/query` | `foobar` |
+| `traefik/http/middlewares/Middleware08/errors/service` | `foobar` |
+| `traefik/http/middlewares/Middleware08/errors/status/0` | `foobar` |
+| `traefik/http/middlewares/Middleware08/errors/status/1` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/address` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeaders/0` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeaders/1` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/tls/ca` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/tls/caOptional` | `true` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/tls/cert` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/tls/insecureSkipVerify` | `true` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/tls/key` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/trustForwardHeader` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowCredentials` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowHeaders/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowHeaders/1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowMethods/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowMethods/1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOrigin` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginList/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginList/1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlExposeHeaders/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlExposeHeaders/1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlMaxAge` | `42` |
+| `traefik/http/middlewares/Middleware10/headers/addVaryHeader` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/allowedHosts/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/allowedHosts/1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/browserXssFilter` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/contentSecurityPolicy` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/contentTypeNosniff` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/customBrowserXSSValue` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/customFrameOptionsValue` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/customRequestHeaders/name0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/customRequestHeaders/name1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/featurePolicy` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/forceSTSHeader` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/frameDeny` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/hostsProxyHeaders/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/hostsProxyHeaders/1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/isDevelopment` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/publicKey` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/referrerPolicy` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/sslForceHost` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/sslHost` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/sslRedirect` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/sslTemporaryRedirect` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
+| `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
+| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/depth` | `42` |
+| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/0` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/1` | `foobar` |
+| `traefik/http/middlewares/Middleware12/inFlightReq/amount` | `42` |
+| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
+| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
+| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/requestHeaderName` | `foobar` |
+| `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/requestHost` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/issuer/commonName` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/issuer/country` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/issuer/domainComponent` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/issuer/locality` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/issuer/organization` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/issuer/province` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/issuer/serialNumber` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/notAfter` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/notBefore` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/sans` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/serialNumber` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/commonName` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/country` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/domainComponent` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/locality` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/organization` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/province` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/serialNumber` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/pem` | `true` |
+| `traefik/http/middlewares/Middleware14/rateLimit/average` | `42` |
+| `traefik/http/middlewares/Middleware14/rateLimit/burst` | `42` |
+| `traefik/http/middlewares/Middleware14/rateLimit/period` | `42` |
+| `traefik/http/middlewares/Middleware14/rateLimit/sourceCriterion/ipStrategy/depth` | `42` |
+| `traefik/http/middlewares/Middleware14/rateLimit/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
+| `traefik/http/middlewares/Middleware14/rateLimit/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware14/rateLimit/sourceCriterion/requestHeaderName` | `foobar` |
+| `traefik/http/middlewares/Middleware14/rateLimit/sourceCriterion/requestHost` | `true` |
+| `traefik/http/middlewares/Middleware15/redirectRegex/permanent` | `true` |
+| `traefik/http/middlewares/Middleware15/redirectRegex/regex` | `foobar` |
+| `traefik/http/middlewares/Middleware15/redirectRegex/replacement` | `foobar` |
+| `traefik/http/middlewares/Middleware16/redirectScheme/permanent` | `true` |
+| `traefik/http/middlewares/Middleware16/redirectScheme/port` | `foobar` |
+| `traefik/http/middlewares/Middleware16/redirectScheme/scheme` | `foobar` |
+| `traefik/http/middlewares/Middleware17/replacePath/path` | `foobar` |
+| `traefik/http/middlewares/Middleware18/replacePathRegex/regex` | `foobar` |
+| `traefik/http/middlewares/Middleware18/replacePathRegex/replacement` | `foobar` |
+| `traefik/http/middlewares/Middleware19/retry/attempts` | `42` |
+| `traefik/http/middlewares/Middleware20/stripPrefix/forceSlash` | `true` |
+| `traefik/http/middlewares/Middleware20/stripPrefix/prefixes/0` | `foobar` |
+| `traefik/http/middlewares/Middleware20/stripPrefix/prefixes/1` | `foobar` |
+| `traefik/http/middlewares/Middleware21/stripPrefixRegex/regex/0` | `foobar` |
+| `traefik/http/middlewares/Middleware21/stripPrefixRegex/regex/1` | `foobar` |
+| `traefik/http/routers/Router0/entryPoints/0` | `foobar` |
+| `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
+| `traefik/http/routers/Router0/middlewares/0` | `foobar` |
+| `traefik/http/routers/Router0/middlewares/1` | `foobar` |
+| `traefik/http/routers/Router0/priority` | `42` |
+| `traefik/http/routers/Router0/rule` | `foobar` |
+| `traefik/http/routers/Router0/service` | `foobar` |
+| `traefik/http/routers/Router0/tls/certResolver` | `foobar` |
+| `traefik/http/routers/Router0/tls/domains/0/main` | `foobar` |
+| `traefik/http/routers/Router0/tls/domains/0/sans/0` | `foobar` |
+| `traefik/http/routers/Router0/tls/domains/0/sans/1` | `foobar` |
+| `traefik/http/routers/Router0/tls/domains/1/main` | `foobar` |
+| `traefik/http/routers/Router0/tls/domains/1/sans/0` | `foobar` |
+| `traefik/http/routers/Router0/tls/domains/1/sans/1` | `foobar` |
+| `traefik/http/routers/Router0/tls/options` | `foobar` |
+| `traefik/http/routers/Router1/entryPoints/0` | `foobar` |
+| `traefik/http/routers/Router1/entryPoints/1` | `foobar` |
+| `traefik/http/routers/Router1/middlewares/0` | `foobar` |
+| `traefik/http/routers/Router1/middlewares/1` | `foobar` |
+| `traefik/http/routers/Router1/priority` | `42` |
+| `traefik/http/routers/Router1/rule` | `foobar` |
+| `traefik/http/routers/Router1/service` | `foobar` |
+| `traefik/http/routers/Router1/tls/certResolver` | `foobar` |
+| `traefik/http/routers/Router1/tls/domains/0/main` | `foobar` |
+| `traefik/http/routers/Router1/tls/domains/0/sans/0` | `foobar` |
+| `traefik/http/routers/Router1/tls/domains/0/sans/1` | `foobar` |
+| `traefik/http/routers/Router1/tls/domains/1/main` | `foobar` |
+| `traefik/http/routers/Router1/tls/domains/1/sans/0` | `foobar` |
+| `traefik/http/routers/Router1/tls/domains/1/sans/1` | `foobar` |
+| `traefik/http/routers/Router1/tls/options` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/followRedirects` | `true` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/headers/name0` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/headers/name1` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/hostname` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/interval` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/path` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/port` | `42` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/scheme` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/timeout` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/passHostHeader` | `true` |
+| `traefik/http/services/Service01/loadBalancer/responseForwarding/flushInterval` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/servers/0/url` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/servers/1/url` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/sticky/cookie/httpOnly` | `true` |
+| `traefik/http/services/Service01/loadBalancer/sticky/cookie/name` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/sticky/cookie/secure` | `true` |
+| `traefik/http/services/Service02/mirroring/maxBodySize` | `42` |
+| `traefik/http/services/Service02/mirroring/mirrors/0/name` | `foobar` |
+| `traefik/http/services/Service02/mirroring/mirrors/0/percent` | `42` |
+| `traefik/http/services/Service02/mirroring/mirrors/1/name` | `foobar` |
+| `traefik/http/services/Service02/mirroring/mirrors/1/percent` | `42` |
+| `traefik/http/services/Service02/mirroring/service` | `foobar` |
+| `traefik/http/services/Service03/weighted/services/0/name` | `foobar` |
+| `traefik/http/services/Service03/weighted/services/0/weight` | `42` |
+| `traefik/http/services/Service03/weighted/services/1/name` | `foobar` |
+| `traefik/http/services/Service03/weighted/services/1/weight` | `42` |
+| `traefik/http/services/Service03/weighted/sticky/cookie/httpOnly` | `true` |
+| `traefik/http/services/Service03/weighted/sticky/cookie/name` | `foobar` |
+| `traefik/http/services/Service03/weighted/sticky/cookie/secure` | `true` |
+| `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/rule` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/service` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/certResolver` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/domains/0/main` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/domains/0/sans/0` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/domains/0/sans/1` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/domains/1/main` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/domains/1/sans/0` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/domains/1/sans/1` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/options` | `foobar` |
+| `traefik/tcp/routers/TCPRouter0/tls/passthrough` | `true` |
+| `traefik/tcp/routers/TCPRouter1/entryPoints/0` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/entryPoints/1` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/rule` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/service` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/certResolver` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/domains/0/main` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/domains/0/sans/0` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/domains/0/sans/1` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/domains/1/main` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/0` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/1` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/options` | `foobar` |
+| `traefik/tcp/routers/TCPRouter1/tls/passthrough` | `true` |
+| `traefik/tcp/services/TCPService01/loadBalancer/servers/0/address` | `foobar` |
+| `traefik/tcp/services/TCPService01/loadBalancer/servers/1/address` | `foobar` |
+| `traefik/tcp/services/TCPService01/loadBalancer/terminationDelay` | `42` |
+| `traefik/tcp/services/TCPService02/weighted/services/0/name` | `foobar` |
+| `traefik/tcp/services/TCPService02/weighted/services/0/weight` | `42` |
+| `traefik/tcp/services/TCPService02/weighted/services/1/name` | `foobar` |
+| `traefik/tcp/services/TCPService02/weighted/services/1/weight` | `42` |
+| `traefik/tls/certificates/0/certFile` | `foobar` |
+| `traefik/tls/certificates/0/keyFile` | `foobar` |
+| `traefik/tls/certificates/0/stores/0` | `foobar` |
+| `traefik/tls/certificates/0/stores/1` | `foobar` |
+| `traefik/tls/certificates/1/certFile` | `foobar` |
+| `traefik/tls/certificates/1/keyFile` | `foobar` |
+| `traefik/tls/certificates/1/stores/0` | `foobar` |
+| `traefik/tls/certificates/1/stores/1` | `foobar` |
+| `traefik/tls/options/Options0/cipherSuites/0` | `foobar` |
+| `traefik/tls/options/Options0/cipherSuites/1` | `foobar` |
+| `traefik/tls/options/Options0/clientAuth/caFiles/0` | `foobar` |
+| `traefik/tls/options/Options0/clientAuth/caFiles/1` | `foobar` |
+| `traefik/tls/options/Options0/clientAuth/clientAuthType` | `foobar` |
+| `traefik/tls/options/Options0/curvePreferences/0` | `foobar` |
+| `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
+| `traefik/tls/options/Options0/maxVersion` | `foobar` |
+| `traefik/tls/options/Options0/minVersion` | `foobar` |
+| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
+| `traefik/tls/options/Options0/sniStrict` | `true` |
+| `traefik/tls/options/Options1/cipherSuites/0` | `foobar` |
+| `traefik/tls/options/Options1/cipherSuites/1` | `foobar` |
+| `traefik/tls/options/Options1/clientAuth/caFiles/0` | `foobar` |
+| `traefik/tls/options/Options1/clientAuth/caFiles/1` | `foobar` |
+| `traefik/tls/options/Options1/clientAuth/clientAuthType` | `foobar` |
+| `traefik/tls/options/Options1/curvePreferences/0` | `foobar` |
+| `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
+| `traefik/tls/options/Options1/maxVersion` | `foobar` |
+| `traefik/tls/options/Options1/minVersion` | `foobar` |
+| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
+| `traefik/tls/options/Options1/sniStrict` | `true` |
+| `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
+| `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |
+| `traefik/tls/stores/Store1/defaultCertificate/certFile` | `foobar` |
+| `traefik/tls/stores/Store1/defaultCertificate/keyFile` | `foobar` |
+| `traefik/udp/routers/UDPRouter0/entryPoints/0` | `foobar` |
+| `traefik/udp/routers/UDPRouter0/entryPoints/1` | `foobar` |
+| `traefik/udp/routers/UDPRouter0/service` | `foobar` |
+| `traefik/udp/routers/UDPRouter1/entryPoints/0` | `foobar` |
+| `traefik/udp/routers/UDPRouter1/entryPoints/1` | `foobar` |
+| `traefik/udp/routers/UDPRouter1/service` | `foobar` |
+| `traefik/udp/services/UDPService01/loadBalancer/servers/0/address` | `foobar` |
+| `traefik/udp/services/UDPService01/loadBalancer/servers/1/address` | `foobar` |
+| `traefik/udp/services/UDPService02/weighted/services/0/name` | `foobar` |
+| `traefik/udp/services/UDPService02/weighted/services/0/weight` | `42` |
+| `traefik/udp/services/UDPService02/weighted/services/1/name` | `foobar` |
+| `traefik/udp/services/UDPService02/weighted/services/1/weight` | `42` |

docs/content/reference/dynamic-configuration/kv.md

@@ -0,0 +1,8 @@
+# KV Configuration Reference
+
+Dynamic configuration with KV stores.
+{: .subtitle }
+
+| Key (Path)                                                                                   | Value       |
+|----------------------------------------------------------------------------------------------|-------------|
+--8<-- "content/reference/dynamic-configuration/kv-ref.md"

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -12,100 +12,105 @@
 "traefik.http.middlewares.middleware03.chain.middlewares": "foobar, foobar",
 "traefik.http.middlewares.middleware04.circuitbreaker.expression": "foobar",
 "traefik.http.middlewares.middleware05.compress": "true",
-"traefik.http.middlewares.middleware06.digestauth.headerfield": "foobar",
+"traefik.http.middlewares.middleware05.compress.excludedcontenttypes": "foobar, foobar",
-"traefik.http.middlewares.middleware06.digestauth.realm": "foobar",
+"traefik.http.middlewares.middleware06.contenttype.autodetect": "true",
-"traefik.http.middlewares.middleware06.digestauth.removeheader": "true",
+"traefik.http.middlewares.middleware07.digestauth.headerfield": "foobar",
-"traefik.http.middlewares.middleware06.digestauth.users": "foobar, foobar",
+"traefik.http.middlewares.middleware07.digestauth.realm": "foobar",
-"traefik.http.middlewares.middleware06.digestauth.usersfile": "foobar",
+"traefik.http.middlewares.middleware07.digestauth.removeheader": "true",
-"traefik.http.middlewares.middleware07.errors.query": "foobar",
+"traefik.http.middlewares.middleware07.digestauth.users": "foobar, foobar",
-"traefik.http.middlewares.middleware07.errors.service": "foobar",
+"traefik.http.middlewares.middleware07.digestauth.usersfile": "foobar",
-"traefik.http.middlewares.middleware07.errors.status": "foobar, foobar",
+"traefik.http.middlewares.middleware08.errors.query": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.address": "foobar",
+"traefik.http.middlewares.middleware08.errors.service": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.authresponseheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware08.errors.status": "foobar, foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.ca": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.address": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.caoptional": "true",
+"traefik.http.middlewares.middleware09.forwardauth.authresponseheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.cert": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.tls.ca": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify": "true",
+"traefik.http.middlewares.middleware09.forwardauth.tls.caoptional": "true",
-"traefik.http.middlewares.middleware08.forwardauth.tls.key": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.tls.cert": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.trustforwardheader": "true",
+"traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify": "true",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials": "true",
+"traefik.http.middlewares.middleware09.forwardauth.tls.key": "foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware09.forwardauth.trustforwardheader": "true",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowcredentials": "true",
-"traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin": "foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolmaxage": "42",
+"traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin": "foobar",
-"traefik.http.middlewares.middleware09.headers.addvaryheader": "true",
+"traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.allowedhosts": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.browserxssfilter": "true",
+"traefik.http.middlewares.middleware10.headers.accesscontrolmaxage": "42",
-"traefik.http.middlewares.middleware09.headers.contentsecuritypolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.addvaryheader": "true",
-"traefik.http.middlewares.middleware09.headers.contenttypenosniff": "true",
+"traefik.http.middlewares.middleware10.headers.allowedhosts": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.custombrowserxssvalue": "foobar",
+"traefik.http.middlewares.middleware10.headers.browserxssfilter": "true",
-"traefik.http.middlewares.middleware09.headers.customframeoptionsvalue": "foobar",
+"traefik.http.middlewares.middleware10.headers.contentsecuritypolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.customrequestheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.contenttypenosniff": "true",
-"traefik.http.middlewares.middleware09.headers.customrequestheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.custombrowserxssvalue": "foobar",
-"traefik.http.middlewares.middleware09.headers.customresponseheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.customframeoptionsvalue": "foobar",
-"traefik.http.middlewares.middleware09.headers.customresponseheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.customrequestheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.featurepolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.customrequestheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.forcestsheader": "true",
+"traefik.http.middlewares.middleware10.headers.customresponseheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.framedeny": "true",
+"traefik.http.middlewares.middleware10.headers.customresponseheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.hostsproxyheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.featurepolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.isdevelopment": "true",
+"traefik.http.middlewares.middleware10.headers.forcestsheader": "true",
-"traefik.http.middlewares.middleware09.headers.publickey": "foobar",
+"traefik.http.middlewares.middleware10.headers.framedeny": "true",
-"traefik.http.middlewares.middleware09.headers.referrerpolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.hostsproxyheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.sslforcehost": "true",
+"traefik.http.middlewares.middleware10.headers.isdevelopment": "true",
-"traefik.http.middlewares.middleware09.headers.sslhost": "foobar",
+"traefik.http.middlewares.middleware10.headers.publickey": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.referrerpolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.sslforcehost": "true",
-"traefik.http.middlewares.middleware09.headers.sslredirect": "true",
+"traefik.http.middlewares.middleware10.headers.sslhost": "foobar",
-"traefik.http.middlewares.middleware09.headers.ssltemporaryredirect": "true",
+"traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.stsincludesubdomains": "true",
+"traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.stspreload": "true",
+"traefik.http.middlewares.middleware10.headers.sslredirect": "true",
-"traefik.http.middlewares.middleware09.headers.stsseconds": "42",
+"traefik.http.middlewares.middleware10.headers.ssltemporaryredirect": "true",
-"traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
-"traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.stspreload": "true",
-"traefik.http.middlewares.middleware10.ipwhitelist.sourcerange": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.stsseconds": "42",
-"traefik.http.middlewares.middleware11.inflightreq.amount": "42",
+"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware11.ipwhitelist.sourcerange": "foobar, foobar",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requestheadername": "foobar",
+"traefik.http.middlewares.middleware12.inflightreq.amount": "42",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requesthost": "true",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname": "true",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country": "true",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requestheadername": "foobar",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent": "true",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requesthost": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.commonname": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.country": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.domaincomponent": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.locality": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.organization": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.province": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.sans": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.serialnumber": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.notafter": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.notbefore": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.sans": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.serialnumber": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.commonname": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.country": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.pem": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality": "true",
-"traefik.http.middlewares.middleware13.ratelimit.average": "42",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization": "true",
-"traefik.http.middlewares.middleware13.ratelimit.burst": "42",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province": "true",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber": "true",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware13.passtlsclientcert.pem": "true",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requestheadername": "foobar",
+"traefik.http.middlewares.middleware14.ratelimit.average": "42",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requesthost": "true",
+"traefik.http.middlewares.middleware14.ratelimit.burst": "42",
-"traefik.http.middlewares.middleware14.redirectregex.permanent": "true",
+"traefik.http.middlewares.middleware14.ratelimit.period": "42",
-"traefik.http.middlewares.middleware14.redirectregex.regex": "foobar",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware14.redirectregex.replacement": "foobar",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware15.redirectscheme.permanent": "true",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requestheadername": "foobar",
-"traefik.http.middlewares.middleware15.redirectscheme.port": "foobar",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requesthost": "true",
-"traefik.http.middlewares.middleware15.redirectscheme.scheme": "foobar",
+"traefik.http.middlewares.middleware15.redirectregex.permanent": "true",
-"traefik.http.middlewares.middleware16.replacepath.path": "foobar",
+"traefik.http.middlewares.middleware15.redirectregex.regex": "foobar",
-"traefik.http.middlewares.middleware17.replacepathregex.regex": "foobar",
+"traefik.http.middlewares.middleware15.redirectregex.replacement": "foobar",
-"traefik.http.middlewares.middleware17.replacepathregex.replacement": "foobar",
+"traefik.http.middlewares.middleware16.redirectscheme.permanent": "true",
-"traefik.http.middlewares.middleware18.retry.attempts": "42",
+"traefik.http.middlewares.middleware16.redirectscheme.port": "foobar",
-"traefik.http.middlewares.middleware19.stripprefix.forceslash": "true",
+"traefik.http.middlewares.middleware16.redirectscheme.scheme": "foobar",
-"traefik.http.middlewares.middleware19.stripprefix.prefixes": "foobar, foobar",
+"traefik.http.middlewares.middleware17.replacepath.path": "foobar",
-"traefik.http.middlewares.middleware20.stripprefixregex.regex": "foobar, foobar",
+"traefik.http.middlewares.middleware18.replacepathregex.regex": "foobar",
+"traefik.http.middlewares.middleware18.replacepathregex.replacement": "foobar",
+"traefik.http.middlewares.middleware19.retry.attempts": "42",
+"traefik.http.middlewares.middleware20.stripprefix.forceslash": "true",
+"traefik.http.middlewares.middleware20.stripprefix.prefixes": "foobar, foobar",
+"traefik.http.middlewares.middleware21.stripprefixregex.regex": "foobar, foobar",
 "traefik.http.routers.router0.entrypoints": "foobar, foobar",
 "traefik.http.routers.router0.middlewares": "foobar, foobar",
 "traefik.http.routers.router0.priority": "42",
@@ -128,6 +133,7 @@
 "traefik.http.routers.router1.tls.domains[1].main": "foobar",
 "traefik.http.routers.router1.tls.domains[1].sans": "foobar, foobar",
 "traefik.http.routers.router1.tls.options": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.followredirects": "true",
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.hostname": "foobar",
@@ -136,6 +142,7 @@
 "traefik.http.services.service01.loadbalancer.healthcheck.port": "42",
 "traefik.http.services.service01.loadbalancer.healthcheck.scheme": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.timeout": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.followredirects": "true",
 "traefik.http.services.service01.loadbalancer.passhostheader": "true",
 "traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval": "foobar",
 "traefik.http.services.service01.loadbalancer.sticky.cookie.httponly": "true",
@@ -165,3 +172,8 @@
 "traefik.tcp.routers.tcprouter1.tls.passthrough": "true",
 "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay": "42",
 "traefik.tcp.services.tcpservice01.loadbalancer.server.port": "foobar",
+"traefik.udp.routers.udprouter0.entrypoints": "foobar, foobar",
+"traefik.udp.routers.udprouter0.service": "foobar",
+"traefik.udp.routers.udprouter1.entrypoints": "foobar, foobar",
+"traefik.udp.routers.udprouter1.service": "foobar",
+"traefik.udp.services.udpservice01.loadbalancer.server.port": "foobar",

docs/content/reference/static-configuration/cli-ref.md

@@ -99,6 +99,42 @@ Trust all forwarded headers. (Default: ```false```)
 `--entrypoints.<name>.forwardedheaders.trustedips`:  
 Trust only forwarded headers from selected IPs.
 
+`--entrypoints.<name>.http`:  
+HTTP configuration.
+
+`--entrypoints.<name>.http.middlewares`:  
+Default middlewares for the routers linked to the entry point.
+
+`--entrypoints.<name>.http.redirections.entrypoint.permanent`:  
+Applied a permanent redirection. Defaults to true. (Default: ```true```)
+
+`--entrypoints.<name>.http.redirections.entrypoint.priority`:  
+Priority of the generated router. Defaults to 1. (Default: ```1```)
+
+`--entrypoints.<name>.http.redirections.entrypoint.scheme`:  
+Scheme used for the redirection. Defaults to https. (Default: ```https```)
+
+`--entrypoints.<name>.http.redirections.entrypoint.to`:  
+Targeted entry point of the redirection.
+
+`--entrypoints.<name>.http.tls`:  
+Default TLS configuration for the routers linked to the entry point. (Default: ```false```)
+
+`--entrypoints.<name>.http.tls.certresolver`:  
+Default certificate resolver for the routers linked to the entry point.
+
+`--entrypoints.<name>.http.tls.domains`:  
+Default TLS domains for the routers linked to the entry point.
+
+`--entrypoints.<name>.http.tls.domains[n].main`:  
+Default subject name.
+
+`--entrypoints.<name>.http.tls.domains[n].sans`:  
+Subject alternative names.
+
+`--entrypoints.<name>.http.tls.options`:  
+Default TLS options for the routers linked to the entry point.
+
 `--entrypoints.<name>.proxyprotocol`:  
 Proxy-Protocol configuration. (Default: ```false```)
 
@@ -243,6 +279,36 @@ EntryPoint (Default: ```traefik```)
 `--ping.manualrouting`:  
 Manual routing (Default: ```false```)
 
+`--providers.consul`:  
+Enable Consul backend with default settings. (Default: ```false```)
+
+`--providers.consul.endpoints`:  
+KV store endpoints (Default: ```127.0.0.1:8500```)
+
+`--providers.consul.password`:  
+KV Password
+
+`--providers.consul.rootkey`:  
+Root key used for KV store (Default: ```traefik```)
+
+`--providers.consul.tls.ca`:  
+TLS CA
+
+`--providers.consul.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.consul.tls.cert`:  
+TLS cert
+
+`--providers.consul.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.consul.tls.key`:  
+TLS key
+
+`--providers.consul.username`:  
+KV Username
+
 `--providers.consulcatalog.cache`:  
 Use local agent caching for catalog reads. (Default: ```false```)
 
@@ -346,7 +412,37 @@ TLS key
 Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
 
 `--providers.docker.watch`:  
-Watch provider. (Default: ```true```)
+Watch Docker Swarm events. (Default: ```true```)
+
+`--providers.etcd`:  
+Enable Etcd backend with default settings. (Default: ```false```)
+
+`--providers.etcd.endpoints`:  
+KV store endpoints (Default: ```127.0.0.1:2379```)
+
+`--providers.etcd.password`:  
+KV Password
+
+`--providers.etcd.rootkey`:  
+Root key used for KV store (Default: ```traefik```)
+
+`--providers.etcd.tls.ca`:  
+TLS CA
+
+`--providers.etcd.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.etcd.tls.cert`:  
+TLS cert
+
+`--providers.etcd.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.etcd.tls.key`:  
+TLS key
+
+`--providers.etcd.username`:  
+KV Username
 
 `--providers.file.debugloggeneratedtemplate`:  
 Enable debug logging of generated configuration template. (Default: ```false```)
@@ -516,12 +612,72 @@ Defines the polling interval in seconds. (Default: ```15```)
 `--providers.rancher.watch`:  
 Watch provider. (Default: ```true```)
 
+`--providers.redis`:  
+Enable Redis backend with default settings. (Default: ```false```)
+
+`--providers.redis.endpoints`:  
+KV store endpoints (Default: ```127.0.0.1:6379```)
+
+`--providers.redis.password`:  
+KV Password
+
+`--providers.redis.rootkey`:  
+Root key used for KV store (Default: ```traefik```)
+
+`--providers.redis.tls.ca`:  
+TLS CA
+
+`--providers.redis.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.redis.tls.cert`:  
+TLS cert
+
+`--providers.redis.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.redis.tls.key`:  
+TLS key
+
+`--providers.redis.username`:  
+KV Username
+
 `--providers.rest`:  
 Enable Rest backend with default settings. (Default: ```false```)
 
 `--providers.rest.insecure`:  
 Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)
 
+`--providers.zookeeper`:  
+Enable ZooKeeper backend with default settings. (Default: ```false```)
+
+`--providers.zookeeper.endpoints`:  
+KV store endpoints (Default: ```127.0.0.1:2181```)
+
+`--providers.zookeeper.password`:  
+KV Password
+
+`--providers.zookeeper.rootkey`:  
+Root key used for KV store (Default: ```traefik```)
+
+`--providers.zookeeper.tls.ca`:  
+TLS CA
+
+`--providers.zookeeper.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.zookeeper.tls.cert`:  
+TLS cert
+
+`--providers.zookeeper.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.zookeeper.tls.key`:  
+TLS key
+
+`--providers.zookeeper.username`:  
+KV Username
+
 `--serverstransport.forwardingtimeouts.dialtimeout`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
 
@@ -570,6 +726,18 @@ Specifies the header name that will be used to store the sampling priority.
 `--tracing.datadog.traceidheadername`:  
 Specifies the header name that will be used to store the trace ID.
 
+`--tracing.elastic`:  
+Settings for Elastic. (Default: ```false```)
+
+`--tracing.elastic.secrettoken`:  
+Set the token used to connect to Elastic APM Server.
+
+`--tracing.elastic.serverurl`:  
+Set the URL of the Elastic APM server.
+
+`--tracing.elastic.serviceenvironment`:  
+Set the name of the environment Traefik is deployed in, e.g. 'production' or 'staging'.
+
 `--tracing.haystack`:  
 Settings for Haystack. (Default: ```false```)
 
@@ -580,7 +748,7 @@ Specifies the header name prefix that will be used to store baggage items in a m
 Key:Value tag to be set on all the spans.
 
 `--tracing.haystack.localagenthost`:  
-Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+Set haystack-agent's host that the reporter will used. (Default: ```127.0.0.1```)
 
 `--tracing.haystack.localagentport`:  
 Set haystack-agent's port that the reporter will used. (Default: ```35000```)

docs/content/reference/static-configuration/env-ref.md

@@ -99,6 +99,42 @@ Trust all forwarded headers. (Default: ```false```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_TRUSTEDIPS`:  
 Trust only forwarded headers from selected IPs.
 
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP`:  
+HTTP configuration.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_MIDDLEWARES`:  
+Default middlewares for the routers linked to the entry point.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_REDIRECTIONS_ENTRYPOINT_PERMANENT`:  
+Applied a permanent redirection. Defaults to true. (Default: ```true```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_REDIRECTIONS_ENTRYPOINT_PRIORITY`:  
+Priority of the generated router. Defaults to 1. (Default: ```1```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME`:  
+Scheme used for the redirection. Defaults to https. (Default: ```https```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_REDIRECTIONS_ENTRYPOINT_TO`:  
+Targeted entry point of the redirection.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_TLS`:  
+Default TLS configuration for the routers linked to the entry point. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_TLS_CERTRESOLVER`:  
+Default certificate resolver for the routers linked to the entry point.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_TLS_DOMAINS`:  
+Default TLS domains for the routers linked to the entry point.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_TLS_DOMAINS[n]_MAIN`:  
+Default subject name.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_TLS_DOMAINS[n]_SANS`:  
+Subject alternative names.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_TLS_OPTIONS`:  
+Default TLS options for the routers linked to the entry point.
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL`:  
 Proxy-Protocol configuration. (Default: ```false```)
 
@@ -243,6 +279,9 @@ EntryPoint (Default: ```traefik```)
 `TRAEFIK_PING_MANUALROUTING`:  
 Manual routing (Default: ```false```)
 
+`TRAEFIK_PROVIDERS_CONSUL`:  
+Enable Consul backend with default settings. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_CONSULCATALOG_CACHE`:  
 Use local agent caching for catalog reads. (Default: ```false```)
 
@@ -303,6 +342,33 @@ Forces the read to be fully consistent. (Default: ```false```)
 `TRAEFIK_PROVIDERS_CONSULCATALOG_STALE`:  
 Use stale consistency for catalog reads. (Default: ```false```)
 
+`TRAEFIK_PROVIDERS_CONSUL_ENDPOINTS`:  
+KV store endpoints (Default: ```127.0.0.1:8500```)
+
+`TRAEFIK_PROVIDERS_CONSUL_PASSWORD`:  
+KV Password
+
+`TRAEFIK_PROVIDERS_CONSUL_ROOTKEY`:  
+Root key used for KV store (Default: ```traefik```)
+
+`TRAEFIK_PROVIDERS_CONSUL_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_CONSUL_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSUL_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_CONSUL_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSUL_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_CONSUL_USERNAME`:  
+KV Username
+
 `TRAEFIK_PROVIDERS_DOCKER`:  
 Enable Docker backend with default settings. (Default: ```false```)
 
@@ -346,7 +412,37 @@ TLS key
 Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
 
 `TRAEFIK_PROVIDERS_DOCKER_WATCH`:  
-Watch provider. (Default: ```true```)
+Watch Docker Swarm events. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_ETCD`:  
+Enable Etcd backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_ETCD_ENDPOINTS`:  
+KV store endpoints (Default: ```127.0.0.1:2379```)
+
+`TRAEFIK_PROVIDERS_ETCD_PASSWORD`:  
+KV Password
+
+`TRAEFIK_PROVIDERS_ETCD_ROOTKEY`:  
+Root key used for KV store (Default: ```traefik```)
+
+`TRAEFIK_PROVIDERS_ETCD_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_ETCD_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_ETCD_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_ETCD_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_ETCD_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_ETCD_USERNAME`:  
+KV Username
 
 `TRAEFIK_PROVIDERS_FILE_DEBUGLOGGENERATEDTEMPLATE`:  
 Enable debug logging of generated configuration template. (Default: ```false```)
@@ -516,12 +612,72 @@ Defines the polling interval in seconds. (Default: ```15```)
 `TRAEFIK_PROVIDERS_RANCHER_WATCH`:  
 Watch provider. (Default: ```true```)
 
+`TRAEFIK_PROVIDERS_REDIS`:  
+Enable Redis backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_REDIS_ENDPOINTS`:  
+KV store endpoints (Default: ```127.0.0.1:6379```)
+
+`TRAEFIK_PROVIDERS_REDIS_PASSWORD`:  
+KV Password
+
+`TRAEFIK_PROVIDERS_REDIS_ROOTKEY`:  
+Root key used for KV store (Default: ```traefik```)
+
+`TRAEFIK_PROVIDERS_REDIS_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_REDIS_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_REDIS_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_REDIS_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_REDIS_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_REDIS_USERNAME`:  
+KV Username
+
 `TRAEFIK_PROVIDERS_REST`:  
 Enable Rest backend with default settings. (Default: ```false```)
 
 `TRAEFIK_PROVIDERS_REST_INSECURE`:  
 Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)
 
+`TRAEFIK_PROVIDERS_ZOOKEEPER`:  
+Enable ZooKeeper backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_ENDPOINTS`:  
+KV store endpoints (Default: ```127.0.0.1:2181```)
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_PASSWORD`:  
+KV Password
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_ROOTKEY`:  
+Root key used for KV store (Default: ```traefik```)
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_ZOOKEEPER_USERNAME`:  
+KV Username
+
 `TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
 
@@ -570,6 +726,18 @@ Specifies the header name that will be used to store the sampling priority.
 `TRAEFIK_TRACING_DATADOG_TRACEIDHEADERNAME`:  
 Specifies the header name that will be used to store the trace ID.
 
+`TRAEFIK_TRACING_ELASTIC`:  
+Settings for Elastic. (Default: ```false```)
+
+`TRAEFIK_TRACING_ELASTIC_SECRETTOKEN`:  
+Set the token used to connect to Elastic APM Server.
+
+`TRAEFIK_TRACING_ELASTIC_SERVERURL`:  
+Set the URL of the Elastic APM server.
+
+`TRAEFIK_TRACING_ELASTIC_SERVICEENVIRONMENT`:  
+Set the name of the environment Traefik is deployed in, e.g. 'production' or 'staging'.
+
 `TRAEFIK_TRACING_HAYSTACK`:  
 Settings for Haystack. (Default: ```false```)
 
@@ -580,7 +748,7 @@ Specifies the header name prefix that will be used to store baggage items in a m
 Key:Value tag to be set on all the spans.
 
 `TRAEFIK_TRACING_HAYSTACK_LOCALAGENTHOST`:  
-Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+Set haystack-agent's host that the reporter will used. (Default: ```127.0.0.1```)
 
 `TRAEFIK_TRACING_HAYSTACK_LOCALAGENTPORT`:  
 Set haystack-agent's port that the reporter will used. (Default: ```35000```)

docs/content/reference/static-configuration/file.toml

@@ -28,6 +28,25 @@
     [entryPoints.EntryPoint0.forwardedHeaders]
       insecure = true
       trustedIPs = ["foobar", "foobar"]
+    [entryPoints.EntryPoint0.http]
+      middlewares = ["foobar", "foobar"]
+      [entryPoints.EntryPoint0.http.redirections]
+        [entryPoints.EntryPoint0.http.redirections.entryPoint]
+          to = "foobar"
+          scheme = "foobar"
+          permanent = true
+          priority = 42
+      [entryPoints.EntryPoint0.http.tls]
+        options = "foobar"
+        certResolver = "foobar"
+
+        [[entryPoints.EntryPoint0.http.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
+
+        [[entryPoints.EntryPoint0.http.tls.domains]]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
 
 [providers]
   providersThrottleDuration = 42
@@ -96,7 +115,7 @@
     namespaces = ["foobar", "foobar"]
     labelSelector = "foobar"
     ingressClass = "foobar"
-    throttleDuration = "10s"
+    throttleDuration = 42
   [providers.rest]
     insecure = true
   [providers.rancher]
@@ -110,20 +129,67 @@
     prefix = "foobar"
   [providers.consulCatalog]
     constraints = "foobar"
-    prefix = "traefik"
+    prefix = "foobar"
-    defaultRule = "foobar"
+    refreshInterval = 42
-    exposedByDefault = true
-    refreshInterval = 15
     requireConsistent = true
     stale = true
     cache = true
+    exposedByDefault = true
+    defaultRule = "foobar"
     [providers.consulCatalog.endpoint]
-     address = "foobar"
+      address = "foobar"
-     scheme = "foobar"
+      scheme = "foobar"
-     datacenter = "foobar"
+      datacenter = "foobar"
-     token = "foobar"
+      token = "foobar"
-     endpointWaitTime = "15s"
+      endpointWaitTime = 42
-     [providers.consulCatalog.endpoint.tls]
+      [providers.consulCatalog.endpoint.tls]
+        ca = "foobar"
+        caOptional = true
+        cert = "foobar"
+        key = "foobar"
+        insecureSkipVerify = true
+      [providers.consulCatalog.endpoint.httpAuth]
+        username = "foobar"
+        password = "foobar"
+  [providers.consul]
+    rootKey = "traefik"
+    endpoints = ["foobar", "foobar"]
+    username = "foobar"
+    password = "foobar"
+    [providers.consul.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      key = "foobar"
+      insecureSkipVerify = true
+  [providers.etcd]
+    rootKey = "traefik"
+    endpoints = ["foobar", "foobar"]
+    username = "foobar"
+    password = "foobar"
+    [providers.etcd.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      key = "foobar"
+      insecureSkipVerify = true
+  [providers.zooKeeper]
+    rootKey = "traefik"
+    endpoints = ["foobar", "foobar"]
+    username = "foobar"
+    password = "foobar"
+    [providers.zooKeeper.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      key = "foobar"
+      insecureSkipVerify = true
+  [providers.redis]
+    rootKey = "traefik"
+    endpoints = ["foobar", "foobar"]
+    username = "foobar"
+    password = "foobar"
+    [providers.redis.tls]
       ca = "foobar"
       caOptional = true
       cert = "foobar"
@@ -144,19 +210,19 @@
     manualRouting = true
   [metrics.datadog]
     address = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     addEntryPointsLabels = true
     addServicesLabels = true
   [metrics.statsD]
     address = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     addEntryPointsLabels = true
     addServicesLabels = true
-    prefix = "traefik"
+    prefix = "foobar"
   [metrics.influxDB]
     address = "foobar"
     protocol = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     database = "foobar"
     retentionPolicy = "foobar"
     username = "foobar"
@@ -233,6 +299,10 @@
     parentIDHeaderName = "foobar"
     spanIDHeaderName = "foobar"
     baggagePrefixHeaderName = "foobar"
+  [tracing.elastic]
+    serverURL = "foobar"
+    secretToken = "foobar"
+    serviceEnvironment = "foobar"
 
 [hostResolver]
   cnameFlattening = true

docs/content/reference/static-configuration/file.yaml

@@ -32,6 +32,28 @@ entryPoints:
       trustedIPs:
       - foobar
       - foobar
+    http:
+      redirections:
+        entryPoint:
+          to: foobar
+          scheme: foobar
+          permanent: true
+          priority: 42
+      middlewares:
+      - foobar
+      - foobar
+      tls:
+        options: foobar
+        certResolver: foobar
+        domains:
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
+        - main: foobar
+          sans:
+          - foobar
+          - foobar
 providers:
   providersThrottleDuration: 42
   docker:
@@ -88,7 +110,7 @@ providers:
     - foobar
     labelSelector: foobar
     ingressClass: foobar
-    throttleDuration: 10s
+    throttleDuration: 42s
     ingressEndpoint:
       ip: foobar
       hostname: foobar
@@ -117,25 +139,80 @@ providers:
     prefix: foobar
   consulCatalog:
     constraints: foobar
-    prefix: traefik
+    prefix: foobar
-    defaultRule: foobar
+    refreshInterval: 42s
-    exposedByDefault: true
-    refreshInterval: 15
     requireConsistent: true
     stale: true
     cache: true
+    exposedByDefault: true
+    defaultRule: foobar
     endpoint:
       address: foobar
       scheme: foobar
       datacenter: foobar
       token: foobar
-      endpointWaitTime: 15s
+      endpointWaitTime: 42s
       tls:
         ca: foobar
         caOptional: true
         cert: foobar
         key: foobar
         insecureSkipVerify: true
+      httpAuth:
+        username: foobar
+        password: foobar
+  consul:
+    rootKey: traefik
+    endpoints:
+    - foobar
+    - foobar
+    username: foobar
+    password: foobar
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      key: foobar
+      insecureSkipVerify: true
+  etcd:
+    rootKey: traefik
+    endpoints:
+    - foobar
+    - foobar
+    username: foobar
+    password: foobar
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      key: foobar
+      insecureSkipVerify: true
+  zooKeeper:
+    rootKey: traefik
+    endpoints:
+      - foobar
+      - foobar
+    username: foobar
+    password: foobar
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      key: foobar
+      insecureSkipVerify: true
+  redis:
+    rootKey: traefik
+    endpoints:
+      - foobar
+      - foobar
+    username: foobar
+    password: foobar
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      key: foobar
+      insecureSkipVerify: true
 api:
   insecure: true
   dashboard: true
@@ -159,7 +236,7 @@ metrics:
     pushInterval: 42
     addEntryPointsLabels: true
     addServicesLabels: true
-    prefix: traefik
+    prefix: foobar
   influxDB:
     address: foobar
     protocol: foobar
@@ -238,6 +315,10 @@ tracing:
     parentIDHeaderName: foobar
     spanIDHeaderName: foobar
     baggagePrefixHeaderName: foobar
+  elastic:
+    serverURL: foobar
+    secretToken: foobar
+    serviceEnvironment: foobar
 hostResolver:
   cnameFlattening: true
   resolvConfig: foobar

docs/content/routing/entrypoints.md

@@ -6,7 +6,8 @@ Opening Connections for Incoming Requests
 ![entryPoints](../assets/img/entrypoints.png)
 
 EntryPoints are the network entry points into Traefik.
-They define the port which will receive the requests (whether HTTP or TCP).
+They define the port which will receive the packets,
+and whether to listen for TCP or UDP.
 
 ## Configuration Examples
 
@@ -41,7 +42,7 @@ They define the port which will receive the requests (whether HTTP or TCP).
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     ```
     
@@ -51,18 +52,39 @@ They define the port which will receive the requests (whether HTTP or TCP).
       web:
         address: ":80"
      
-      web-secure:
+      websecure:
         address: ":443"
     ```
     
     ```bash tab="CLI"
     ## Static configuration
     --entryPoints.web.address=:80
-    --entryPoints.web-secure.address=:443
+    --entryPoints.websecure.address=:443
     ```
 
-    - Two entrypoints are defined: one called `web`, and the other called `web-secure`.
+    - Two entrypoints are defined: one called `web`, and the other called `websecure`.
-    - `web` listens on port `80`, and `web-secure` on port `443`. 
+    - `web` listens on port `80`, and `websecure` on port `443`. 
+
+??? example "UDP on port 1704"
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.streaming]
+        address = ":1704/udp"
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      streaming:
+        address: ":1704/udp"
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.streaming.address=:1704/udp
+    ```
 
 ## Configuration
 
@@ -77,7 +99,7 @@ You can define them using a toml file, CLI arguments, or a key-value store.
     ## Static configuration
     [entryPoints]
       [entryPoints.name]
-        address = ":8888"
+        address = ":8888" # same as ":8888/tcp"
         [entryPoints.name.transport]
           [entryPoints.name.transport.lifeCycle]
             requestAcceptGraceTimeout = 42
@@ -98,7 +120,7 @@ You can define them using a toml file, CLI arguments, or a key-value store.
     ## Static configuration
     entryPoints:
       name:
-        address: ":8888"
+        address: ":8888" # same as ":8888/tcp"
         transport:
           lifeCycle:
             requestAcceptGraceTimeout: 42
@@ -121,7 +143,7 @@ You can define them using a toml file, CLI arguments, or a key-value store.
     
     ```bash tab="CLI"
     ## Static configuration
-    --entryPoints.name.address=:8888
+    --entryPoints.name.address=:8888 # same as :8888/tcp
     --entryPoints.name.transport.lifeCycle.requestAcceptGraceTimeout=42
     --entryPoints.name.transport.lifeCycle.graceTimeOut=42
     --entryPoints.name.transport.respondingTimeouts.readTimeout=42
@@ -133,7 +155,46 @@ You can define them using a toml file, CLI arguments, or a key-value store.
     --entryPoints.name.forwardedHeaders.trustedIPs=127.0.0.1,192.168.0.1
     ```
 
-### Forwarded Header
+### Address
+
+The address defines the port, and optionally the hostname, on which to listen for incoming connections and packets.
+It also defines the protocol to use (TCP or UDP).
+If no protocol is specified, the default is TCP.
+The format is:
+
+```bash
+[host]:port[/tcp|/udp]
+```
+
+If both TCP and UDP are wanted for the same port, two entryPoints definitions are needed, such as in the example below.
+
+??? example "Both TCP and UDP on port 3179"
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.tcpep]
+        address = ":3179"
+      [entryPoints.udpep]
+        address = ":3179/udp"
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      tcpep:
+       address: ":3179"
+      udpep:
+       address: ":3179/udp"
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.tcpep.address=:3179
+    --entryPoints.udpep.address=:3179/udp
+    ```
+
+### Forwarded Headers
 
 You can configure Traefik to trust the forwarded headers information (`X-Forwarded-*`).
 
@@ -202,6 +263,7 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
 #### `respondingTimeouts`
 
 `respondingTimeouts` are timeouts for incoming requests to the Traefik instance.
+Setting them has no effect for UDP entryPoints.
 
 ??? info "`transport.respondingTimeouts.readTimeout`"
     
@@ -467,3 +529,274 @@ If the Proxy Protocol header is passed, then the version is determined automatic
 
     When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides.
     Not doing so could introduce a security risk in your system (enabling request forgery).
+
+## HTTP Options
+
+This whole section is dedicated to options, keyed by entry point, that will apply only to HTTP routing.
+
+### Redirection
+
+??? example "HTTPS redirection (80 to 443)"
+    
+    ```toml tab="File (TOML)"
+    [entryPoints.web]
+      address = ":80"
+      
+      [entryPoints.web.http]
+        [entryPoints.web.http.redirections]
+          [entryPoints.web.http.redirections.entryPoint]
+            to = "websecure"
+            scheme = "https"
+    
+    [entryPoints.websecure]
+      address = ":443"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: :80
+        http:
+          redirections:
+            entryPoint:
+              to: websecure
+              scheme: https
+    
+      websecure:
+        address: :443
+    ```
+    
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.web.http.redirections.entryPoint.to=websecure
+    --entrypoints.web.http.redirections.entryPoint.https=true
+    --entrypoints.websecure.address=:443
+    ```
+
+#### `entryPoint`
+
+This section is a convenience to enable (permanent) redirecting of all incoming requests on an entry point (e.g. port `80`) to another entry point (e.g. port `443`) or an explicit port (`:443`).
+
+??? info "`entryPoint.to`"
+    
+    _Required_
+    
+    The target element, it can be:
+    
+      - an entry point name (ex: `websecure`)
+      - a port (`:443`)
+      
+    ```toml tab="File (TOML)"
+    [entryPoints.foo]
+      # ...
+      [entryPoints.foo.http.redirections]
+        [entryPoints.foo.http.redirections.entryPoint]
+          to = "websecure"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      foo:
+        # ...
+        http:
+          redirections:
+            entryPoint:
+              to: websecure
+    ```
+    
+    ```bash tab="CLI"
+    --entrypoints.foo.http.redirections.entryPoint.to=websecure
+    ```
+
+??? info "`entryPoint.scheme`"
+    
+    _Optional, Default="https"_
+    
+    The redirection target scheme.
+
+    ```toml tab="File (TOML)"
+    [entryPoints.foo]
+      # ...
+      [entryPoints.foo.http.redirections]
+        [entryPoints.foo.http.redirections.entryPoint]
+          # ...
+          scheme = "https"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      foo:
+        # ...
+        http:
+          redirections:
+            entryPoint:
+              # ...
+              scheme: https
+    ```
+    
+    ```bash tab="CLI"
+    --entrypoints.foo.http.redirections.entryPoint.scheme=https
+    ```
+
+??? info "`entryPoint.permanent`"
+   
+    _Optional, Default=true_
+    
+    To apply a permanent redirection.
+
+    ```toml tab="File (TOML)"
+    [entryPoints.foo]
+      # ...
+      [entryPoints.foo.http.redirections]
+        [entryPoints.foo.http.redirections.entryPoint]
+          # ...
+          permanent = true
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      foo:
+        # ...
+        http:
+          redirections:
+            entryPoint:
+              # ...
+              permanent: true
+    ```
+    
+    ```bash tab="CLI"
+    --entrypoints.foo.http.redirections.entrypoint.permanent=true
+    ```
+
+??? info "`entryPoint.priority`"
+  
+    _Optional, Default=1_
+    
+    Priority of the generated router.
+
+    ```toml tab="File (TOML)"
+    [entryPoints.foo]
+      # ...
+      [entryPoints.foo.http.redirections]
+        [entryPoints.foo.http.redirections.entryPoint]
+          # ...
+          priority = 10
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      foo:
+        # ...
+        http:
+          redirections:
+            entryPoint:
+              # ...
+              priority: 10
+    ```
+    
+    ```bash tab="CLI"
+    --entrypoints.foo.http.redirections.entrypoint.priority=10
+    ```
+
+### Middlewares
+
+The list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point.
+
+```toml tab="File (TOML)"
+[entryPoints.websecure]
+  address = ":443"
+
+  [entryPoints.websecure.http]
+    middlewares = ["auth@file", "strip@file"]
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  websecure:
+    address: ':443'
+    http:
+      middlewares:
+        - auth@file
+        - strip@file
+```
+
+```bash tab="CLI"
+entrypoints.websecure.address=:443
+entrypoints.websecure.http.middlewares=auth@file,strip@file
+```
+
+### TLS
+
+This section is about the default TLS configuration applied to all routers associated with the named entry point.
+
+If a TLS section (i.e. any of its fields) is user-defined, then the default configuration does not apply at all.
+
+The TLS section is the same as the [TLS section on HTTP routers](./routers/index.md#tls).
+
+```toml tab="File (TOML)"
+[entryPoints.websecure]
+  address = ":443"
+
+    [entryPoints.websecure.http.tls]
+      options = "foobar"
+      certResolver = "leresolver"
+      [[entryPoints.websecure.http.tls.domains]]
+        main = "example.com"
+        sans = ["foo.example.com", "bar.example.com"]
+      [[entryPoints.websecure.http.tls.domains]]
+        main = "test.com"
+        sans = ["foo.test.com", "bar.test.com"]
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  websecure:
+    address: ':443'
+    http:
+      tls:
+        options: foobar
+        certResolver: leresolver
+        domains:
+          - main: example.com
+            sans:
+              - foo.example.com
+              - bar.example.com
+          - main: test.com
+            sans:
+              - foo.test.com
+              - bar.test.com
+```
+
+```bash tab="CLI"
+entrypoints.websecure.address=:443
+entrypoints.websecure.http.tls.options=foobar
+entrypoints.websecure.http.tls.certResolver=leresolver
+entrypoints.websecure.http.tls.domains[0].main=example.com
+entrypoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com
+entrypoints.websecure.http.tls.domains[1].main=test.com
+entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com
+```
+
+??? example "Let's Encrypt"
+    
+    ```toml tab="File (TOML)"
+    [entryPoints.websecure]
+      address = ":443"
+    
+        [entryPoints.websecure.http.tls]
+          certResolver = "leresolver"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      websecure:
+        address: ':443'
+        http:
+          tls:
+            certResolver: leresolver
+    ```
+    
+    ```bash tab="CLI"
+    entrypoints.websecure.address=:443
+    entrypoints.websecure.http.tls.certResolver=leresolver
+    ```

docs/content/routing/overview.md

@@ -66,7 +66,7 @@ Dynamic configuration:
   [http.routers]
      # Define a connection between requests and services
      [http.routers.to-whoami]
-      rule = "Host(`domain`) && PathPrefix(`/whoami/`)"
+      rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"
       # If the rule matches, applies the middleware
       middlewares = ["test-user"]
       # If the rule matches, forward to the whoami service (declared below)
@@ -90,7 +90,7 @@ http:
   routers:
     # Define a connection between requests and services
     to-whoami:
-      rule: "Host(`domain`) && PathPrefix(`/whoami/`)"
+      rule: "Host(`example.com`) && PathPrefix(`/whoami/`)"
        # If the rule matches, applies the middleware
       middlewares:
       - test-user
@@ -122,7 +122,7 @@ http:
     In this example, we've defined routing rules for http requests only.
     Traefik also supports TCP requests. To add [TCP routers](./routers/index.md) and [TCP services](./services/index.md), declare them in a TCP section like in the following.
 
-    ??? example "Adding a TCP route for TLS requests on whoami.traefik.io"
+    ??? example "Adding a TCP route for TLS requests on whoami.example.com"
 
         **Static Configuration**
         
@@ -165,7 +165,7 @@ http:
           [http.routers]
             # Define a connection between requests and services
             [http.routers.to-whoami]
-              rule = "Host(`domain`) && PathPrefix(`/whoami/`)"
+              rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"
               # If the rule matches, applies the middleware
               middlewares = ["test-user"]
               # If the rule matches, forward to the whoami service (declared below)
@@ -185,7 +185,7 @@ http:
         [tcp]
           [tcp.routers]
             [tcp.routers.to-whoami-tcp]
-              rule = "HostSNI(`whoami-tcp.traefik.io`)"
+              rule = "HostSNI(`whoami-tcp.example.com`)"
               service = "whoami-tcp"
               [tcp.routers.to-whoami-tcp.tls]
 
@@ -202,7 +202,7 @@ http:
           routers:
             # Define a connection between requests and services
             to-whoami:
-              rule: Host(`domain`) && PathPrefix(`/whoami/`)
+              rule: Host(`example.com`) && PathPrefix(`/whoami/`)
               # If the rule matches, applies the middleware
               middlewares:
               - test-user
@@ -227,7 +227,7 @@ http:
           routers:
             to-whoami-tcp:
               service: whoami-tcp
-              rule: HostSNI(`whoami-tcp.traefik.io`)
+              rule: HostSNI(`whoami-tcp.example.com`)
 
           services:
             whoami-tcp:

docs/content/routing/providers/consul-catalog.md

@@ -24,14 +24,14 @@ The Service automatically gets a server per instance in this consul Catalog serv
 
 To update the configuration of the Router automatically attached to the service, add tags starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change.
 
-For example, to change the rule, you could add the tag ```traefik.http.routers.my-service.rule=Host(`mydomain.com`)```.
+For example, to change the rule, you could add the tag ```traefik.http.routers.my-service.rule=Host(`example.com`)```.
 
 ??? info "`traefik.http.routers.<router_name>.rule`"
     
     See [rule](../routers/index.md#rule) for more information.
     
     ```yaml
-    traefik.http.routers.myrouter.rule=Host(`mydomain.com`)
+    traefik.http.routers.myrouter.rule=Host(`example.com`)
     ```
 
 ??? info "`traefik.http.routers.<router_name>.entrypoints`"
@@ -79,7 +79,7 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
     See [domains](../routers/index.md#domains) for more information.
     
     ```yaml
-    traefik.http.routers.myrouter.tls.domains[0].main=foobar.com
+    traefik.http.routers.myrouter.tls.domains[0].main=example.org
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.domains[n].sans`"
@@ -87,7 +87,7 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
     See [domains](../routers/index.md#domains) for more information.
     
     ```yaml
-    traefik.http.routers.myrouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com
+    traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.options`"
@@ -150,7 +150,7 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     See [health check](../services/index.md#health-check) for more information.
     
     ```yaml
-    traefik.http.services.myservice.loadbalancer.healthcheck.hostname=foobar.com
+    traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org
     ```
 
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.interval`"
@@ -193,6 +193,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky`"
     
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -263,7 +271,7 @@ You can declare TCP Routers and/or Services using tags.
 ??? example "Declaring TCP Routers and Services"
 
     ```yaml
-    traefik.tcp.routers.my-router.rule=HostSNI(`my-host.com`)
+    traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)
     traefik.tcp.routers.my-router.tls=true
     traefik.tcp.services.my-service.loadbalancer.server.port=4123
     ```
@@ -288,7 +296,7 @@ You can declare TCP Routers and/or Services using tags.
     See [rule](../routers/index.md#rule_1) for more information.
     
     ```yaml
-    traefik.tcp.routers.mytcprouter.rule=HostSNI(`myhost.com`)
+    traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.service`"
@@ -320,7 +328,7 @@ You can declare TCP Routers and/or Services using tags.
     See [domains](../routers/index.md#domains_1) for more information.
     
     ```yaml
-    traefik.tcp.routers.mytcprouter.tls.domains[0].main=foobar.com
+    traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].sans`"
@@ -328,7 +336,7 @@ You can declare TCP Routers and/or Services using tags.
     See [domains](../routers/index.md#domains_1) for more information.
     
     ```yaml
-    traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com
+    traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.tls.options`"
@@ -365,6 +373,50 @@ You can declare TCP Routers and/or Services using tags.
     traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100
     ```
 
+### UDP
+
+You can declare UDP Routers and/or Services using tags.
+
+??? example "Declaring UDP Routers and Services"
+
+    ```yaml
+    traefik.udp.routers.my-router.entrypoints=udp
+    traefik.udp.services.my-service.loadbalancer.server.port=4123
+    ```
+
+!!! warning "UDP and HTTP"
+
+    If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined).
+    You can declare both a UDP Router/Service and an HTTP Router/Service for the same consul service (but you have to do so manually).
+
+#### UDP Routers
+
+??? info "`traefik.udp.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints_2) for more information.
+    
+    ```yaml
+    traefik.udp.routers.myudprouter.entrypoints=ep1,ep2
+    ```
+
+??? info "`traefik.udp.routers.<router_name>.service`"
+    
+    See [service](../routers/index.md#services_1) for more information.
+    
+    ```yaml
+    traefik.udp.routers.myudprouter.service=myservice
+    ```
+
+#### UDP Services
+
+??? info "`traefik.udp.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port of the application.
+    
+    ```yaml
+    traefik.udp.services.myudpservice.loadbalancer.server.port=423
+    ```
+
 ### Specific Provider Options
 
 #### `traefik.enable`

docs/content/routing/providers/crd_ingress_route.yml

@@ -1,28 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: ingressroutes.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: IngressRoute
-    plural: ingressroutes
-    singular: ingressroute
-  scope: Namespaced
-
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: ingressroutetcps.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: IngressRouteTCP
-    plural: ingressroutetcps
-    singular: ingressroutetcp
-  scope: Namespaced

docs/content/routing/providers/crd_middlewares.yml

@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: middlewares.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: Middleware
-    plural: middlewares
-    singular: middleware
-  scope: Namespaced

docs/content/routing/providers/crd_tls_option.yml

@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: tlsoptions.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TLSOption
-    plural: tlsoptions
-    singular: tlsoption
-  scope: Namespaced

docs/content/routing/providers/crd_traefikservice.yml

@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: traefikservices.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TraefikService
-    plural: traefikservices
-    singular: traefikservice
-  scope: Namespaced

docs/content/routing/providers/docker.md

@@ -34,12 +34,12 @@ Attach labels to your containers and let Traefik do the rest!
       my-container:
         # ...
         labels:
-          - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+          - traefik.http.routers.my-container.rule=Host(`example.com`)
     ```
 
 ??? example "Specify a Custom Port for the Container"
 
-    Forward requests for `http://mydomain.com` to `http://<private IP of container>:12345`:
+    Forward requests for `http://example.com` to `http://<private IP of container>:12345`:
 
     ```yaml
     version: "3"
@@ -47,7 +47,7 @@ Attach labels to your containers and let Traefik do the rest!
       my-container:
         # ...
         labels:
-          - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+          - traefik.http.routers.my-container.rule=Host(`example.com`)
           # Tell Traefik to use the port 12345 to connect to `my-container`
           - traefik.http.services.my-service.loadbalancer.server.port=12345
     ```
@@ -94,7 +94,7 @@ Attach labels to your containers and let Traefik do the rest!
       my-container:
         deploy:
           labels:
-            - traefik.http.routers.my-container.rule=Host(`mydomain.com`)
+            - traefik.http.routers.my-container.rule=Host(`example.com`)
             - traefik.http.services.my-container-service.loadbalancer.server.port=8080
     ```
 
@@ -127,7 +127,7 @@ and the router automatically gets a rule defined by `defaultRule` (if no rule fo
 
     ```yaml
     labels:
-      - "traefik.http.routers.myproxy.rule=Host(`foo.com`)"
+      - "traefik.http.routers.myproxy.rule=Host(`example.net`)"
       # service myservice gets automatically assigned to router myproxy
       - "traefik.http.services.myservice.loadbalancer.server.port=80"
     ```
@@ -140,7 +140,7 @@ and the router automatically gets a rule defined by `defaultRule` (if no rule fo
     labels:
       # no service specified or defined and yet one gets automatically created
       # and assigned to router myproxy.
-      - "traefik.http.routers.myproxy.rule=Host(`foo.com`)"
+      - "traefik.http.routers.myproxy.rule=Host(`example.net`)"
     ```
 
 ### Routers
@@ -148,7 +148,7 @@ and the router automatically gets a rule defined by `defaultRule` (if no rule fo
 To update the configuration of the Router automatically attached to the container,
 add labels starting with `traefik.http.routers.<name-of-your-choice>.` and followed by the option you want to change.
 
-For example, to change the rule, you could add the label ```traefik.http.routers.my-container.rule=Host(`mydomain.com`)```.
+For example, to change the rule, you could add the label ```traefik.http.routers.my-container.rule=Host(`example.com`)```.
 
 !!! warning "The character `@` is not authorized in the router name `<router_name>`."
 
@@ -157,7 +157,7 @@ For example, to change the rule, you could add the label ```traefik.http.routers
     See [rule](../routers/index.md#rule) for more information.
 
     ```yaml
-    - "traefik.http.routers.myrouter.rule=Host(`mydomain.com`)"
+    - "traefik.http.routers.myrouter.rule=Host(`example.com`)"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.entrypoints`"
@@ -178,7 +178,7 @@ For example, to change the rule, you could add the label ```traefik.http.routers
 
 ??? info "`traefik.http.routers.<router_name>.service`"
 
-    See [rule](../routers/index.md#service) for more information.
+    See [service](../routers/index.md#service) for more information.
 
     ```yaml
     - "traefik.http.routers.myrouter.service=myservice"
@@ -205,7 +205,7 @@ For example, to change the rule, you could add the label ```traefik.http.routers
     See [domains](../routers/index.md#domains) for more information.
 
     ```yaml
-    - "traefik.http.routers.myrouter.tls.domains[0].main=foobar.com"
+    - "traefik.http.routers.myrouter.tls.domains[0].main=example.org"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.domains[n].sans`"
@@ -213,7 +213,7 @@ For example, to change the rule, you could add the label ```traefik.http.routers
     See [domains](../routers/index.md#domains) for more information.
 
     ```yaml
-    - "traefik.http.routers.myrouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com"
+    - "traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.options`"
@@ -283,7 +283,7 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     See [health check](../services/index.md#health-check) for more information.
 
     ```yaml
-    - "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=foobar.com"
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org"
     ```
 
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.interval`"
@@ -326,6 +326,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky`"
 
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -406,7 +414,7 @@ You can declare TCP Routers and/or Services using labels.
          my-container:
            # ...
            labels:
-             - "traefik.tcp.routers.my-router.rule=HostSNI(`my-host.com`)"
+             - "traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)"
              - "traefik.tcp.routers.my-router.tls=true"
              - "traefik.tcp.services.my-service.loadbalancer.server.port=4123"
     ```
@@ -431,7 +439,7 @@ You can declare TCP Routers and/or Services using labels.
     See [rule](../routers/index.md#rule_1) for more information.
 
     ```yaml
-    - "traefik.tcp.routers.mytcprouter.rule=HostSNI(`myhost.com`)"
+    - "traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.service`"
@@ -463,7 +471,7 @@ You can declare TCP Routers and/or Services using labels.
     See [domains](../routers/index.md#domains_1) for more information.
 
     ```yaml
-    - "traefik.tcp.routers.mytcprouter.tls.domains[0].main=foobar.com"
+    - "traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].sans`"
@@ -471,7 +479,7 @@ You can declare TCP Routers and/or Services using labels.
     See [domains](../routers/index.md#domains_1) for more information.
 
     ```yaml
-    - "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com"
+    - "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.tls.options`"
@@ -508,6 +516,54 @@ You can declare TCP Routers and/or Services using labels.
     - "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
     ```
 
+### UDP
+
+You can declare UDP Routers and/or Services using labels.
+
+??? example "Declaring UDP Routers and Services"
+
+    ```yaml
+       services:
+         my-container:
+           # ...
+           labels:
+             - "traefik.udp.routers.my-router.entrypoint=udp"
+             - "traefik.udp.services.my-service.loadbalancer.server.port=4123"
+    ```
+
+!!! warning "UDP and HTTP"
+
+    If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined).
+    You can declare both a UDP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
+
+#### UDP Routers
+
+??? info "`traefik.udp.routers.<router_name>.entrypoints`"
+
+    See [entry points](../routers/index.md#entrypoints_2) for more information.
+
+    ```yaml
+    - "traefik.udp.routers.myudprouter.entrypoints=ep1,ep2"
+    ```
+
+??? info "`traefik.udp.routers.<router_name>.service`"
+
+    See [service](../routers/index.md#services_1) for more information.
+
+    ```yaml
+    - "traefik.udp.routers.myudprouter.service=myservice"
+    ```
+
+#### UDP Services
+
+??? info "`traefik.udp.services.<service_name>.loadbalancer.server.port`"
+
+    Registers a port of the application.
+
+    ```yaml
+    - "traefik.udp.services.myudpservice.loadbalancer.server.port=423"
+    ```
+
 ### Specific Provider Options
 
 #### `traefik.enable`

docs/content/routing/providers/kubernetes-ingress.md

@@ -0,0 +1,408 @@
+# Traefik & Kubernetes
+
+The Kubernetes Ingress Controller.
+{: .subtitle }
+
+## Routing Configuration
+
+The provider then watches for incoming ingresses events, such as the example below,
+and derives the corresponding dynamic configuration from it,
+which in turn will create the resulting routers, services, handlers, etc.
+
+## Configuration Example
+
+??? example "Configuring Kubernetes Ingress Controller"
+    
+    ```yaml tab="RBAC"
+    ---
+    kind: ClusterRole
+    apiVersion: rbac.authorization.k8s.io/v1beta1
+    metadata:
+      name: traefik-ingress-controller
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - services
+          - endpoints
+          - secrets
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - extensions
+        resources:
+          - ingresses
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - extensions
+        resources:
+          - ingresses/status
+        verbs:
+          - update
+    
+    ---
+    kind: ClusterRoleBinding
+    apiVersion: rbac.authorization.k8s.io/v1beta1
+    metadata:
+      name: traefik-ingress-controller
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: traefik-ingress-controller
+    subjects:
+      - kind: ServiceAccount
+        name: traefik-ingress-controller
+        namespace: default
+    ```
+    
+    ```yaml tab="Ingress"
+    kind: Ingress
+    apiVersion: networking.k8s.io/v1beta1
+    metadata:
+      name: myingress
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: web
+    
+    spec:
+      rules:
+        - host: example.com
+          http:
+            paths:
+              - path: /bar
+                backend:
+                  serviceName: whoami
+                  servicePort: 80
+              - path: /foo
+                backend:
+                  serviceName: whoami
+                  servicePort: 80
+    ```
+    
+    ```yaml tab="Traefik"
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: traefik-ingress-controller
+    
+    ---
+    kind: Deployment
+    apiVersion: apps/v1
+    metadata:
+      name: traefik
+      labels:
+        app: traefik
+    
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: traefik
+      template:
+        metadata:
+          labels:
+            app: traefik
+        spec:
+          serviceAccountName: traefik-ingress-controller
+          containers:
+            - name: traefik
+              image: traefik:v2.2
+              args:
+                - --log.level=DEBUG
+                - --api
+                - --api.insecure
+                - --entrypoints.web.address=:80
+                - --providers.kubernetesingress
+              ports:
+                - name: web
+                  containerPort: 80
+                - name: admin
+                  containerPort: 8080
+    
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: traefik
+    spec:
+      type: LoadBalancer
+      selector:
+        app: traefik
+      ports:
+        - protocol: TCP
+          port: 80
+          name: web
+          targetPort: 80
+        - protocol: TCP
+          port: 8080
+          name: admin
+          targetPort: 8080
+    ```
+    
+    ```yaml tab="Whoami"
+    kind: Deployment
+    apiVersion: apps/v1
+    metadata:
+      name: whoami
+      labels:
+        app: containous
+        name: whoami
+    
+    spec:
+      replicas: 2
+      selector:
+        matchLabels:
+          app: containous
+          task: whoami
+      template:
+        metadata:
+          labels:
+            app: containous
+            task: whoami
+        spec:
+          containers:
+            - name: containouswhoami
+              image: containous/whoami
+              ports:
+                - containerPort: 80
+    
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: whoami
+    
+    spec:
+      ports:
+        - name: http
+          port: 80
+      selector:
+        app: containous
+        task: whoami
+    ```
+
+## Annotations
+
+#### On Ingress
+
+??? info "`traefik.ingress.kubernetes.io/router.entrypoints`"
+
+    See [entry points](../routers/index.md#entrypoints) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.entrypoints: ep1,ep2
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/router.middlewares`"
+
+    See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.middlewares: auth@file,prefix@kuberntescrd,cb@file
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/router.priority`"
+
+    See [priority](../routers/index.md#priority) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.priority: "42"
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/router.pathmatcher`"
+
+    Overrides the default router rule type used for a path.  
+    Only path-related matcher name can be specified: `Path`, `PathPrefix`.
+    
+    Default `PathPrefix`
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.pathmatcher: Path
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/router.tls`"
+
+    See [tls](../routers/index.md#tls) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/router.tls.certresolver`"
+
+    See [certResolver](../routers/index.md#certresolver) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.tls.certresolver: myresolver
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/router.tls.domains.n.main`"
+
+    See [domains](../routers/index.md#domains) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.tls.domains.0.main: example.org
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/router.tls.domains.n.sans`"
+
+    See [domains](../routers/index.md#domains) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.tls.domains.0.sans: test.example.org,dev.example.org
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/router.tls.options`"
+
+    See [options](../routers/index.md#options) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/router.tls.options: foobar
+    ```
+
+#### On Service
+
+??? info "`traefik.ingress.kubernetes.io/service.serversscheme`"
+
+    Overrides the default scheme.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.serversscheme: h2c
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/service.passhostheader`"
+
+    See [pass Host header](../services/index.md#pass-host-header) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.passhostheader: "true"
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/service.sticky`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.sticky: "true"
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.httponly`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.name`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.sticky.cookie.name: foobar
+    ```
+
+??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.secure`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true"
+    ```
+
+### TLS
+
+#### Communication Between Traefik and Pods
+
+Traefik automatically requests endpoint information based on the service provided in the ingress spec.
+Although Traefik will connect directly to the endpoints (pods),
+it still checks the service port to see if TLS communication is required.
+
+There are 3 ways to configure Traefik to use https to communicate with pods:
+
+1. If the service port defined in the ingress spec is `443` (note that you can still use `targetPort` to use a different port on your pod).
+1. If the service port defined in the ingress spec has a name that starts with https (such as `https-api`, `https-web` or just `https`).
+1. If the ingress spec includes the annotation `traefik.ingress.kubernetes.io/service.serversscheme: https`.
+
+If either of those configuration options exist, then the backend communication protocol is assumed to be TLS,
+and will connect via TLS automatically.
+
+!!! info
+    
+    Please note that by enabling TLS communication between traefik and your pods,
+    you will have to have trusted certificates that have the proper trust chain and IP subject name.
+    If this is not an option, you may need to skip TLS certificate verification.
+    See the [insecureSkipVerify](../../routing/overview.md#insecureskipverify) setting for more details.
+
+#### Certificates Management
+
+??? example "Using a secret"
+    
+    ```yaml tab="Ingress"
+    kind: Ingress
+    apiVersion: networking.k8s.io/v1beta1
+    metadata:
+      name: foo
+      namespace: production
+    
+    spec:
+      rules:
+      - host: example.net
+        http:
+          paths:
+          - path: /bar
+            backend:
+              serviceName: service1
+              servicePort: 80
+    
+      tls:
+      - secretName: supersecret
+    ```
+      
+    ```yaml tab="Secret"
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: supersecret
+    
+    data:
+      tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+      tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+    ```
+
+TLS certificates can be managed in Secrets objects.
+
+!!! info
+    
+    Only TLS certificates provided by users can be stored in Kubernetes Secrets.
+    [Let's Encrypt](../../https/acme.md) certificates cannot be managed in Kubernetes Secrets yet.
+
+## Global Default Backend Ingresses
+
+Ingresses can be created that look like the following:
+
+```yaml
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: cheese
+
+spec:
+ backend:
+   serviceName: stilton
+   servicePort: 80
+```
+
+This ingress follows the Global Default Backend property of ingresses.
+This will allow users to create a "default router" that will match all unmatched requests.
+
+!!! info
+    
+    Due to Traefik's use of priorities, you may have to set this ingress priority lower than other ingresses in your environment,
+    to avoid this global ingress from satisfying requests that could match other ingresses.
+    
+    To do this, use the `traefik.ingress.kubernetes.io/router.priority` annotation (as seen in [Annotations on Ingress](#on-ingress)) on your ingresses accordingly.

docs/content/routing/providers/kv.md

@@ -0,0 +1,392 @@
+# Traefik & KV Stores
+
+A Story of key & values
+{: .subtitle }
+
+## Routing Configuration
+
+!!! info "Keys"
+
+    - Keys are case insensitive.
+    - The complete list of keys can be found in [the reference page](../../reference/dynamic-configuration/kv.md).
+
+### Routers
+
+!!! warning "The character `@` is not authorized in the router name `<router_name>`."
+
+??? info "`traefik/http/routers/<router_name>/rule`"
+
+    See [rule](../routers/index.md#rule) for more information.
+    
+    | Key (Path)                           | Value                      |
+    |--------------------------------------|----------------------------|
+    | `traefik/http/routers/myrouter/rule` | ```Host(`example.com`)```  |
+
+??? info "`traefik/http/routers/<router_name>/entrypoints`"
+
+    See [entry points](../routers/index.md#entrypoints) for more information.
+
+    | Key (Path)                                    | Value       |
+    |-----------------------------------------------|-------------|
+    | `traefik.http.routers.myrouter.entrypoints/0` | `web`       |
+    | `traefik.http.routers.myrouter.entrypoints/1` | `websecure` |
+
+??? info "`traefik/http/routers/<router_name>/middlewares`"
+
+    See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information.
+
+    | Key (Path)                                    | Value       |
+    |-----------------------------------------------|-------------|
+    | `traefik/http/routers/myrouter/middlewares/0` | `auth`      |
+    | `traefik/http/routers/myrouter/middlewares/1` | `prefix`    |
+    | `traefik/http/routers/myrouter/middlewares/2` | `cb`        |
+
+??? info "`traefik/http/routers/<router_name>/service`"
+
+    See [rule](../routers/index.md#service) for more information.
+
+    | Key (Path)                              | Value       |
+    |-----------------------------------------|-------------|
+    | `traefik/http/routers/myrouter/service` | `myservice` |
+
+??? info "`traefik/http/routers/<router_name>/tls`"
+
+    See [tls](../routers/index.md#tls) for more information.
+
+    | Key (Path)                          | Value  |
+    |-------------------------------------|--------|
+    | `traefik/http/routers/myrouter/tls` | `true` |
+    
+??? info "`traefik/http/routers/<router_name>/tls/certresolver`"
+
+    See [certResolver](../routers/index.md#certresolver) for more information.
+
+    | Key (Path)                                       | Value        |
+    |--------------------------------------------------|--------------|
+    | `traefik/http/routers/myrouter/tls/certresolver` | `myresolver` |    
+
+??? info "`traefik/http/routers/<router_name>/tls/domains/<n>/main`"
+
+    See [domains](../routers/index.md#domains) for more information.
+
+    | Key (Path)                                         | Value         |
+    |----------------------------------------------------|---------------|
+    | `traefik/http/routers/myrouter/tls/domains/0/main` | `example.org` |
+    
+??? info "`traefik/http/routers/<router_name>/tls/domains/<n>/sans/<n>`"
+
+    See [domains](../routers/index.md#domains) for more information.
+
+    | Key (Path)                                           | Value              |
+    |------------------------------------------------------|--------------------|
+    | `traefik/http/routers/myrouter/tls/domains/0/sans/0` | `test.example.org` |
+    | `traefik/http/routers/myrouter/tls/domains/0/sans/1` | `dev.example.org`  |
+    
+??? info "`traefik/http/routers/<router_name>/tls/options`"
+
+    See [options](../routers/index.md#options) for more information.
+
+    | Key (Path)                                  | Value    |
+    |---------------------------------------------|----------|
+    | `traefik/http/routers/myrouter/tls/options` | `foobar` |
+
+??? info "`traefik/http/routers/<router_name>/priority`"
+
+    See [priority](../routers/index.md#priority) for more information.
+
+    | Key (Path)                               | Value |
+    |------------------------------------------|-------|
+    | `traefik/http/routers/myrouter/priority` | `42`  |
+
+### Services
+
+!!! warning "The character `@` is not authorized in the service name `<service_name>`."
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/servers/<n>/url`"
+
+    See [servers](../services/index.md#servers) for more information.
+
+    | Key (Path)                                                      | Value  |
+    |-----------------------------------------------------------------|--------|
+    | `traefik/http/services/myservice/loadbalancer/servers/0/scheme` | `http` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/servers/<n>/scheme`"
+
+    Overrides the default scheme.
+
+    | Key (Path)                                                      | Value  |
+    |-----------------------------------------------------------------|--------|
+    | `traefik/http/services/myservice/loadbalancer/servers/0/scheme` | `http` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/passhostheader`"
+
+    See [pass Host header](../services/index.md#pass-host-header) for more information.
+
+    | Key (Path)                                                      | Value  |
+    |-----------------------------------------------------------------|--------|
+    | `traefik/http/services/myservice/loadbalancer/passhostheader`   | `true` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/headers/<header_name>`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                               | Value    |
+    |--------------------------------------------------------------------------|----------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/headers/X-Foo` | `foobar` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/hostname`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                          | Value         |
+    |---------------------------------------------------------------------|---------------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/hostname` | `example.org` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/interval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                          | Value |
+    |---------------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/interval` | `10`  |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/path`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                      | Value  |
+    |-----------------------------------------------------------------|--------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/path` | `/foo` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/port`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                      | Value |
+    |-----------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/port` | `42`  |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/scheme`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                        | Value  |
+    |-------------------------------------------------------------------|--------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/scheme` | `http` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/timeout`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                         | Value |
+    |--------------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/timeout` | `10`  |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/sticky`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    | Key (Path)                                            | Value  |
+    |-------------------------------------------------------|--------|
+    | `traefik/http/services/myservice/loadbalancer/sticky` | `true` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/httponly`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    | Key (Path)                                                            | Value  |
+    |-----------------------------------------------------------------------|--------|
+    | `traefik/http/services/myservice/loadbalancer/sticky/cookie/httponly` | `true` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/name`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    | Key (Path)                                                        | Value    |
+    |-------------------------------------------------------------------|----------|
+    | `traefik/http/services/myservice/loadbalancer/sticky/cookie/name` | `foobar` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/secure`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    | Key (Path)                                                          | Value  |
+    |---------------------------------------------------------------------|--------|
+    | `traefik/http/services/myservice/loadbalancer/sticky/cookie/secure` | `true` |
+
+??? info "`traefik/http/services/<service_name>/loadbalancer/responseforwarding/flushinterval`"
+
+    See [response forwarding](../services/index.md#response-forwarding) for more information.
+
+    | Key (Path)                                                                      | Value |
+    |---------------------------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/responseforwarding/flushinterval` | `10`  |
+
+??? info "`traefik/http/services/<service_name>/mirroring/service`"
+
+    | Key (Path)                                               | Value    |
+    |----------------------------------------------------------|----------|
+    | `traefik/http/services/<service_name>/mirroring/service` | `foobar` |
+
+??? info "`traefik/http/services/<service_name>/mirroring/mirrors/<n>/name`"
+
+    | Key (Path)                                                        | Value    |
+    |-------------------------------------------------------------------|----------|
+    | `traefik/http/services/<service_name>/mirroring/mirrors/<n>/name` | `foobar` |
+
+??? info "`traefik/http/services/<service_name>/mirroring/mirrors/<n>/percent`"
+
+    | Key (Path)                                                           | Value |
+    |----------------------------------------------------------------------|-------|
+    | `traefik/http/services/<service_name>/mirroring/mirrors/<n>/percent` | `42`  |
+
+??? info "`traefik/http/services/<service_name>/weighted/services/<n>/name`"
+
+    | Key (Path)                                                        | Value    |
+    |-------------------------------------------------------------------|----------|
+    | `traefik/http/services/<service_name>/weighted/services/<n>/name` | `foobar` |
+
+??? info "`traefik/http/services/<service_name>/weighted/services/<n>/weight`"
+
+    | Key (Path)                                                          | Value |
+    |---------------------------------------------------------------------|-------|
+    | `traefik/http/services/<service_name>/weighted/services/<n>/weight` | `42`  |
+
+??? info "`traefik/http/services/<service_name>/weighted/sticky/cookie/name`"
+
+    | Key (Path)                                                         | Value    |
+    |--------------------------------------------------------------------|----------|
+    | `traefik/http/services/<service_name>/weighted/sticky/cookie/name` | `foobar` |
+
+??? info "`traefik/http/services/<service_name>/weighted/sticky/cookie/secure`"
+
+    | Key (Path)                                                           | Value  |
+    |----------------------------------------------------------------------|--------|
+    | `traefik/http/services/<service_name>/weighted/sticky/cookie/secure` | `true` |
+
+??? info "`traefik/http/services/<service_name>/weighted/sticky/cookie/httpOnly`"
+
+    | Key (Path)                                                             | Value  |
+    |------------------------------------------------------------------------|--------|
+    | `traefik/http/services/<service_name>/weighted/sticky/cookie/httpOnly` | `true` |
+
+### Middleware
+
+More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).
+
+!!! warning "The character `@` is not authorized in the middleware name."
+
+!!! warning "Conflicts in Declaration"
+
+    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
+
+### TCP
+
+You can declare TCP Routers and/or Services using KV.
+
+#### TCP Routers
+
+??? info "`traefik/tcp/routers/<router_name>/entrypoints`"
+
+    See [entry points](../routers/index.md#entrypoints_1) for more information.
+
+    | Key (Path)                                      | Value |
+    |-------------------------------------------------|-------|
+    | `traefik/tcp/routers/mytcprouter/entrypoints/0` | `ep1` |
+    | `traefik/tcp/routers/mytcprouter/entrypoints/1` | `ep2` |
+    
+??? info "`traefik/tcp/routers/<router_name>/rule`"
+
+    See [rule](../routers/index.md#rule_1) for more information.
+
+    | Key (Path)                           | Value                        |
+    |--------------------------------------|------------------------------|
+    | `traefik/tcp/routers/my-router/rule` | ```HostSNI(`example.com`)``` |  
+
+??? info "`traefik/tcp/routers/<router_name>/service`"
+
+    See [service](../routers/index.md#services) for more information.
+    
+    | Key (Path)                                | Value       |
+    |-------------------------------------------|-------------|
+    | `traefik/tcp/routers/mytcprouter/service` | `myservice` |
+
+??? info "`traefik/tcp/routers/<router_name>/tls`"
+
+    See [TLS](../routers/index.md#tls_1) for more information.
+
+    | Key (Path)                            | Value  |
+    |---------------------------------------|--------|
+    | `traefik/tcp/routers/mytcprouter/tls` | `true` |
+
+??? info "`traefik/tcp/routers/<router_name>/tls/certresolver`"
+
+    See [certResolver](../routers/index.md#certresolver_1) for more information.
+
+    | Key (Path)                                         | Value        |
+    |----------------------------------------------------|--------------|
+    | `traefik/tcp/routers/mytcprouter/tls/certresolver` | `myresolver` |
+
+??? info "`traefik/tcp/routers/<router_name>/tls/domains/<n>/main`"
+
+    See [domains](../routers/index.md#domains_1) for more information.
+
+    | Key (Path)                                           | Value         |
+    |------------------------------------------------------|---------------|
+    | `traefik/tcp/routers/mytcprouter/tls/domains/0/main` | `example.org` |
+        
+??? info "`traefik/tcp/routers/<router_name>/tls/domains/<n>/sans`"
+
+    See [domains](../routers/index.md#domains_1) for more information.
+
+    | Key (Path)                                             | Value              |
+    |--------------------------------------------------------|--------------------|
+    | `traefik/tcp/routers/mytcprouter/tls/domains/0/sans/0` | `test.example.org` |
+    | `traefik/tcp/routers/mytcprouter/tls/domains/0/sans/1` | `dev.example.org`  |
+    
+??? info "`traefik/tcp/routers/<router_name>/tls/options`"
+
+    See [options](../routers/index.md#options_1) for more information.
+
+    | Key (Path)                                    | Value    |
+    |-----------------------------------------------|----------|
+    | `traefik/tcp/routers/mytcprouter/tls/options` | `foobar` |
+    
+
+??? info "`traefik/tcp/routers/<router_name>/tls/passthrough`"
+
+    See [TLS](../routers/index.md#tls_1) for more information.
+
+    | Key (Path)                                        | Value  |
+    |---------------------------------------------------|--------|
+    | `traefik/tcp/routers/mytcprouter/tls/passthrough` | `true` |
+
+#### TCP Services
+
+??? info "`traefik/tcp/services/<service_name>/loadbalancer/servers/<n>/url`"
+
+    See [servers](../services/index.md#servers) for more information.
+
+    | Key (Path)                                                        | Value  |
+    |-------------------------------------------------------------------|--------|
+    | `traefik/tcp/services/mytcpservice/loadbalancer/servers/0/scheme` | `http` |
+
+??? info "`traefik/tcp/services/<service_name>/loadbalancer/terminationdelay`"
+
+    See [termination delay](../services/index.md#termination-delay) for more information.
+
+    | Key (Path)                                                        | Value |
+    |-------------------------------------------------------------------|-------|
+    | `traefik/tcp/services/mytcpservice/loadbalancer/terminationdelay` | `100` |
+
+??? info "`traefik/tcp/services/<service_name>/weighted/services/<n>/name`"
+
+    | Key (Path)                                                          | Value    |
+    |---------------------------------------------------------------------|----------|
+    | `traefik/tcp/services/<service_name>/weighted/services/0/name`      | `foobar` |
+
+??? info "`traefik/tcp/services/<service_name>/weighted/services/<n>/weight`"
+
+    | Key (Path)                                                       | Value |
+    |------------------------------------------------------------------|-------|
+    | `traefik/tcp/services/<service_name>/weighted/services/0/weight` | `42`  |

docs/content/routing/providers/marathon.md

@@ -29,7 +29,7 @@ and the router automatically gets a rule defined by defaultRule (if no rule for
 
     ```json
     labels: {
-      "traefik.http.routers.myproxy.rule": "Host(`foo.com`)",
+      "traefik.http.routers.myproxy.rule": "Host(`example.net`)",
       "traefik.http.services.myservice.loadbalancer.server.port": "80"
     }
     ```
@@ -41,7 +41,7 @@ and the router automatically gets a rule defined by defaultRule (if no rule for
 
     ```json
     labels: {
-      "traefik.http.routers.myproxy.rule": "Host(`foo.com`)"
+      "traefik.http.routers.myproxy.rule": "Host(`example.net`)"
 	}
     ```
 
@@ -50,7 +50,7 @@ and the router automatically gets a rule defined by defaultRule (if no rule for
 To update the configuration of the Router automatically attached to the application,
 add labels starting with `traefik.http.routers.{router-name-of-your-choice}.` and followed by the option you want to change.
 
-For example, to change the routing rule, you could add the label ```"traefik.http.routers.routername.rule": "Host(`mydomain.com`)"```.
+For example, to change the routing rule, you could add the label ```"traefik.http.routers.routername.rule": "Host(`example.com`)"```.
 
 !!! warning "The character `@` is not authorized in the router name `<router_name>`."
 
@@ -59,7 +59,7 @@ For example, to change the routing rule, you could add the label ```"traefik.htt
     See [rule](../routers/index.md#rule) for more information. 
     
     ```json
-    "traefik.http.routers.myrouter.rule": "Host(`mydomain.com`)"
+    "traefik.http.routers.myrouter.rule": "Host(`example.com`)"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.entrypoints`"
@@ -107,7 +107,7 @@ For example, to change the routing rule, you could add the label ```"traefik.htt
     See [domains](../routers/index.md#domains) for more information.
     
     ```json
-    "traefik.http.routers.myrouter.tls.domains[0].main": "foobar.com"
+    "traefik.http.routers.myrouter.tls.domains[0].main": "example.org"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.domains[n].sans`"
@@ -115,7 +115,7 @@ For example, to change the routing rule, you could add the label ```"traefik.htt
     See [domains](../routers/index.md#domains) for more information.
     
     ```json
-    "traefik.http.routers.myrouter.tls.domains[0].sans": "test.foobar.com,dev.foobar.com"
+    "traefik.http.routers.myrouter.tls.domains[0].sans": "test.example.org,dev.example.org"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.options`"
@@ -181,7 +181,7 @@ For example, to change the passHostHeader behavior, you'd add the label `"traefi
     See [health check](../services/index.md#health-check) for more information.
     
     ```json
-    "traefik.http.services.myservice.loadbalancer.healthcheck.hostname": "foobar.com"
+    "traefik.http.services.myservice.loadbalancer.healthcheck.hostname": "example.org"
     ```
 
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.interval`"
@@ -224,6 +224,14 @@ For example, to change the passHostHeader behavior, you'd add the label `"traefi
     "traefik.http.services.myservice.loadbalancer.healthcheck.timeout": "10"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.followredirects": "true"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky`"
     
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -300,7 +308,7 @@ You can declare TCP Routers and/or Services using labels.
 	{
 		...
 		"labels": {
-			"traefik.tcp.routers.my-router.rule": "HostSNI(`my-host.com`)",
+			"traefik.tcp.routers.my-router.rule": "HostSNI(`example.com`)",
 			"traefik.tcp.routers.my-router.tls": "true",
 			"traefik.tcp.services.my-service.loadbalancer.server.port": "4123"
 		}
@@ -328,7 +336,7 @@ You can declare TCP Routers and/or Services using labels.
     See [rule](../routers/index.md#rule_1) for more information.
     
     ```json
-    "traefik.tcp.routers.mytcprouter.rule": "HostSNI(`myhost.com`)"
+    "traefik.tcp.routers.mytcprouter.rule": "HostSNI(`example.com`)"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.service`"
@@ -360,7 +368,7 @@ You can declare TCP Routers and/or Services using labels.
     See [domains](../routers/index.md#domains_1) for more information.
     
     ```json
-    "traefik.tcp.routers.mytcprouter.tls.domains[0].main": "foobar.com"
+    "traefik.tcp.routers.mytcprouter.tls.domains[0].main": "example.org"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].sans`"
@@ -368,7 +376,7 @@ You can declare TCP Routers and/or Services using labels.
     See [domains](../routers/index.md#domains_1) for more information.
     
     ```json
-    "traefik.tcp.routers.mytcprouter.tls.domains[0].sans": "test.foobar.com,dev.foobar.com"
+    "traefik.tcp.routers.mytcprouter.tls.domains[0].sans": "test.example.org,dev.example.org"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.tls.options`"
@@ -405,6 +413,55 @@ You can declare TCP Routers and/or Services using labels.
     "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay": "100"
     ```
 
+### UDP
+
+You can declare UDP Routers and/or Services using labels.
+
+??? example "Declaring UDP Routers and Services"
+
+    ```json
+	{
+		...
+		"labels": {
+			"traefik.udp.routers.my-router.entrypoints": "udp",
+			"traefik.udp.services.my-service.loadbalancer.server.port": "4123"
+		}
+	}
+    ```
+
+!!! warning "UDP and HTTP"
+
+    If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined).
+    You can declare both a UDP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
+
+#### UDP Routers
+
+??? info "`traefik.udp.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints_2) for more information.
+    
+     ```json
+     "traefik.udp.routers.myudprouter.entrypoints": "ep1,ep2"
+     ```
+
+??? info "`traefik.udp.routers.<router_name>.service`"
+    
+    See [service](../routers/index.md#services_1) for more information.
+    
+    ```json
+    "traefik.udp.routers.myudprouter.service": "myservice"
+    ```
+
+#### UDP Services
+
+??? info "`traefik.udp.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port of the application.
+    
+    ```json
+    "traefik.udp.services.myudpservice.loadbalancer.server.port": "423"
+    ```
+
 ### Specific Provider Options
 
 #### `traefik.enable`

docs/content/routing/providers/rancher.md

@@ -35,7 +35,7 @@ The Service automatically gets a server per container in this rancher service, a
 
     ```yaml
     labels:
-      - "traefik.http.routers.myproxy.rule=Host(`foo.com`)"
+      - "traefik.http.routers.myproxy.rule=Host(`example.net`)"
       # service myservice gets automatically assigned to router myproxy
       - "traefik.http.services.myservice.loadbalancer.server.port=80"
     ```
@@ -48,14 +48,14 @@ The Service automatically gets a server per container in this rancher service, a
     labels:
       # no service specified or defined and yet one gets automatically created
       # and assigned to router myproxy.
-      - "traefik.http.routers.myproxy.rule=Host(`foo.com`)"
+      - "traefik.http.routers.myproxy.rule=Host(`example.net`)"
     ```
 
 ### Routers
 
 To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change.
 
-For example, to change the rule, you could add the label ```traefik.http.routers.my-container.rule=Host(`mydomain.com`)```.
+For example, to change the rule, you could add the label ```traefik.http.routers.my-container.rule=Host(`example.com`)```.
 
 !!! warning "The character `@` is not authorized in the router name `<router_name>`."
 
@@ -64,7 +64,7 @@ For example, to change the rule, you could add the label ```traefik.http.routers
     See [rule](../routers/index.md#rule) for more information. 
     
     ```yaml
-    - "traefik.http.routers.myrouter.rule=Host(`mydomain.com`)"
+    - "traefik.http.routers.myrouter.rule=Host(`example.com`)"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.entrypoints`"
@@ -112,7 +112,7 @@ For example, to change the rule, you could add the label ```traefik.http.routers
     See [domains](../routers/index.md#domains) for more information.
     
     ```yaml
-    - "traefik.http.routers.myrouter.tls.domains[0].main=foobar.com"
+    - "traefik.http.routers.myrouter.tls.domains[0].main=example.org"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.domains[n].sans`"
@@ -120,7 +120,7 @@ For example, to change the rule, you could add the label ```traefik.http.routers
     See [domains](../routers/index.md#domains) for more information.
     
     ```yaml
-    - "traefik.http.routers.myrouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com"
+    - "traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.options`"
@@ -187,7 +187,7 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     See [health check](../services/index.md#health-check) for more information.
     
     ```yaml
-    - "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=foobar.com"
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org"
     ```
 
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.interval`"
@@ -230,6 +230,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky`"
     
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -306,7 +314,7 @@ You can declare TCP Routers and/or Services using labels.
          my-container:
            # ...
            labels:
-             - "traefik.tcp.routers.my-router.rule=HostSNI(`my-host.com`)"
+             - "traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)"
              - "traefik.tcp.routers.my-router.tls=true"
              - "traefik.tcp.services.my-service.loadbalancer.server.port=4123"
     ```
@@ -331,7 +339,7 @@ You can declare TCP Routers and/or Services using labels.
     See [rule](../routers/index.md#rule_1) for more information.
     
     ```yaml
-    - "traefik.tcp.routers.mytcprouter.rule=HostSNI(`myhost.com`)"
+    - "traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.service`"
@@ -363,7 +371,7 @@ You can declare TCP Routers and/or Services using labels.
     See [domains](../routers/index.md#domains_1) for more information.
     
     ```yaml
-    - "traefik.tcp.routers.mytcprouter.tls.domains[0].main=foobar.com"
+    - "traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.tls.domains[n].sans`"
@@ -371,7 +379,7 @@ You can declare TCP Routers and/or Services using labels.
     See [domains](../routers/index.md#domains_1) for more information.
     
     ```yaml
-    - "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.foobar.com,dev.foobar.com"
+    - "traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org"
     ```
 
 ??? info "`traefik.tcp.routers.<router_name>.tls.options`"
@@ -408,6 +416,54 @@ You can declare TCP Routers and/or Services using labels.
     - "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
     ```
 
+### UDP
+
+You can declare UDP Routers and/or Services using labels.
+
+??? example "Declaring UDP Routers and Services"
+
+    ```yaml
+       services:
+         my-container:
+           # ...
+           labels:
+             - "traefik.udp.routers.my-router.entrypoints=udp"
+             - "traefik.udp.services.my-service.loadbalancer.server.port=4123"
+    ```
+
+!!! warning "UDP and HTTP"
+
+    If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined).
+    You can declare both a UDP Router/Service and an HTTP Router/Service for the same container (but you have to do so manually).
+
+#### UDP Routers
+
+??? info "`traefik.udp.routers.<router_name>.entrypoints`"
+    
+    See [entry points](../routers/index.md#entrypoints_2) for more information.
+    
+    ```yaml
+    - "traefik.udp.routers.myudprouter.entrypoints=ep1,ep2"
+    ```
+
+??? info "`traefik.udp.routers.<router_name>.service`"
+    
+    See [service](../routers/index.md#services_1) for more information.
+    
+    ```yaml
+    - "traefik.udp.routers.myudprouter.service=myservice"
+    ```
+
+#### UDP Services
+
+??? info "`traefik.udp.services.<service_name>.loadbalancer.server.port`"
+    
+    Registers a port of the application.
+    
+    ```yaml
+    - "traefik.udp.services.myudpservice.loadbalancer.server.port=423"
+    ```
+
 ### Specific Provider Options
 
 #### `traefik.enable`

docs/content/routing/routers/index.md

@@ -6,7 +6,8 @@ Connecting Requests to Services
 ![routers](../../assets/img/routers.png)
 
 A router is in charge of connecting incoming requests to the services that can handle them.
-In the process, routers may use pieces of [middleware](../../middlewares/overview.md) to update the request, or act before forwarding the request to the service.
+In the process, routers may use pieces of [middleware](../../middlewares/overview.md) to update the request,
+or act before forwarding the request to the service.
 
 ## Configuration Example
 
@@ -100,7 +101,7 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
     [http.routers]
       [http.routers.Router-1]
         # By default, routers listen to every entry points
-        rule = "Host(`traefik.io`)"
+        rule = "Host(`example.com`)"
         service = "service-1"
     ```
     
@@ -110,7 +111,7 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
       routers:
         Router-1:
           # By default, routers listen to every entry points
-          rule: "Host(`traefik.io`)"
+          rule: "Host(`example.com`)"
           service: "service-1"
     ```
     
@@ -155,7 +156,7 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
       [http.routers.Router-1]
         # won't listen to entry point web
         entryPoints = ["websecure", "other"]
-        rule = "Host(`traefik.io`)"
+        rule = "Host(`example.com`)"
         service = "service-1"
     ```
     
@@ -168,7 +169,7 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
           entryPoints:
             - "websecure"
             - "other"
-          rule: "Host(`traefik.io`)"
+          rule: "Host(`example.com`)"
           service: "service-1"
     ```
 
@@ -213,30 +214,30 @@ If the rule is verified, the router becomes active, calls middlewares, and then
     
     Single quotes `'` are not accepted as values are [Golang's String Literals](https://golang.org/ref/spec#String_literals).
 
-!!! example "Host is traefik.io"
+!!! example "Host is example.com"
 
     ```toml
-    rule = "Host(`traefik.io`)"
+    rule = "Host(`example.com`)"
     ```
 
-!!! example "Host is traefik.io OR Host is containo.us AND path is /traefik"
+!!! example "Host is example.com OR Host is example.org AND path is /traefik"
 
     ```toml
-    rule = "Host(`traefik.io`) || (Host(`containo.us`) && Path(`/traefik`))"
+    rule = "Host(`example.com`) || (Host(`example.org`) && Path(`/traefik`))"
     ```
 
 The table below lists all the available matchers:
 
-| Rule                                                                 | Description                                                                                                    |
+| Rule                                                                   | Description                                                                                                    |
-|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
+|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
-| ```Headers(`key`, `value`)```                                        | Check if there is a key `key`defined in the headers, with the value `value`                                    |
+| ```Headers(`key`, `value`)```                                          | Check if there is a key `key`defined in the headers, with the value `value`                                    |
-| ```HeadersRegexp(`key`, `regexp`)```                                 | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
+| ```HeadersRegexp(`key`, `regexp`)```                                   | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
-| ```Host(`domain-1`, ...)```                                          | Check if the request domain targets one of the given `domains`.                                                |
+| ```Host(`example.com`, ...)```                                         | Check if the request domain targets one of the given `domains`.                                                |
-| ```HostRegexp(`traefik.io`, `{subdomain:[a-z]+}.traefik.io`, ...)``` | Check if the request domain matches the given `regexp`.                                                        |
+| ```HostRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``` | Check if the request domain matches the given `regexp`.                                                        |
-| ```Method(`GET`, ...)```                                             | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`)            |
+| ```Method(`GET`, ...)```                                               | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`)            |
-| ```Path(`/path`, `/articles/{category}/{id:[0-9]+}`, ...)```         | Match exact request path. It accepts a sequence of literal and regular expression paths.                       |
+| ```Path(`/path`, `/articles/{category}/{id:[0-9]+}`, ...)```           | Match exact request path. It accepts a sequence of literal and regular expression paths.                       |
-| ```PathPrefix(`/products/`, `/articles/{category}/{id:[0-9]+}`)```   | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths.               |
+| ```PathPrefix(`/products/`, `/articles/{category}/{id:[0-9]+}`)```     | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths.               |
-| ```Query(`foo=bar`, `bar=baz`)```                                    | Match Query String parameters. It accepts a sequence of key=value pairs.                                      |
+| ```Query(`foo=bar`, `bar=baz`)```                                      | Match Query String parameters. It accepts a sequence of key=value pairs.                                       |
 
 !!! important "Regexp Syntax"
 
@@ -385,7 +386,7 @@ but there are exceptions for label-based providers.
 See the specific [docker](../providers/docker.md#service-definition), [rancher](../providers/rancher.md#service-definition),
 or [marathon](../providers/marathon.md#service-definition) documentation.
 
-!!! warning "The character `@` is not authorized in the middleware name."
+!!! warning "The character `@` is not authorized in the service name."
 
 !!! important "HTTP routers can only target HTTP services (not TCP services)."
 
@@ -487,8 +488,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
         minVersion = "VersionTLS12"
         cipherSuites = [
           "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
           "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         ]
@@ -511,8 +512,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
           minVersion: VersionTLS12
           cipherSuites:
             - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
             - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
             - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     ```
@@ -579,7 +580,7 @@ http:
 ```
 
 !!! info "Multiple Hosts in a Rule"
-    The rule ```Host(`test1.traefik.io`,`test2.traefik.io`)``` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
+    The rule ```Host(`test1.example.com`,`test2.example.com`)``` will request a certificate with the main domain `test1.example.com` and SAN `test2.example.com`.
 
 #### `domains`
 
@@ -653,7 +654,7 @@ If you want to limit the router scope to a set of entry points, set the entry po
     [tcp.routers]
       [tcp.routers.Router-1]
         # By default, routers listen to every entrypoints
-        rule = "HostSNI(`traefik.io`)"
+        rule = "HostSNI(`example.com`)"
         service = "service-1"
         # will route TLS requests (and ignore non tls requests)
         [tcp.routers.Router-1.tls]
@@ -666,7 +667,7 @@ If you want to limit the router scope to a set of entry points, set the entry po
       routers:
         Router-1:
           # By default, routers listen to every entrypoints
-          rule: "HostSNI(`traefik.io`)"
+          rule: "HostSNI(`example.com`)"
           service: "service-1"
           # will route TLS requests (and ignore non tls requests)
           tls: {}
@@ -715,7 +716,7 @@ If you want to limit the router scope to a set of entry points, set the entry po
       [tcp.routers.Router-1]
         # won't listen to entry point web
         entryPoints = ["websecure", "other"]
-        rule = "HostSNI(`traefik.io`)"
+        rule = "HostSNI(`example.com`)"
         service = "service-1"
         # will route TLS requests (and ignore non tls requests)
         [tcp.routers.Router-1.tls]
@@ -730,7 +731,7 @@ If you want to limit the router scope to a set of entry points, set the entry po
           entryPoints:
             - "websecure"
             - "other"
-          rule: "HostSNI(`traefik.io`)"
+          rule: "HostSNI(`example.com`)"
           service: "service-1"
           # will route TLS requests (and ignore non tls requests)
           tls: {}
@@ -792,11 +793,12 @@ Services are the target for the router.
 
 #### General
 
- When a TLS section is specified, it instructs Traefik that the current router is dedicated to TLS requests only (and that the router should ignore non-TLS requests).
+When a TLS section is specified,
- 
+it instructs Traefik that the current router is dedicated to TLS requests only (and that the router should ignore non-TLS requests).
- By default, Traefik will terminate the SSL connections (meaning that it will send decrypted data to the services), but Traefik can be configured in order to let the requests pass through (keeping the data encrypted), and be forwarded to the service "as is". 
 
-??? example "Configuring TLS Termination"
+By default, a router with a TLS section will terminate the TLS connections, meaning that it will send decrypted data to the services.
+
+??? example "Router for TLS requests"
 
     ```toml tab="File (TOML)"
     ## Dynamic configuration
@@ -819,6 +821,13 @@ Services are the target for the router.
           tls: {}
     ```
 
+#### `passthrough`
+
+As seen above, a TLS router will terminate the TLS connection by default.
+However, the `passthrough` option can be specified to set whether the requests should be forwarded "as is", keeping all data encrypted.
+
+It defaults to `false`.
+
 ??? example "Configuring passthrough"
 
     ```toml tab="File (TOML)"
@@ -864,8 +873,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
         minVersion = "VersionTLS12"
         cipherSuites = [
           "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
           "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         ]
@@ -888,8 +897,8 @@ It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied
           minVersion: VersionTLS12
           cipherSuites:
             - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
             - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
             - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     ```
@@ -946,3 +955,157 @@ tcp:
             sans: 
               - "*.snitest.com"
 ```
+
+## Configuring UDP Routers
+
+!!! warning "The character `@` is not allowed in the router name"
+
+### General
+
+Similarly to TCP, as UDP is the transport layer, there is no concept of a request,
+so there is no notion of an URL path prefix to match an incoming UDP packet with.
+Furthermore, as there is no good TLS support at the moment for multiple hosts,
+there is no Host SNI notion to match against either.
+Therefore, there is no criterion that could be used as a rule to match incoming packets in order to route them.
+So UDP "routers" at this time are pretty much only load-balancers in one form or another.
+
+!!! important "Sessions and timeout"
+
+	Even though UDP is connectionless (and because of that),
+	the implementation of an UDP router in Traefik relies on what we (and a couple of other implementations) call a `session`.
+	It basically means that some state is kept about an ongoing communication between a client and a backend,
+	notably so that the proxy knows where to forward a response packet from a backend.
+	As expected, a `timeout` is associated to each of these sessions,
+	so that they get cleaned out if they go through a period of inactivity longer than a given duration (that is hardcoded to 3 seconds for now).
+	Making this timeout configurable will be considered later if we get more usage feedback on this matter.
+
+### EntryPoints
+
+If not specified, UDP routers will accept packets from all defined (UDP) entry points.
+If one wants to limit the router scope to a set of entry points, one should set the entry points option.
+
+??? example "Listens to Every Entry Point"
+
+    **Dynamic Configuration**
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+
+    [udp.routers]
+      [udp.routers.Router-1]
+        # By default, routers listen to all UDP entrypoints,
+        # i.e. "other", and "streaming".
+        service = "service-1"
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+
+    udp:
+      routers:
+        Router-1:
+          # By default, routers listen to all UDP entrypoints
+          # i.e. "other", and "streaming".
+          service: "service-1"
+    ```
+
+    **Static Configuration**
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+
+    [entryPoints]
+      # not used by UDP routers
+      [entryPoints.web]
+        address = ":80"
+      # used by UDP routers
+      [entryPoints.other]
+        address = ":9090/udp"
+      [entryPoints.streaming]
+        address = ":9191/udp"
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+
+    entryPoints:
+      # not used by UDP routers
+      web:
+        address: ":80"
+      # used by UDP routers
+      other:
+        address: ":9090/udp"
+      streaming:
+        address: ":9191/udp"
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entrypoints.web.address=":80"
+    --entrypoints.other.address=":9090/udp"
+    --entrypoints.streaming.address=":9191/udp"
+    ```
+
+??? example "Listens to Specific Entry Points"
+
+    **Dynamic Configuration**
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [udp.routers]
+      [udp.routers.Router-1]
+        # does not listen on "other" entry point
+        entryPoints = ["streaming"]
+        service = "service-1"
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    udp:
+      routers:
+        Router-1:
+          # does not listen on "other" entry point
+          entryPoints:
+            - "streaming"
+          service: "service-1"
+    ```
+
+    **Static Configuration**
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      [entryPoints.other]
+        address = ":9090/udp"
+      [entryPoints.streaming]
+        address = ":9191/udp"
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+
+    entryPoints:
+      web:
+        address: ":80"
+      other:
+        address: ":9090/udp"
+      streaming:
+        address: ":9191/udp"
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entrypoints.web.address=":80"
+    --entrypoints.other.address=":9090/udp"
+    --entrypoints.streaming.address=":9191/udp"
+    ```
+
+### Services
+
+There must be one (and only one) UDP [service](../services/index.md) referenced per UDP router.
+Services are the target for the router.
+
+!!! important "UDP routers can only target UDP services (and not HTTP or TCP services)."

docs/content/routing/services/index.md

@@ -55,6 +55,28 @@ The `Services` are responsible for configuring how to reach the actual services
             - address: "<private-ip-server-2>:<private-port-server-2>"
     ```
 
+??? example "Declaring a UDP Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [udp.services]
+      [udp.services.my-service.loadBalancer]
+         [[udp.services.my-service.loadBalancer.servers]]
+           address = "<private-ip-server-1>:<private-port-server-1>"
+         [[udp.services.my-service.loadBalancer.servers]]
+           address = "<private-ip-server-2>:<private-port-server-2>"
+    ```
+
+    ```yaml tab="YAML"
+    udp:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+            - address: "<private-ip-server-1>:<private-port-server-1>"
+            - address: "<private-ip-server-2>:<private-port-server-2>"
+    ```
+
 ## Configuring HTTP Services
 
 ### Servers Load Balancer
@@ -145,8 +167,12 @@ For now, only round robin load balancing is supported:
 
 #### Sticky sessions
 
-When sticky sessions are enabled, a cookie is set on the initial request to track which server handles the first response.
+When sticky sessions are enabled, a cookie is set on the initial request and response to let the client know which server handles the first response.
-On subsequent requests, the client is forwarded to the same server.
+On subsequent requests, to keep the session alive with the same server, the client should resend the same cookie.
+
+!!! info "Stickiness on multiple levels"
+
+    When chaining or mixing load-balancers (e.g. a load-balancer of servers is one of the "children" of a load-balancer of services), for stickiness to work all the way, the option needs to be specified at all required levels. Which means the client needs to send a cookie with as many key/value pairs as there are sticky levels.
 
 !!! info "Stickiness & Unhealthy Servers"
 
@@ -204,6 +230,80 @@ On subsequent requests, the client is forwarded to the same server.
                 httpOnly: true
     ```
 
+??? example "Setting Stickiness on all the required levels -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.wrr1]
+        [http.services.wrr1.weighted.sticky.cookie]
+          name = "lvl1"
+        [[http.services.wrr1.weighted.services]]
+          name = "whoami1"
+          weight = 1
+        [[http.services.wrr1.weighted.services]]
+          name = "whoami2"
+          weight = 1
+
+      [http.services.whoami1]
+        [http.services.whoami1.loadBalancer]
+          [http.services.whoami1.loadBalancer.sticky.cookie]
+            name = "lvl2"
+          [[http.services.whoami1.loadBalancer.servers]]
+            url = "http://127.0.0.1:8081"
+          [[http.services.whoami1.loadBalancer.servers]]
+            url = "http://127.0.0.1:8082"
+
+      [http.services.whoami2]
+        [http.services.whoami2.loadBalancer]
+          [http.services.whoami2.loadBalancer.sticky.cookie]
+            name = "lvl2"
+          [[http.services.whoami2.loadBalancer.servers]]
+            url = "http://127.0.0.1:8083"
+          [[http.services.whoami2.loadBalancer.servers]]
+            url = "http://127.0.0.1:8084"
+    ```
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    http:
+      services:
+        wrr1:
+          weighted:
+            sticky:
+              cookie:
+                name: lvl1
+            services:
+              - name: whoami1
+                weight: 1
+              - name: whoami2
+                weight: 1
+
+        whoami1:
+          loadBalancer:
+            sticky:
+              cookie:
+                name: lvl2
+            servers:
+              - url: http://127.0.0.1:8081
+              - url: http://127.0.0.1:8082
+
+        whoami2:
+          loadBalancer:
+            sticky:
+              cookie:
+                name: lvl2
+            servers:
+              - url: http://127.0.0.1:8083
+              - url: http://127.0.0.1:8084
+    ```
+
+    To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:
+    
+    ```
+    curl -b "lvl1=whoami1; lvl2=http://127.0.0.1:8081" http://localhost:8000
+    ```
+
 #### Health Check
 
 Configure health check to remove unhealthy servers from the load balancing rotation.
@@ -218,6 +318,7 @@ Below are the available options for the health check mechanism:
 - `interval` defines the frequency of the health check calls.
 - `timeout` defines the maximum duration Traefik will wait for a health check request before considering the server failed (unhealthy).
 - `headers` defines custom headers to be sent to the health check endpoint.
+- `followRedirects` defines whether redirects should be followed during the health check calls (default: true).
 
 !!! info "Interval & Timeout Format"
 
@@ -439,6 +540,8 @@ http:
 ### Mirroring (service)
 
 The mirroring is able to mirror requests sent to a service to other services.
+Please note that by default the whole request is buffered in memory while it is being mirrored.
+See the maxBodySize option in the example below for how to modify this behaviour.
 
 !!! info "Supported Providers"
     
@@ -450,6 +553,10 @@ The mirroring is able to mirror requests sent to a service to other services.
   [http.services.mirrored-api]
     [http.services.mirrored-api.mirroring]
       service = "appv1"
+      # maxBodySize is the maximum size in bytes allowed for the body of the request.
+      # If the body is larger, the request is not mirrored.
+      # Default value is -1, which means unlimited size.
+      maxBodySize = 1024
     [[http.services.mirrored-api.mirroring.mirrors]]
       name = "appv2"
       percent = 10
@@ -472,6 +579,10 @@ http:
     mirrored-api:
       mirroring:
         service: appv1
+        # maxBodySize is the maximum size allowed for the body of the request.
+        # If the body is larger, the request is not mirrored.
+        # Default value is -1, which means unlimited size.
+        maxBodySize = 1024
         mirrors:
         - name: appv2
           percent: 10
@@ -635,3 +746,117 @@ tcp:
         servers:
         - address: "xxx.xxx.xxx.xxx:8080"
 ```
+
+## Configuring UDP Services
+
+### General
+
+Each of the fields of the service section represents a kind of service.
+Which means, that for each specified service, one of the fields, and only one,
+has to be enabled to define what kind of service is created.
+Currently, the two available kinds are `LoadBalancer`, and `Weighted`.
+
+### Servers Load Balancer
+
+The servers load balancer is in charge of balancing the requests between the servers of the same service.
+
+??? example "Declaring a Service with Two Servers -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [udp.services]
+      [udp.services.my-service.loadBalancer]
+        [[udp.services.my-service.loadBalancer.servers]]
+          address = "xx.xx.xx.xx:xx"
+        [[udp.services.my-service.loadBalancer.servers]]
+          address = "xx.xx.xx.xx:xx"
+    ```
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    udp:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+            - address: "xx.xx.xx.xx:xx"
+            - address: "xx.xx.xx.xx:xx"
+    ```
+
+#### Servers
+
+The Servers field defines all the servers that are part of this load-balancing group,
+i.e. each address (IP:Port) on which an instance of the service's program is deployed.
+
+??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [udp.services]
+      [udp.services.my-service.loadBalancer]
+        [[udp.services.my-service.loadBalancer.servers]]
+          address = "xx.xx.xx.xx:xx"
+    ```
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    udp:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+              - address: "xx.xx.xx.xx:xx"
+    ```
+
+### Weighted Round Robin
+
+The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of balancing the requests between multiple services based on provided weights.
+
+This strategy is only available to load balance between [services](./index.md) and not between [servers](./index.md#servers).
+
+This strategy can only be defined with [File](../../providers/file.md).
+
+```toml tab="TOML"
+## Dynamic configuration
+[udp.services]
+  [udp.services.app]
+    [[udp.services.app.weighted.services]]
+      name = "appv1"
+      weight = 3
+    [[udp.services.app.weighted.services]]
+      name = "appv2"
+      weight = 1
+
+  [udp.services.appv1]
+    [udp.services.appv1.loadBalancer]
+      [[udp.services.appv1.loadBalancer.servers]]
+        address = "private-ip-server-1:8080/"
+
+  [udp.services.appv2]
+    [udp.services.appv2.loadBalancer]
+      [[udp.services.appv2.loadBalancer.servers]]
+        address = "private-ip-server-2:8080/"
+```
+
+```yaml tab="YAML"
+## Dynamic configuration
+udp:
+  services:
+    app:
+      weighted:
+        services:
+        - name: appv1
+          weight: 3
+        - name: appv2
+          weight: 1
+
+    appv1:
+      loadBalancer:
+        servers:
+        - address: "xxx.xxx.xxx.xxx:8080"
+
+    appv2:
+      loadBalancer:
+        servers:
+        - address: "xxx.xxx.xxx.xxx:8080"
+```

docs/content/user-guides/crd-acme/03-deployments.yml

@@ -26,19 +26,19 @@ spec:
       serviceAccountName: traefik-ingress-controller
       containers:
         - name: traefik
-          image: traefik:v2.0
+          image: traefik:v2.2
           args:
             - --api.insecure
             - --accesslog
             - --entrypoints.web.Address=:8000
             - --entrypoints.websecure.Address=:4443
             - --providers.kubernetescrd
-            - --certificatesresolvers.default.acme.tlschallenge
+            - --certificatesresolvers.myresolver.acme.tlschallenge
-            - --certificatesresolvers.default.acme.email=foo@you.com
+            - --certificatesresolvers.myresolver.acme.email=foo@you.com
-            - --certificatesresolvers.default.acme.storage=acme.json
+            - --certificatesresolvers.myresolver.acme.storage=acme.json
             # Please note that this is the staging Let's Encrypt server.
             # Once you get things working, you should remove that whole line altogether.
-            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+            - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
           ports:
             - name: web
               containerPort: 8000

docs/content/user-guides/crd-acme/04-ingressroutes.yml

@@ -7,7 +7,7 @@ spec:
   entryPoints:
     - web
   routes:
-  - match: Host(`your.domain.com`) && PathPrefix(`/notls`)
+  - match: Host(`your.example.com`) && PathPrefix(`/notls`)
     kind: Rule
     services:
     - name: whoami
@@ -23,10 +23,10 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`your.domain.com`) && PathPrefix(`/tls`)
+  - match: Host(`your.example.com`) && PathPrefix(`/tls`)
     kind: Rule
     services:
     - name: whoami
       port: 80
   tls:
-    certResolver: default
+    certResolver: myresolver

docs/content/user-guides/crd-acme/index.md

@@ -43,7 +43,10 @@ First, the definition of the `IngressRoute` and the `Middleware` kinds.
 Also note the RBAC authorization resources; they'll be referenced through the `serviceAccountName` of the deployment, later on.
 
 ```yaml
---8<-- "content/user-guides/crd-acme/01-crd.yml"
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+
+---
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
 ```
 
 ### Services
@@ -94,11 +97,11 @@ Give it a few seconds for the ACME TLS challenge to complete, and you should the
 Both with or (just for fun, do not do that in production) without TLS:
 
 ```bash
-curl [-k] https://your.domain.com/tls
+curl [-k] https://your.example.com/tls
 ```
 
 ```bash
-curl [-k] http://your.domain.com:8000/notls
+curl http://your.example.com:8000/notls
 ```
 
 Note that you'll have to use `-k` as long as you're using the staging server of Let's Encrypt, since it is not an authorized certificate authority on systems where it hasn't been manually added.

docs/content/user-guides/crd-acme/k3s.yml

@@ -1,5 +1,5 @@
 server:
-  image: rancher/k3s:v0.8.0
+  image: rancher/k3s:v1.17.2-k3s1
   command: server --disable-agent --no-deploy traefik
   environment:
     - K3S_CLUSTER_SECRET=somethingtotallyrandom
@@ -17,7 +17,7 @@ server:
     - 6443:6443
 
 node:
-  image: rancher/k3s:v0.8.0
+  image: rancher/k3s:v1.17.2-k3s1
   privileged: true
   links:
     - server
@@ -26,5 +26,5 @@ node:
     - K3S_CLUSTER_SECRET=somethingtotallyrandom
   volumes:
     # this is where you would place a alternative traefik image (saved as a .tar file with
-    # 'docker save'), if you want to use it, instead of the traefik:v2.0 image.
+    # 'docker save'), if you want to use it, instead of the traefik:v2.2 image.
     - /sowewhere/on/your/host/custom-image:/var/lib/rancher/k3s/agent/images

docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.0.0-rc3"
+    image: "traefik:v2.2"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
@@ -12,11 +12,11 @@ services:
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
-      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge=true"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
-      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=ovh"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
-      #- "--certificatesresolvers.mydnschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-      - "--certificatesresolvers.mydnschallenge.acme.email=postmaster@mydomain.com"
+      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
-      - "--certificatesresolvers.mydnschallenge.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
     ports:
       - "80:80"
       - "443:443"
@@ -35,6 +35,6 @@ services:
     container_name: "simple-service"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
       - "traefik.http.routers.whoami.entrypoints=websecure"
-      - "traefik.http.routers.whoami.tls.certresolver=mydnschallenge"
+      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml

@@ -13,7 +13,7 @@ secrets:
 services:
 
   traefik:
-    image: "traefik:v2.0.0-rc3"
+    image: "traefik:v2.2"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
@@ -22,11 +22,11 @@ services:
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
-      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge=true"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
-      - "--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=ovh"
+      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
-      #- "--certificatesresolvers.mydnschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-      - "--certificatesresolvers.mydnschallenge.acme.email=postmaster@mydomain.com"
+      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
-      - "--certificatesresolvers.mydnschallenge.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
     ports:
       - "80:80"
       - "443:443"
@@ -50,6 +50,6 @@ services:
     container_name: "simple-service"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
       - "traefik.http.routers.whoami.entrypoints=websecure"
-      - "traefik.http.routers.whoami.tls.certresolver=mydnschallenge"
+      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

docs/content/user-guides/docker-compose/acme-dns/index.md

@@ -7,7 +7,7 @@ Please also read the [basic example](../basic-example) for details on how to exp
 
 For the DNS challenge, you'll need:
 
-- A working [provider](https://docs.traefik.io/v2.0/https/acme/#providers) along with the credentials allowing to create and remove DNS records.  
+- A working [provider](../../../https/acme.md#providers) along with the credentials allowing to create and remove DNS records.  
 
 !!! info "Variables may vary depending on the Provider."
 	 Please note this guide may vary depending on the provider you use.
@@ -32,13 +32,13 @@ For the DNS challenge, you'll need:
       - "OVH_CONSUMER_KEY=[YOUR_OWN_VALUE]"
     ```
 
-- Replace `postmaster@mydomain.com` by your **own email** within the `certificatesresolvers.mydnschallenge.acme.email` command line argument of the `traefik` service.
+- Replace `postmaster@example.com` by your **own email** within the `certificatesresolvers.myresolver.acme.email` command line argument of the `traefik` service.
-- Replace `whoami.mydomain.com` by your **own domain** within the `traefik.http.routers.whoami.rule` label of the `whoami` service.
+- Replace `whoami.example.com` by your **own domain** within the `traefik.http.routers.whoami.rule` label of the `whoami` service.
 - Optionally uncomment the following lines if you want to test/debug: 
 
 	```yaml
 	#- "--log.level=DEBUG"
-	#- "--certificatesresolvers.mydnschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+	#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
 	```
 
 - Run `docker-compose up -d` within the folder where you created the previous file.
@@ -68,12 +68,12 @@ ports:
 
 ```yaml
 command:
-  # Enable a dns challenge named "mydnschallenge"
+  # Enable a dns challenge named "myresolver"
-  - "--certificatesresolvers.mydnschallenge.acme.dnschallenge=true"
+  - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
   # Tell which provider to use
-  - "--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=ovh"
+  - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
   # The email to provide to let's encrypt
-  - "--certificatesresolvers.mydnschallenge.acme.email=postmaster@mydomain.com"
+  - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
 ```
 
 - We provide the required configuration to our provider via environment variables: 
@@ -101,14 +101,14 @@ volumes:
 
 command:
   # Tell to store the certificate on a path under our volume
-  - "--certificatesresolvers.mydnschallenge.acme.storage=/letsencrypt/acme.json"
+  - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
 ```
 
-- We configure the `whoami` service to tell Traefik to use the certificate resolver named `mydnschallenge` we just configured:
+- We configure the `whoami` service to tell Traefik to use the certificate resolver named `myresolver` we just configured:
 
 ```yaml
 labels:
-	- "traefik.http.routers.whoami.tls.certresolver=mydnschallenge" # Uses the Host rule to define which certificate to issue
+	- "traefik.http.routers.whoami.tls.certresolver=myresolver" # Uses the Host rule to define which certificate to issue
 ```
 
 ## Use Secrets
@@ -141,7 +141,7 @@ The point is to manage those secret files by another mean, and read them from th
 
 !!! Note
 
-    Still think about changing `postmaster@mydomain.com` & `whoami.mydomain.com` by your own values.
+    Still think about changing `postmaster@example.com` & `whoami.example.com` by your own values.
 
 Let's explain a bit what we just did:
 

docs/content/user-guides/docker-compose/acme-http/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.0.0-rc3"
+    image: "traefik:v2.2"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
@@ -12,11 +12,11 @@ services:
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
-      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
-      - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
-      #- "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-      - "--certificatesresolvers.myhttpchallenge.acme.email=postmaster@mydomain.com"
+      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
-      - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
     ports:
       - "80:80"
       - "443:443"
@@ -30,6 +30,6 @@ services:
     container_name: "simple-service"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
       - "traefik.http.routers.whoami.entrypoints=websecure"
-      - "traefik.http.routers.whoami.tls.certresolver=myhttpchallenge"
+      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

docs/content/user-guides/docker-compose/acme-http/index.md

@@ -18,13 +18,13 @@ For the HTTP challenge you will need:
 --8<-- "content/user-guides/docker-compose/acme-http/docker-compose.yml"
 ```
 
-- Replace `postmaster@mydomain.com` by your **own email** within the `certificatesresolvers.myhttpchallenge.acme.email` command line argument of the `traefik` service.
+- Replace `postmaster@example.com` by your **own email** within the `certificatesresolvers.myresolver.acme.email` command line argument of the `traefik` service.
-- Replace `whoami.mydomain.com` by your **own domain** within the `traefik.http.routers.whoami.rule` label of the `whoami` service.
+- Replace `whoami.example.com` by your **own domain** within the `traefik.http.routers.whoami.rule` label of the `whoami` service.
 - Optionally uncomment the following lines if you want to test/debug:
 
 	```yaml
 	#- "--log.level=DEBUG"
-	#- "--certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+	#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
 	```
 
 - Run `docker-compose up -d` within the folder where you created the previous file.
@@ -54,12 +54,12 @@ ports:
 
 ```yaml
 command:
-  # Enable a http challenge named "myhttpchallenge"
+  # Enable a http challenge named "myresolver"
-  - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
+  - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
   # Tell it to use our predefined entrypoint named "web"
-  - "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
+  - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
   # The email to provide to let's encrypt
-  - "--certificatesresolvers.myhttpchallenge.acme.email=postmaster@mydomain.com"
+  - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
 ```
 
 - We add a volume to store our certificates:
@@ -71,13 +71,13 @@ volumes:
 
 command:
   # Tell to store the certificate on a path under our volume
-  - "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
+  - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
 ```
 
-- We configure the `whoami` service to tell Traefik to use the certificate resolver named `myhttpchallenge` we just configured:
+- We configure the `whoami` service to tell Traefik to use the certificate resolver named `myresolver` we just configured:
 
 ```yaml
 labels:
   # Uses the Host rule to define which certificate to issue
-  - "traefik.http.routers.whoami.tls.certresolver=myhttpchallenge"
+  - "traefik.http.routers.whoami.tls.certresolver=myresolver"
 ```

docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.0.0-rc3"
+    image: "traefik:v2.2"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"
@@ -11,10 +11,10 @@ services:
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.websecure.address=:443"
-      - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
+      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
-      #- "--certificatesresolvers.mytlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-      - "--certificatesresolvers.mytlschallenge.acme.email=postmaster@mydomain.com"
+      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
-      - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
     ports:
       - "443:443"
       - "8080:8080"
@@ -27,6 +27,6 @@ services:
     container_name: "simple-service"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
       - "traefik.http.routers.whoami.entrypoints=websecure"
-      - "traefik.http.routers.whoami.tls.certresolver=mytlschallenge"
+      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

docs/content/user-guides/docker-compose/acme-tls/index.md

@@ -18,13 +18,13 @@ For the TLS challenge you will need:
 --8<-- "content/user-guides/docker-compose/acme-tls/docker-compose.yml"
 ```
 
-- Replace `postmaster@mydomain.com` by your **own email** within the `certificatesresolvers.mytlschallenge.acme.email` command line argument of the `traefik` service.
+- Replace `postmaster@example.com` by your **own email** within the `certificatesresolvers.myresolver.acme.email` command line argument of the `traefik` service.
-- Replace `whoami.mydomain.com` by your **own domain** within the `traefik.http.routers.whoami.rule` label of the `whoami` service.
+- Replace `whoami.example.com` by your **own domain** within the `traefik.http.routers.whoami.rule` label of the `whoami` service.
 - Optionally uncomment the following lines if you want to test/debug:
 
 	```yaml
 	#- "--log.level=DEBUG"
-	#- "--certificatesresolvers.mytlschallenge.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+	#- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
 	```
 
 - Run `docker-compose up -d` within the folder where you created the previous file.
@@ -54,8 +54,8 @@ ports:
 
 ```yaml
 command:
-  # Enable a tls challenge named "mytlschallenge"
+  # Enable a tls challenge named "myresolver"
-  - "--certificatesresolvers.mytlschallenge.acme.tlschallenge=true"
+  - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
 ```
 
 - We add a volume to store our certificates:
@@ -67,13 +67,13 @@ volumes:
 
 command:
   # Tell to store the certificate on a path under our volume
-  - "--certificatesresolvers.mytlschallenge.acme.storage=/letsencrypt/acme.json"
+  - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
 ```
 
-- We configure the `whoami` service to tell Traefik to use the certificate resolver named `mytlschallenge` we just configured:
+- We configure the `whoami` service to tell Traefik to use the certificate resolver named `myresolver` we just configured:
 
 ```yaml
 labels:
   # Uses the Host rule to define which certificate to issue
-  - "traefik.http.routers.whoami.tls.certresolver=mytlschallenge"
+  - "traefik.http.routers.whoami.tls.certresolver=myresolver"
 ```

docs/content/user-guides/docker-compose/basic-example/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.0.0-rc3"
+    image: "traefik:v2.2"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"