Prepare release v2.5.0

Update Go version to v1.17
Fix dashboard title for TCP middlewares
2025-09-06 05:44:21 +03:00 · 2021-08-17 18:04:05 +02:00 · 2021-08-17 17:20:12 +02:00 · 2021-08-17 15:02:15 +02:00 · 2021-08-17 10:05:22 +02:00 · 2021-08-16 17:26:14 +02:00
1071 changed files with 70179 additions and 32068 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,24 +0,0 @@
-provider/kubernetes/**  @containous/kubernetes
-provider/rancher/**     @containous/rancher
-provider/marathon/**    @containous/marathon
-provider/docker/**      @containous/docker
-
-docs/user-guide/kubernetes.md       @containous/kubernetes
-docs/user-guide/marathon.md         @containous/marathon
-docs/user-guide/swarm.md            @containous/docker
-docs/user-guide/swarm-mode.md       @containous/docker
-
-docs/configuration/backends/docker.md       @containous/docker
-docs/configuration/backends/kubernetes.md   @containous/kubernetes
-docs/configuration/backends/marathon.md     @containous/marathon
-docs/configuration/backends/rancher.md      @containous/rancher
-
-examples/k8s/                   @containous/kubernetes
-examples/compose-k8s.yaml       @containous/kubernetes
-examples/k8s.namespace.yaml     @containous/kubernetes
-examples/compose-rancher.yml    @containous/rancher
-examples/compose-marathon.yml   @containous/marathon
-
-vendor/github.com/gambol99/go-marathon  @containous/marathon
-vendor/github.com/rancher               @containous/rancher
-vendor/k8s.io/                          @containous/kubernetes
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -17,7 +17,7 @@ Bug
 <!--

 The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.

 -->

--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -1,82 +0,0 @@
---
-name: Bug report
-about: Create a report to help us improve
-
---
-<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
- the Traefik community forum: https://community.containo.us/
-
-->
-
-Bug
-
-<!--
-
-The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
-
-->
-
-### What did you do?
-
-<!--
-
-HOW TO WRITE A GOOD BUG REPORT?
-
- Respect the issue template as much as possible.
- The title should be short and descriptive.
- Explain the conditions which led you to report this issue: the context.
- The context should lead to something, an idea or a problem that you’re facing.
- Remain clear and concise.
- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
-->
-
-### What did you expect to see?
-
-
-
-### What did you see instead?
-
-
-
-### Output of `traefik version`: (_What version of Traefik are you using?_)
-
-<!--
-`latest` is not considered as a valid version.
-
-For the Traefik Docker image:
-    docker run [IMAGE] version
-    ex: docker run traefik version
-
-->
-
-```
-(paste your output here)
-```
-
-### What is your environment & configuration (arguments, toml, provider, platform, ...)?
-
-```toml
-# (paste your configuration here)
-```
-
-<!--
-Add more configuration information here.
-->
-
-
-### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
-
-```
-(paste your output here)
-```
--- a/.github/ISSUE_TEMPLATE/Feature_request.md
+++ b/.github/ISSUE_TEMPLATE/Feature_request.md
@@ -1,35 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-
---
-<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
- the Traefik community forum: https://community.containo.us/
-
-->
-
-Feature
-
-### What did you expect to see?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
- Respect the issue template as much as possible.
- The title should be short and descriptive.
- Explain the conditions which led you to report this issue: the context.
- The context should lead to something, an idea or a problem that you’re facing.
- Remain clear and concise.
- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
-->
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,80 @@
+name: Bug Report (Traefik)
+description: Create a report to help us improve.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
+        - the Traefik community forum: https://community.containo.us/
+
+        The configurations between 1.X and 2.X are NOT compatible. Please have a look [here](https://doc.traefik.io/traefik/getting-started/configuration-overview/).
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you do?
+      description: |
+        How to write a good bug report?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you do?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What did you see instead?
+      placeholder: What did you see instead?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What version of Traefik are you using?
+      description: |
+        `latest` is not considered as a valid version.
+
+        Output of `traefik version`.
+
+        For the Traefik Docker image (`docker run [IMAGE] version`), example:
+        ```console
+        $ docker run traefik version
+        ```
+      placeholder: Paste your output here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What is your environment & configuration?
+      description: arguments, toml, provider, platform, ...
+      placeholder: Add information here.
+      value: |
+        ```yaml
+        # (paste your configuration here)
+        ```
+
+        Add more configuration information here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: If applicable, please paste the log output in DEBUG level
+      description: "`--log.level=DEBUG` switch."
+      placeholder: Paste your output here.
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Traefik Community Support
+    url: https://community.traefik.io/
+    about: If you have a question, or are looking for advice, please post on our Discuss forum! The community loves to chime in to help. Happy Coding!
+  - name: Traefik Helm Chart Issues
+    url: https://github.com/traefik/traefik-helm-chart
+    about: Are you submitting an issue or feature enhancement for the Traefik helm chart? Please post in the traefik-helm-chart GitHub Issues.
--- a/.github/ISSUE_TEMPLATE/feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/feature-request.yml
@@ -0,0 +1,33 @@
+name: Feature Request (Traefik)
+description: Suggest an idea for this project.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
+        - the Traefik community forum: https://community.containo.us/
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you expect to see?
+      description: |
+        How to write a good issue?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you expect to see?
+    validations:
+      required: true
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,17 +3,17 @@ PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.2
+- for Traefik v2: use branch v2.5

 Bug fixes:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.2
+- for Traefik v2: use branch v2.5

 Enhancements:
 - for Traefik v1: we only accept bug fixes
 - for Traefik v2: use branch master

-HOW TO WRITE A GOOD PULL REQUEST? https://docs.traefik.io/contributing/submitting-pull-requests/
+HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/

 -->

--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,82 @@
+name: Build Binaries
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.17
+  CGO_ENABLED: 0
+  PRE_TARGET: ""
+
+jobs:
+
+  build-webui:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Build webui
+        run: |
+          make generate-webui
+          tar czvf webui.tar.gz ./static/
+
+      - name: Artifact webui
+        uses: actions/upload-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: webui.tar.gz
+
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ ubuntu-20.04, macos-latest, windows-latest ]
+    needs:
+      - build-webui
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+            ~/Library/Caches/go-build
+            '%LocalAppData%\go-build'
+          key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-build-go-
+
+      - name: Installing dependencies
+        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+      - name: Untar webui
+        run: tar xvf webui.tar.gz
+
+      - name: Build
+        run: make binary
--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -0,0 +1,21 @@
+name: Check Documentation
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+
+  docs:
+    name: Check, verify and build documentation
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Check documentation
+        run: make docs-pull-images docs
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -0,0 +1,52 @@
+name: Build and Publish Documentation
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+env:
+  STRUCTOR_VERSION: v1.11.2
+  MIXTUS_VERSION: v0.4.1
+
+jobs:
+
+  docs:
+    name: Doc Process
+    runs-on: ubuntu-20.04
+    if: github.repository == 'traefik/traefik'
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Install Structor ${{ env.STRUCTOR_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | sh -s -- -b $HOME/bin ${STRUCTOR_VERSION}
+
+      - name: Install Seo-doc
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/seo-doc/master/godownloader.sh | sh -s -- -b "${HOME}/bin"
+
+      - name: Install Mixtus ${{ env.MIXTUS_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
+
+      - name: Build documentation
+        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
+        env:
+          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
+
+      - name: Apply seo
+        run: $HOME/bin/seo -path=./site
+
+      - name: Publish documentation
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -0,0 +1,46 @@
+name: Test Unit
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.17
+  PRE_TARGET: ""
+
+jobs:
+
+  test-unit:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-test-unit-go-
+
+      - name: Installing dependencies
+        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+
+      - name: Tests
+        run: make test-unit
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -0,0 +1,100 @@
+name: Validate
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.17
+  GOLANGCI_LINT_VERSION: v1.41.1
+  MISSSPELL_VERSION: v0.3.4
+  PRE_TARGET: ""
+
+jobs:
+
+  validate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-go-
+
+      - name: Installing dependencies
+        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+
+      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
+
+      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+
+      - name: Validate
+        run: make validate
+
+  validate-generate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-generate-go-
+
+      - name: Installing dependencies
+        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+
+      - name: go generate
+        run: |
+          go generate
+          git diff --exit-code
+
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          git diff --exit-code
+
+      - name: make generate-crd
+        run: |
+          make generate-crd
+          git diff --exit-code
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,6 @@
 *.exe
 cover.out
 vendor/
+plugins-storage/
+plugins-local/
+traefik_changelog.md
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -30,30 +30,75 @@
    lines = 230 # default 60
    statements = 120 # default 40

+  [linters-settings.forbidigo]
+    forbid = [
+      '^print(ln)?$',
+      '^spew\.Print(f|ln)?$',
+      '^spew\.Dump$',
+    ]
+
+  [linters-settings.depguard]
+    list-type = "blacklist"
+    include-go-root = false
+    packages = ["github.com/pkg/errors"]
+
+  [linters-settings.godox]
+    keywords = ["FIXME"]
+
+  [linters-settings.importas]
+    corev1 = "k8s.io/api/core/v1"
+    networkingv1beta1 = "k8s.io/api/networking/v1beta1"
+    extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
+    metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
+    kubeerror = "k8s.io/apimachinery/pkg/api/errors"
+
+  [linters-settings.gomoddirectives]
+    replace-allow-list = [
+      "github.com/abbot/go-http-auth",
+      "github.com/go-check/check",
+      "github.com/gorilla/mux",
+      "github.com/mailgun/minheap",
+      "github.com/mailgun/multibuf",
+    ]
+
 [linters]
  enable-all = true
  disable = [
+    "scopelint", # Deprecated
+    "interfacer", # Deprecated
+    "maligned", # Deprecated
+    "golint", # Deprecated
+    "sqlclosecheck", # Not relevant (SQL)
+    "rowserrcheck", # Not relevant (SQL)
+    "lll", # Not relevant
    "gocyclo", # FIXME must be fixed
-    "gosec",
-    "dupl",
-    "maligned",
-    "lll",
-    "unparam",
-    "prealloc",
-    "scopelint",
+    "cyclop", # Duplicate of gocyclo
+    "gocognit", # Too strict
+    "nestif", # Too many false-positive.
+    "prealloc", # Too many false-positive.
+    "makezero", # Not relevant
+    "ifshort", # Not relevant
+    "dupl", # Too strict
+    "gosec", # Too strict
    "gochecknoinits",
    "gochecknoglobals",
-    "godox",
-    "gocognit",
-    "bodyclose", # Too many false-positive and panics.
    "wsl", # Too strict
+    "nlreturn", # Not relevant
    "gomnd", # Too strict
    "stylecheck", # skip because report issues related to some generated files.
    "testpackage", # Too strict
+    "tparallel", # Not relevant
+    "paralleltest", # Not relevant
+    "exhaustive", # Not relevant
+    "exhaustivestruct", # Not relevant
    "goerr113", # Too strict
-    "nestif", # Too many false-positive.
+    "wrapcheck", # Too strict
    "noctx", # Too strict
-    "exhaustive", # Too strict
+    "bodyclose", # Too many false-positive and panics.
+    "unparam", # Too strict
+    "godox", # Too strict
+    "forcetypeassert", # Too strict
+    "tagliatelle", # Not compatible with current tags.
  ]

 [issues]
@@ -61,9 +106,14 @@
  max-per-linter = 0
  max-same-issues = 0
  exclude = [
-    "SA1019: http.CloseNotifier is deprecated: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead.", # FIXME must be fixed
    "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
    "should have a package comment, unless it's in another file for this package",
+    "SA1019: http.CloseNotifier has been deprecated",  # FIXME must be fixed
+    "SA1019: cfg.SSLRedirect is deprecated",
+    "SA1019: cfg.SSLTemporaryRedirect is deprecated",
+    "SA1019: cfg.SSLHost is deprecated",
+    "SA1019: cfg.SSLForceHost is deprecated",
+    "SA1019: cfg.FeaturePolicy is deprecated",
  ]
 [[issues.exclude-rules]]
    path = "(.+)_test.go"
@@ -80,18 +130,12 @@
 [[issues.exclude-rules]]
    path = "pkg/h2c/h2c.go"
    text = "Error return value of `rw.Write` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/middlewares/recovery/recovery.go"
-    text = "`logger` can be `github.com/stretchr/testify/assert.TestingT`"
 [[issues.exclude-rules]]
    path = "pkg/provider/docker/builder_test.go"
    text = "(U1000: func )?`(.+)` is unused"
 [[issues.exclude-rules]]
    path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/config/parser/.+_test.go"
-    text = "U1000: field `(foo|fuu)` is unused"
 [[issues.exclude-rules]]
    path = "pkg/server/service/bufferpool.go"
    text = "SA6002: argument should be pointer-like to avoid allocations"
@@ -100,10 +144,7 @@
    text = "string `traefik` has (\\d) occurrences, make it a constant"
 [[issues.exclude-rules]]
    path = "pkg/server/middleware/middlewares.go"
-    text = "Function 'buildConstructor' is too long \\(\\d+ > 230\\)"
- [[issues.exclude-rules]] # FIXME must be fixed
-    path = "cmd/context.go"
-    text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
+    text = "Function 'buildConstructor' has too many statements"
 [[issues.exclude-rules]]
    path = "pkg/tracing/haystack/logger.go"
    linters = ["goprintffuncname"]
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -7,11 +7,11 @@ before:
 builds:
  - binary: traefik

-    main: ./cmd/traefik/traefik.go
+    main: ./cmd/traefik/
    env:
      - CGO_ENABLED=0
    ldflags:
-      - -s -w -X github.com/containous/traefik/v2/pkg/version.Version={{.Version}} -X github.com/containous/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/containous/traefik/v2/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}

    goos:
      - linux
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -0,0 +1,100 @@
+version: v1.0
+name: Traefik
+agent:
+  machine:
+    type: e1-standard-4
+    os_image: ubuntu1804
+
+fail_fast:
+  stop:
+    when: "branch != 'master'"
+
+auto_cancel:
+  queued:
+    when: "branch != 'master'"
+  running:
+    when: "branch != 'master'"
+
+global_job_config:
+  prologue:
+    commands:
+      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
+      - sudo semgo go1.17
+      - export "GOPATH=$(go env GOPATH)"
+      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
+      - export "PATH=${GOPATH}/bin:${PATH}"
+      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
+      - export GOPROXY=https://proxy.golang.org,direct
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.41.1
+      - curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
+      - go install github.com/containous/go-bindata/go-bindata@v1.0.0
+      - checkout
+      - cache restore traefik-$(checksum go.sum)
+
+blocks:
+  - name: Test Integration Container
+    dependencies: []
+    run:
+      when: "branch =~ '.*' OR pull_request =~'.*'"
+    task:
+      jobs:
+        - name: Test Integration Container
+          commands:
+            - make pull-images
+            - mkdir -p static # Avoid to generate webui
+            - PRE_TARGET="" make binary
+            - make test-integration-container
+            - df -h
+      epilogue:
+        always:
+          commands:
+            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
+
+  - name: Test Integration Host
+    dependencies: []
+    run:
+      when: "branch =~ '.*' OR pull_request =~'.*'"
+    task:
+      env_vars:
+        - name: PRE_TARGET
+          value: ""
+      jobs:
+        - name: Test Integration Host
+          commands:
+            - mkdir -p static # Avoid to generate webui
+            - make test-integration-host
+      epilogue:
+        always:
+          commands:
+            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
+
+  - name: Release
+    dependencies: []
+    run:
+      when: "tag =~ '.*'"
+    task:
+      agent:
+        machine:
+          type: e1-standard-8
+          os_image: ubuntu1804
+      secrets:
+        - name: traefik
+      env_vars:
+        - name: GH_VERSION
+          value: 1.12.1
+        - name: CODENAME
+          value: "livarot"
+        - name: PRE_TARGET
+          value: ""
+      prologue:
+        commands:
+          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
+          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
+          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
+          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
+      jobs:
+        - name: Release
+          commands:
+            - make release-packages
+            - gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/traefik*.* --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
+            - ./script/deploy.sh
--- a/.semaphoreci/cleanup.sh
+++ b/.semaphoreci/cleanup.sh
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-sudo rm -rf static
--- a/.semaphoreci/golang.sh
+++ b/.semaphoreci/golang.sh
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-curl -O https://dl.google.com/go/go"${GO_VERSION}".linux-amd64.tar.gz
-
-tar -xvf go"${GO_VERSION}".linux-amd64.tar.gz
-rm -rf go"${GO_VERSION}".linux-amd64.tar.gz
-
-sudo mkdir -p /usr/local/golang/"${GO_VERSION}"/go
-sudo mv go /usr/local/golang/"${GO_VERSION}"/
-
-sudo rm /usr/local/bin/go
-sudo chmod +x /usr/local/golang/"${GO_VERSION}"/go/bin/go
-sudo ln -s /usr/local/golang/"${GO_VERSION}"/go/bin/go /usr/local/bin/go
-
-export GOROOT="/usr/local/golang/${GO_VERSION}/go"
-export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"
-
-go version
--- a/.semaphoreci/job1.sh
+++ b/.semaphoreci/job1.sh
@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-integration; fi
--- a/.semaphoreci/job2.sh
+++ b/.semaphoreci/job2.sh
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-ci_retry make validate
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
-
-if [ -n "$SHOULD_TEST" ]; then make -j"${N_MAKE_JOBS}" crossbinary-default-parallel; fi
--- a/.semaphoreci/setup.sh
+++ b/.semaphoreci/setup.sh
@@ -1,35 +0,0 @@
-# For personnal CI
-# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/containous/
-# cd /home/runner/workspace/src/github.com/containous/traefik/
-for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
-sudo swapoff -a
-sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
-sudo mkswap /swapfile
-sudo swapon /swapfile
-sudo rm -rf /home/runner/.rbenv
-sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
-#export DOCKER_VERSION=18.06.3
-source .semaphoreci/vars
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
-echo ${SHOULD_TEST}
-if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
-echo ${TEMP_STORAGE}
-echo ${SHOULD_TEST}
-#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
-#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
-if [ -n "$SHOULD_TEST" ]; then docker version; fi
-export GO_VERSION=1.13
-if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-#if [ "${GO_VERSION}" == '1.14' ]; then export GO_VERSION=1.14rc2; fi
-echo "Selected Go version: ${GO_VERSION}"
-
-if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
-if [ -f "./.semaphoreci/golang.sh" ]; then export GOROOT="/usr/local/golang/${GO_VERSION}/go"; fi
-if [ -f "./.semaphoreci/golang.sh" ]; then export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"; fi
-go version
-
-if [ -f "./go.mod" ]; then export GO111MODULE=on; fi
-if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
-if [ -f "./go.mod" ]; then go mod download; fi
-
-df
--- a/.semaphoreci/vars
+++ b/.semaphoreci/vars
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-export REPO='containous/traefik'
-
-if VERSION=$(git describe --exact-match --abbrev=0 --tags);
-then
-  export VERSION
-else
-  export VERSION=''
-fi
-
-export CODENAME=chevrotin
-
-export N_MAKE_JOBS=2
-
-
-function ci_retry {
-
-    local NRETRY=3
-    local NSLEEP=5
-    local n=0
-
-    until [ $n -ge $NRETRY ]
-    do
-        "$@" && break
-        n=$((n+1))
-        echo "${*} failed, attempt ${n}/${NRETRY}"
-        sleep $NSLEEP
-    done
-
-    [ $n -lt $NRETRY ]
-
-}
-
-export -f ci_retry
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,60 +0,0 @@
-sudo: required
-dist: trusty
-
-git:
-  depth: false
-
-services:
-  - docker
-
-env:
-  global:
-    - REPO=$TRAVIS_REPO_SLUG
-    - VERSION=$TRAVIS_TAG
-    - CODENAME=chevrotin
-    - GO111MODULE=on
-
-script:
- echo "Skipping tests... (Tests are executed on SemaphoreCI)"
- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs; fi
-
-before_deploy:
-  - >
-    if ! [ "$BEFORE_DEPLOY_RUN" ]; then
-      export BEFORE_DEPLOY_RUN=1;
-      sudo -E apt-get -yq update;
-      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
-      docker version;
-      make build-image;
-      if [ "$TRAVIS_TAG" ]; then
-        make release-packages;
-      fi;
-      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
-      curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b "${GOPATH}/bin" ${MIXTUS_VERSION}
-      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
-      mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik;
-    fi
-
-deploy:
-  - provider: releases
-    api_key: ${GITHUB_TOKEN}
-    file: dist/traefik*
-    skip_cleanup: true
-    file_glob: true
-    on:
-      repo: containous/traefik
-      tags: true
-  - provider: script
-    script: sh script/deploy.sh
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-      tags: true
-  - provider: pages
-    edge: false
-    github_token: ${GITHUB_TOKEN}
-    local_dir: site
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-      all_branches: true
--- a/.travis/traefiker_rsa.enc
+++ b/.travis/traefiker_rsa.enc
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -36,7 +36,7 @@ Representation of a project may be further defined and clarified by project main

 ## Enforcement

-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
 All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
 The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
 Further details of specific enforcement policies may be posted separately.
@@ -48,4 +48,4 @@ Project maintainers who do not follow or enforce the Code of Conduct in good fai
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]

 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,4 +1,9 @@
 # Contributing

- https://docs.traefik.io/contributing/submitting-pull-requests/
- https://docs.traefik.io/contributing/submitting-issues/
+Here are some guidelines that should help to start contributing to the project.
+
+- [Submitting pull Requests](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md)
+- [Submitting issues](https://doc.traefik.io/traefik/contributing/submitting-issues/)
+- [Submitting security issues](docs/content/contributing/submitting-security-issues.md)
+
+If you are willing to become a maintainer of the project, please take a look at the [maintainers guidelines](docs/content/contributing/maintainers-guidelines.md).
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/51
+++ b/51
@@ -7,13 +7,13 @@ SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))

-BIND_DIR := "dist"
+BIND_DIR := dist

 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))

 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
+TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")

 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
@@ -29,7 +29,7 @@ TRAEFIK_ENVS := \
 	-e CI \
 	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.

-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_NON_INTERACTIVE ?= false
 DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
@@ -37,6 +37,8 @@ DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INT

 PRE_TARGET ?= build-dev-image

+PLATFORM_URL := $(if $(PLATFORM_URL),$(PLATFORM_URL),"https://pilot.traefik.io")
+
 default: binary

 ## Build Dev Docker image
@@ -53,26 +55,27 @@ dist:

 ## Build WebUI Docker image
 build-webui-image:
-	docker build -t traefik-webui -f webui/Dockerfile webui
+	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui

 ## Generate WebUI
-generate-webui: build-webui-image
+generate-webui:
 	if [ ! -d "static" ]; then \
+		$(MAKE) build-webui-image; \
 		mkdir -p static; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
-		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
+		echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
 	fi

 ## Build the linux binary
 binary: generate-webui $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary

-## Build the binary for the standard plaforms (linux, darwin, windows)
+## Build the binary for the standard platforms (linux, darwin, windows)
 crossbinary-default: generate-webui build-dev-image
 	$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default

-## Build the binary for the standard plaforms (linux, darwin, windows) in parallel
+## Build the binary for the standard platforms (linux, darwin, windows) in parallel
 crossbinary-default-parallel:
 	$(MAKE) generate-webui
 	$(MAKE) build-dev-image crossbinary-default
@@ -90,8 +93,16 @@ pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull

 ## Run the integration tests
-test-integration: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
+test-integration: $(PRE_TARGET) binary
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
+	TEST_HOST=1 ./script/make.sh test-integration
+
+## Run the container integration tests
+test-integration-container: $(PRE_TARGET) binary
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
+
+## Run the host integration tests
+test-integration-host: $(PRE_TARGET) binary
 	TEST_HOST=1 ./script/make.sh test-integration

 ## Validate code and docs
@@ -121,26 +132,34 @@ shell: build-dev-image
 docs:
 	make -C ./docs docs

-## Serve the documentation site localy
+## Serve the documentation site locally
 docs-serve:
 	make -C ./docs docs-serve

+## Pull image for doc building
+docs-pull-images:
+	make -C ./docs docs-pull-images
+
 ## Generate CRD clientset
 generate-crd:
-	./script/update-generated-crd-code.sh
+	@$(CURDIR)/script/code-gen.sh
+
+## Generate code from dynamic configuration https://github.com/traefik/genconf
+generate-genconf:
+	go run ./cmd/internal/gen/

 ## Create packages for the release
-release-packages: generate-webui build-dev-image
+release-packages: generate-webui $(PRE_TARGET)
 	rm -rf dist
-	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish --timeout="60m"
-	$(DOCKER_RUN_TRAEFIK_NOTTY) tar cfz dist/traefik-${VERSION}.src.tar.gz \
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
 		--exclude .travis \
 		--exclude .semaphoreci \
 		--exclude .github \
 		--exclude dist .
-	$(DOCKER_RUN_TRAEFIK_NOTTY) chown -R $(shell id -u):$(shell id -g) dist/
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/

 ## Format the Code
 fmt:
--- a/README.md
+++ b/README.md
@@ -4,11 +4,10 @@
 </p>

 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](https://goreportcard.com/report/containous/traefik)
-[![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
+[![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
+[![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)


@@ -33,7 +32,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo

 ---

-:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).

 ## Overview

@@ -69,15 +68,15 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t

 ## Supported Backends

- [Docker](https://docs.traefik.io/providers/docker/) / [Swarm mode](https://docs.traefik.io/providers/docker/)
- [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
- [Marathon](https://docs.traefik.io/providers/marathon/)
- [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
- [File](https://docs.traefik.io/providers/file/)
+- [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
+- [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
+- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
+- [File](https://doc.traefik.io/traefik/providers/file/)

 ## Quickstart

-To get your hands on Traefik, you can use the [5-Minute Quickstart](https://docs.traefik.io/getting-started/quick-start/) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://doc.traefik.io/traefik/getting-started/quick-start/) in our documentation (you will need Docker).

 ## Web UI

@@ -87,28 +86,28 @@ You can access the simple HTML frontend of Traefik.

 ## Documentation

-You can find the complete documentation of Traefik v2 at [https://docs.traefik.io](https://docs.traefik.io).
+You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

-If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/).
+If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).

 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).

 ## Support

 To get community support, you can:
- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+- join the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)

-If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.

 ## Download

- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):

 ```shell
 ./traefik --configFile=traefik.toml
 ```

- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):

 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
@@ -117,16 +116,19 @@ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.to
 - Or get the sources:

 ```shell
-git clone https://github.com/containous/traefik
+git clone https://github.com/traefik/traefik
 ```

 ## Introductory Videos

-You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us).
+You can find high level and deep dive videos on [videos.traefik.io](https://videos.traefik.io).

 ## Maintainers

-[Information about process and maintainers](docs/content/contributing/maintainers.md)
+We are strongly promoting a philosophy of openness and sharing, and firmly standing against the elitist closed approach. Being part of the core team should be accessible to anyone who is motivated and want to be part of that journey!
+This [document](docs/content/contributing/maintainers-guidelines.md) describes how to be part of the core team as well as various responsibilities and guidelines for Traefik maintainers.
+You can also find more information on our process to review pull requests and manage issues [in this document](docs/content/contributing/maintainers.md).
+

 ## Contributing

@@ -137,7 +139,7 @@ By participating in this project, you agree to abide by its terms.

 ## Release Cycle

- We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
+- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
 - Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
 - Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).

@@ -152,9 +154,9 @@ We use [Semantic Versioning](https://semver.org/).

 ## Credits

-Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the logo ![logo](docs/content/assets/img/traefik.icon.png).
+Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the gopher's logo!.

-Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
+The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.

-Traefik's logo was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
+The gopher's logo of Traefik was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
 The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+We strongly advise you to register your Traefik instances to [Pilot](http://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version.
+You can also join our security mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Supported Versions
+
+- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
+
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
+
+We use [Semantic Versioning](https://semver.org/).
+
+| Version   | Supported          |
+| --------- | ------------------ |
+| `2.2.x`   | :white_check_mark: |
+| `< 2.2.x` | :x:                |
+| `1.7.x`   | :white_check_mark: |
+| `< 1.7.x` | :x:                |
+
+## Reporting a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.14-alpine
+FROM golang:1.17-alpine

 RUN apk --update upgrade \
    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
    && chmod +x /usr/local/bin/go-bindata

 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.28.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.41.1

 # Download misspell binary to bin folder in $GOPATH
 RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
@@ -27,11 +27,11 @@ RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install
 # Download goreleaser binary to bin folder in $GOPATH
 RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh

-WORKDIR /go/src/github.com/containous/traefik
+WORKDIR /go/src/github.com/traefik/traefik

 # Download go modules
 COPY go.mod .
 COPY go.sum .
 RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download

-COPY . /go/src/github.com/containous/traefik
+COPY . /go/src/github.com/traefik/traefik
--- a/cmd/configuration.go
+++ b/cmd/configuration.go
@@ -3,8 +3,8 @@ package cmd
 import (
 	"time"

-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/types"
+	ptypes "github.com/traefik/paerser/types"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )

 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
@@ -23,7 +23,7 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			},
 			EntryPoints: make(static.EntryPoints),
 			Providers: &static.Providers{
-				ProvidersThrottleDuration: types.Duration(2 * time.Second),
+				ProvidersThrottleDuration: ptypes.Duration(2 * time.Second),
 			},
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,
--- a/cmd/context.go
+++ b/cmd/context.go
@@ -1,22 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-)
-
-// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified.
-func ContextWithSignal(ctx context.Context) context.Context {
-	newCtx, cancel := context.WithCancel(ctx)
-	signals := make(chan os.Signal)
-	signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		select {
-		case <-signals:
-			cancel()
-		}
-	}()
-	return newCtx
-}
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -7,8 +7,8 @@ import (
 	"os"
 	"time"

-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )

 // NewCmd builds a new HealthCheck command.
--- a/cmd/internal/gen/centrifuge.go
+++ b/cmd/internal/gen/centrifuge.go
@@ -0,0 +1,347 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/format"
+	"go/importer"
+	"go/token"
+	"go/types"
+	"io"
+	"log"
+	"os"
+	"path"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"strings"
+
+	"golang.org/x/tools/imports"
+)
+
+// File a kind of AST element that represents a file.
+type File struct {
+	Package  string
+	Imports  []string
+	Elements []Element
+}
+
+// Element is a simplified version of a symbol.
+type Element struct {
+	Name  string
+	Value string
+}
+
+// Centrifuge a centrifuge.
+// Generate Go Structures from Go structures.
+type Centrifuge struct {
+	IncludedImports []string
+	ExcludedTypes   []string
+	ExcludedFiles   []string
+
+	TypeCleaner    func(types.Type, string) string
+	PackageCleaner func(string) string
+
+	rootPkg string
+	fileSet *token.FileSet
+	pkg     *types.Package
+}
+
+// NewCentrifuge creates a new Centrifuge.
+func NewCentrifuge(rootPkg string) (*Centrifuge, error) {
+	fileSet := token.NewFileSet()
+
+	pkg, err := importer.ForCompiler(fileSet, "source", nil).Import(rootPkg)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Centrifuge{
+		fileSet: fileSet,
+		pkg:     pkg,
+		rootPkg: rootPkg,
+
+		TypeCleaner: func(typ types.Type, _ string) string {
+			return typ.String()
+		},
+		PackageCleaner: func(s string) string {
+			return s
+		},
+	}, nil
+}
+
+// Run runs the code extraction and the code generation.
+func (c Centrifuge) Run(dest string, pkgName string) error {
+	files, err := c.run(c.pkg.Scope(), c.rootPkg, pkgName)
+	if err != nil {
+		return err
+	}
+
+	err = fileWriter{baseDir: dest}.Write(files)
+	if err != nil {
+		return err
+	}
+
+	for _, p := range c.pkg.Imports() {
+		if contains(c.IncludedImports, p.Path()) {
+			fls, err := c.run(p.Scope(), p.Path(), p.Name())
+			if err != nil {
+				return err
+			}
+
+			err = fileWriter{baseDir: filepath.Join(dest, p.Name())}.Write(fls)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return err
+}
+
+func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) (map[string]*File, error) {
+	files := map[string]*File{}
+
+	for _, name := range sc.Names() {
+		if contains(c.ExcludedTypes, name) {
+			continue
+		}
+
+		o := sc.Lookup(name)
+		if !o.Exported() {
+			continue
+		}
+
+		filename := filepath.Base(c.fileSet.File(o.Pos()).Name())
+		if contains(c.ExcludedFiles, path.Join(rootPkg, filename)) {
+			continue
+		}
+
+		fl, ok := files[filename]
+		if !ok {
+			files[filename] = &File{Package: pkgName}
+			fl = files[filename]
+		}
+
+		elt := Element{
+			Name: name,
+		}
+
+		switch ob := o.(type) {
+		case *types.TypeName:
+
+			switch obj := ob.Type().(*types.Named).Underlying().(type) {
+			case *types.Struct:
+				elt.Value = c.writeStruct(name, obj, rootPkg, fl)
+
+			case *types.Map:
+				elt.Value = fmt.Sprintf("type %s map[%s]%s\n", name, obj.Key().String(), c.TypeCleaner(obj.Elem(), rootPkg))
+
+			case *types.Slice:
+				elt.Value = fmt.Sprintf("type %s []%v\n", name, c.TypeCleaner(obj.Elem(), rootPkg))
+
+			case *types.Basic:
+				elt.Value = fmt.Sprintf("type %s %v\n", name, obj.Name())
+
+			default:
+				log.Printf("OTHER TYPE::: %s %T\n", name, o.Type().(*types.Named).Underlying())
+				continue
+			}
+
+		default:
+			log.Printf("OTHER::: %s %T\n", name, o)
+			continue
+		}
+
+		if len(elt.Value) > 0 {
+			fl.Elements = append(fl.Elements, elt)
+		}
+	}
+
+	return files, nil
+}
+
+func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string, elt *File) string {
+	b := strings.Builder{}
+	b.WriteString(fmt.Sprintf("type %s struct {\n", name))
+
+	for i := 0; i < obj.NumFields(); i++ {
+		field := obj.Field(i)
+
+		if !field.Exported() {
+			continue
+		}
+
+		fPkg := c.PackageCleaner(extractPackage(field.Type()))
+		if fPkg != "" && fPkg != rootPkg {
+			elt.Imports = append(elt.Imports, fPkg)
+		}
+
+		fType := c.TypeCleaner(field.Type(), rootPkg)
+
+		if field.Embedded() {
+			b.WriteString(fmt.Sprintf("\t%s\n", fType))
+			continue
+		}
+
+		values, ok := lookupTagValue(obj.Tag(i), "json")
+		if len(values) > 0 && values[0] == "-" {
+			continue
+		}
+
+		b.WriteString(fmt.Sprintf("\t%s %s", field.Name(), fType))
+
+		if ok {
+			b.WriteString(fmt.Sprintf(" `json:\"%s\"`", strings.Join(values, ",")))
+		}
+
+		b.WriteString("\n")
+	}
+
+	b.WriteString("}\n")
+
+	return b.String()
+}
+
+func lookupTagValue(raw, key string) ([]string, bool) {
+	value, ok := reflect.StructTag(raw).Lookup(key)
+	if !ok {
+		return nil, ok
+	}
+
+	values := strings.Split(value, ",")
+
+	if len(values) < 1 {
+		return nil, true
+	}
+
+	return values, true
+}
+
+func extractPackage(t types.Type) string {
+	switch tu := t.(type) {
+	case *types.Named:
+		return tu.Obj().Pkg().Path()
+
+	case *types.Slice:
+		if v, ok := tu.Elem().(*types.Named); ok {
+			return v.Obj().Pkg().Path()
+		}
+		return ""
+
+	case *types.Map:
+		if v, ok := tu.Elem().(*types.Named); ok {
+			return v.Obj().Pkg().Path()
+		}
+		return ""
+
+	case *types.Pointer:
+		return extractPackage(tu.Elem())
+
+	default:
+		return ""
+	}
+}
+
+func contains(values []string, value string) bool {
+	for _, val := range values {
+		if val == value {
+			return true
+		}
+	}
+
+	return false
+}
+
+type fileWriter struct {
+	baseDir string
+}
+
+func (f fileWriter) Write(files map[string]*File) error {
+	err := os.MkdirAll(f.baseDir, 0755)
+	if err != nil {
+		return err
+	}
+
+	for name, file := range files {
+		err = f.writeFile(name, file)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (f fileWriter) writeFile(name string, desc *File) error {
+	if len(desc.Elements) == 0 {
+		return nil
+	}
+
+	filename := filepath.Join(f.baseDir, name)
+
+	file, err := os.Create(filename)
+	if err != nil {
+		return fmt.Errorf("failed to create file: %w", err)
+	}
+
+	defer func() { _ = file.Close() }()
+
+	b := bytes.NewBufferString("package ")
+	b.WriteString(desc.Package)
+	b.WriteString("\n")
+	b.WriteString("// Code generated by centrifuge. DO NOT EDIT.\n")
+
+	b.WriteString("\n")
+	f.writeImports(b, desc.Imports)
+	b.WriteString("\n")
+
+	for _, elt := range desc.Elements {
+		b.WriteString(elt.Value)
+		b.WriteString("\n")
+	}
+
+	// gofmt
+	source, err := format.Source(b.Bytes())
+	if err != nil {
+		log.Println(b.String())
+		return fmt.Errorf("failed to format sources: %w", err)
+	}
+
+	// goimports
+	process, err := imports.Process(filename, source, nil)
+	if err != nil {
+		log.Println(string(source))
+		return fmt.Errorf("failed to format imports: %w", err)
+	}
+
+	_, err = file.Write(process)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (f fileWriter) writeImports(b io.StringWriter, imports []string) {
+	if len(imports) == 0 {
+		return
+	}
+
+	uniq := map[string]struct{}{}
+
+	sort.Strings(imports)
+
+	_, _ = b.WriteString("import (\n")
+	for _, s := range imports {
+		if _, exist := uniq[s]; exist {
+			continue
+		}
+
+		uniq[s] = struct{}{}
+
+		_, _ = b.WriteString(fmt.Sprintf(`	"%s"`+"\n", s))
+	}
+
+	_, _ = b.WriteString(")\n")
+}
--- a/cmd/internal/gen/main.go
+++ b/cmd/internal/gen/main.go
@@ -0,0 +1,124 @@
+package main
+
+import (
+	"fmt"
+	"go/build"
+	"go/types"
+	"io/ioutil"
+	"log"
+	"path"
+	"path/filepath"
+	"strings"
+)
+
+const rootPkg = "github.com/traefik/traefik/v2/pkg/config/dynamic"
+
+const (
+	destModuleName = "github.com/traefik/genconf"
+	destPkg        = "dynamic"
+)
+
+const marsh = `package %s
+
+import "encoding/json"
+
+type JSONPayload struct {
+	*Configuration
+}
+
+func (c JSONPayload) MarshalJSON() ([]byte, error) {
+	if c.Configuration == nil {
+		return nil, nil
+	}
+
+	return json.Marshal(c.Configuration)
+}
+`
+
+// main generate Go Structures from Go structures.
+// Allows to create an external module (destModuleName) used by the plugin's providers
+// that contains Go structs of the dynamic configuration and nothing else.
+// These Go structs do not have any non-exported fields and do not rely on any external dependencies.
+func main() {
+	dest := filepath.Join(path.Join(build.Default.GOPATH, "src"), destModuleName, destPkg)
+
+	log.Println("Output:", dest)
+
+	err := run(dest)
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func run(dest string) error {
+	centrifuge, err := NewCentrifuge(rootPkg)
+	if err != nil {
+		return err
+	}
+
+	centrifuge.IncludedImports = []string{
+		"github.com/traefik/traefik/v2/pkg/tls",
+		"github.com/traefik/traefik/v2/pkg/types",
+	}
+
+	centrifuge.ExcludedTypes = []string{
+		// tls
+		"CertificateStore", "Manager",
+		// dynamic
+		"Message", "Configurations",
+		// types
+		"HTTPCodeRanges", "HostResolverConfig",
+	}
+
+	centrifuge.ExcludedFiles = []string{
+		"github.com/traefik/traefik/v2/pkg/types/logs.go",
+		"github.com/traefik/traefik/v2/pkg/types/metrics.go",
+	}
+
+	centrifuge.TypeCleaner = cleanType
+	centrifuge.PackageCleaner = cleanPackage
+
+	err = centrifuge.Run(dest, destPkg)
+	if err != nil {
+		return err
+	}
+
+	return ioutil.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0666)
+}
+
+func cleanType(typ types.Type, base string) string {
+	if typ.String() == "github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+		return "string"
+	}
+
+	if typ.String() == "[]github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+		return "[]string"
+	}
+
+	if typ.String() == "github.com/traefik/paerser/types.Duration" {
+		return "string"
+	}
+
+	if strings.Contains(typ.String(), base) {
+		return strings.ReplaceAll(typ.String(), base+".", "")
+	}
+
+	if strings.Contains(typ.String(), "github.com/traefik/traefik/v2/pkg/") {
+		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v2/pkg/", "")
+	}
+
+	return typ.String()
+}
+
+func cleanPackage(src string) string {
+	switch src {
+	case "github.com/traefik/paerser/types":
+		return ""
+	case "github.com/traefik/traefik/v2/pkg/tls":
+		return path.Join(destModuleName, destPkg, "tls")
+	case "github.com/traefik/traefik/v2/pkg/types":
+		return path.Join(destModuleName, destPkg, "types")
+	default:
+		return src
+	}
+}
--- a/cmd/traefik/plugins.go
+++ b/cmd/traefik/plugins.go
@@ -0,0 +1,88 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/plugins"
+)
+
+const outputDir = "./plugins-storage/"
+
+func createPluginBuilder(staticConfiguration *static.Configuration) (*plugins.Builder, error) {
+	client, plgs, localPlgs, err := initPlugins(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return plugins.NewBuilder(client, plgs, localPlgs)
+}
+
+func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, map[string]plugins.LocalDescriptor, error) {
+	err := checkUniquePluginNames(staticCfg.Experimental)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	var client *plugins.Client
+	plgs := map[string]plugins.Descriptor{}
+
+	if isPilotEnabled(staticCfg) && hasPlugins(staticCfg) {
+		opts := plugins.ClientOptions{
+			Output: outputDir,
+			Token:  staticCfg.Pilot.Token,
+		}
+
+		var err error
+		client, err = plugins.NewClient(opts)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		err = plugins.SetupRemotePlugins(client, staticCfg.Experimental.Plugins)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		plgs = staticCfg.Experimental.Plugins
+	}
+
+	localPlgs := map[string]plugins.LocalDescriptor{}
+
+	if hasLocalPlugins(staticCfg) {
+		err := plugins.SetupLocalPlugins(staticCfg.Experimental.LocalPlugins)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		localPlgs = staticCfg.Experimental.LocalPlugins
+	}
+
+	return client, plgs, localPlgs, nil
+}
+
+func checkUniquePluginNames(e *static.Experimental) error {
+	if e == nil {
+		return nil
+	}
+
+	for s := range e.LocalPlugins {
+		if _, ok := e.Plugins[s]; ok {
+			return fmt.Errorf("the plugin's name %q must be unique", s)
+		}
+	}
+
+	return nil
+}
+
+func isPilotEnabled(staticCfg *static.Configuration) bool {
+	return staticCfg.Pilot != nil && staticCfg.Pilot.Token != ""
+}
+
+func hasPlugins(staticCfg *static.Configuration) bool {
+	return staticCfg.Experimental != nil && len(staticCfg.Experimental.Plugins) > 0
+}
+
+func hasLocalPlugins(staticCfg *static.Configuration) bool {
+	return staticCfg.Experimental != nil && len(staticCfg.Experimental.LocalPlugins) > 0
+}
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -2,39 +2,48 @@ package main

 import (
 	"context"
+	"crypto/x509"
 	"encoding/json"
+	"fmt"
 	stdlog "log"
 	"net/http"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"sort"
 	"strings"
+	"syscall"
 	"time"

-	"github.com/containous/traefik/v2/autogen/genstatic"
-	"github.com/containous/traefik/v2/cmd"
-	"github.com/containous/traefik/v2/cmd/healthcheck"
-	cmdVersion "github.com/containous/traefik/v2/cmd/version"
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/collector"
-	"github.com/containous/traefik/v2/pkg/config/dynamic"
-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/log"
-	"github.com/containous/traefik/v2/pkg/metrics"
-	"github.com/containous/traefik/v2/pkg/middlewares/accesslog"
-	"github.com/containous/traefik/v2/pkg/provider/acme"
-	"github.com/containous/traefik/v2/pkg/provider/aggregator"
-	"github.com/containous/traefik/v2/pkg/provider/traefik"
-	"github.com/containous/traefik/v2/pkg/safe"
-	"github.com/containous/traefik/v2/pkg/server"
-	"github.com/containous/traefik/v2/pkg/server/middleware"
-	"github.com/containous/traefik/v2/pkg/server/service"
-	traefiktls "github.com/containous/traefik/v2/pkg/tls"
-	"github.com/containous/traefik/v2/pkg/types"
-	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
+	"github.com/go-acme/lego/v4/challenge"
+	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/sirupsen/logrus"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/autogen/genstatic"
+	"github.com/traefik/traefik/v2/cmd"
+	"github.com/traefik/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+	tcli "github.com/traefik/traefik/v2/pkg/cli"
+	"github.com/traefik/traefik/v2/pkg/collector"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/metrics"
+	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v2/pkg/pilot"
+	"github.com/traefik/traefik/v2/pkg/provider/acme"
+	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/server"
+	"github.com/traefik/traefik/v2/pkg/server/middleware"
+	"github.com/traefik/traefik/v2/pkg/server/service"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/types"
+	"github.com/traefik/traefik/v2/pkg/version"
 	"github.com/vulcand/oxy/roundrobin"
 )

@@ -42,7 +51,7 @@ func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()

-	loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.FlagLoader{}, &cli.EnvLoader{}}
+	loaders := []cli.ResourceLoader{&tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}

 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -115,7 +124,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		return err
 	}

-	ctx := cmd.ContextWithSignal(context.Background())
+	ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)

 	if staticConfiguration.Ping != nil {
 		staticConfiguration.Ping.WithContext(ctx)
@@ -163,15 +172,30 @@ func runCmd(staticConfiguration *static.Configuration) error {
 func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
 	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)

+	ctx := context.Background()
+	routinesPool := safe.NewPool(ctx)
+
 	// adds internal provider
 	err := providerAggregator.AddProvider(traefik.New(*staticConfiguration))
 	if err != nil {
 		return nil, err
 	}

-	tlsManager := traefiktls.NewManager()
+	// ACME

-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
+	tlsManager := traefiktls.NewManager()
+	httpChallengeProvider := acme.NewChallengeHTTP()
+
+	// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
+	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
+	err = providerAggregator.AddProvider(tlsChallengeProvider)
+	if err != nil {
+		return nil, err
+	}
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
+
+	// Entrypoints

 	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
 	if err != nil {
@@ -183,66 +207,122 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	ctx := context.Background()
-	routinesPool := safe.NewPool(ctx)
+	// Pilot

-	metricsRegistry := registerMetricClients(staticConfiguration.Metrics)
-	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
-	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder)
+	var aviator *pilot.Pilot
+	var pilotRegistry *metrics.PilotRegistry
+	if isPilotEnabled(staticConfiguration) {
+		pilotRegistry = metrics.RegisterPilot()

-	var defaultEntryPoints []string
-	for name, cfg := range staticConfiguration.EntryPoints {
-		protocol, err := cfg.GetProtocol()
+		aviator = pilot.New(staticConfiguration.Pilot.Token, pilotRegistry, routinesPool)
+
+		routinesPool.GoCtx(func(ctx context.Context) {
+			aviator.Tick(ctx)
+		})
+	}
+
+	if staticConfiguration.Pilot != nil {
+		version.PilotEnabled = staticConfiguration.Pilot.Dashboard
+	}
+
+	// Plugins
+
+	pluginBuilder, err := createPluginBuilder(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	// Providers plugins
+
+	for name, conf := range staticConfiguration.Providers.Plugin {
+		p, err := pluginBuilder.BuildProvider(name, conf)
 		if err != nil {
-			// Should never happen because Traefik should not start if protocol is invalid.
-			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+			return nil, fmt.Errorf("plugin: failed to build provider: %w", err)
 		}

-		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
-			defaultEntryPoints = append(defaultEntryPoints, name)
+		err = providerAggregator.AddProvider(p)
+		if err != nil {
+			return nil, fmt.Errorf("plugin: failed to add provider: %w", err)
 		}
 	}

-	sort.Strings(defaultEntryPoints)
+	// Metrics
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	if pilotRegistry != nil {
+		metricRegistries = append(metricRegistries, pilotRegistry)
+	}
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+
+	// Service manager factory
+
+	roundTripperManager := service.NewRoundTripperManager()
+	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)
+
+	// Router factory
+
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)
+
+	// Watcher

 	watcher := server.NewConfigurationWatcher(
 		routinesPool,
 		providerAggregator,
 		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
-		defaultEntryPoints,
+		getDefaultsEntrypoints(staticConfiguration),
+		"internal",
 	)

+	// TLS
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		ctx := context.Background()
 		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
+
+		gauge := metricsRegistry.TLSCertsNotAfterTimestampGauge()
+		for _, certificate := range tlsManager.GetCertificates() {
+			appendCertMetric(gauge, certificate)
+		}
 	})

+	// Metrics
 	watcher.AddListener(func(_ dynamic.Configuration) {
 		metricsRegistry.ConfigReloadsCounter().Add(1)
 		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
 	})

-	watcher.AddListener(switchRouter(routerFactory, acmeProviders, serverEntryPointsTCP, serverEntryPointsUDP))
-
+	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
-		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
-			var eps []string
-			for key := range serverEntryPointsTCP {
-				eps = append(eps, key)
-			}
-
-			metrics.OnConfigurationUpdate(conf, eps)
-		}
+		roundTripperManager.Update(conf.HTTP.ServersTransports)
 	})

+	// Switch router
+	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
+
+	// Metrics
+	if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
+		var eps []string
+		for key := range serverEntryPointsTCP {
+			eps = append(eps, key)
+		}
+		watcher.AddListener(func(conf dynamic.Configuration) {
+			metrics.OnConfigurationUpdate(conf, eps)
+		})
+	}
+
+	// TLS challenge
+	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)
+
+	// ACME
 	resolverNames := map[string]struct{}{}
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}

+	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
 			if rt.TLS == nil || rt.TLS.CertResolver == "" {
@@ -258,63 +338,90 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
 }

-func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints) func(conf dynamic.Configuration) {
-	return func(conf dynamic.Configuration) {
-		routers, udpRouters := routerFactory.CreateRouters(conf)
-		for entryPointName, rt := range routers {
-			for _, p := range acmeProviders {
-				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
-					rt.HTTPHandler(p.CreateHandler(rt.GetHTTPHandler()))
-					break
-				}
-			}
+func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvider http.Handler) http.Handler {
+	var acmeHTTPHandler http.Handler
+	for _, p := range acmeProviders {
+		if p != nil && p.HTTPChallenge != nil {
+			acmeHTTPHandler = httpChallengeProvider
+			break
 		}
+	}
+	return acmeHTTPHandler
+}
+
+func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
+	var defaultEntryPoints []string
+	for name, cfg := range staticConfiguration.EntryPoints {
+		protocol, err := cfg.GetProtocol()
+		if err != nil {
+			// Should never happen because Traefik should not start if protocol is invalid.
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+		}
+
+		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
+			defaultEntryPoints = append(defaultEntryPoints, name)
+		}
+	}
+
+	sort.Strings(defaultEntryPoints)
+	return defaultEntryPoints
+}
+
+func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
+	return func(conf dynamic.Configuration) {
+		rtConf := runtime.NewConfig(conf)
+
+		routers, udpRouters := routerFactory.CreateRouters(rtConf)
+
+		if aviator != nil {
+			aviator.SetDynamicConfiguration(conf)
+		}
+
 		serverEntryPointsTCP.Switch(routers)
 		serverEntryPointsUDP.Switch(udpRouters)
 	}
 }

 // initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
-func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
-	challengeStore := acme.NewLocalChallengeStore()
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}

 	var resolvers []*acme.Provider
 	for name, resolver := range c.CertificatesResolvers {
-		if resolver.ACME != nil {
-			if localStores[resolver.ACME.Storage] == nil {
-				localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
-			}
-
-			p := &acme.Provider{
-				Configuration:  resolver.ACME,
-				Store:          localStores[resolver.ACME.Storage],
-				ChallengeStore: challengeStore,
-				ResolverName:   name,
-			}
-
-			if err := providerAggregator.AddProvider(p); err != nil {
-				log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
-				continue
-			}
-
-			p.SetTLSManager(tlsManager)
-
-			if p.TLSChallenge != nil {
-				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
-			}
-
-			p.SetConfigListenerChan(make(chan dynamic.Configuration))
-
-			resolvers = append(resolvers, p)
+		if resolver.ACME == nil {
+			continue
 		}
+
+		if localStores[resolver.ACME.Storage] == nil {
+			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+		}
+
+		p := &acme.Provider{
+			Configuration:         resolver.ACME,
+			Store:                 localStores[resolver.ACME.Storage],
+			ResolverName:          name,
+			HTTPChallengeProvider: httpChallengeProvider,
+			TLSChallengeProvider:  tlsChallengeProvider,
+		}
+
+		if err := providerAggregator.AddProvider(p); err != nil {
+			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			continue
+		}
+
+		p.SetTLSManager(tlsManager)
+
+		p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
+		resolvers = append(resolvers, p)
 	}
+
 	return resolvers
 }

-func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
+func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
-		return metrics.NewVoidRegistry()
+		return nil
 	}

 	var registries []metrics.Registry
@@ -349,7 +456,21 @@ func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
 			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
 	}

-	return metrics.NewMultiRegistry(registries)
+	return registries
+}
+
+func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
+	sort.Strings(certificate.DNSNames)
+
+	labels := []string{
+		"cn", certificate.Subject.CommonName,
+		"serial", certificate.SerialNumber.String(),
+		"sans", strings.Join(certificate.DNSNames, ","),
+	}
+
+	notAfter := float64(certificate.NotAfter.Unix())
+
+	gauge.With(labels...).Set(notAfter)
 }

 func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
@@ -435,13 +556,13 @@ func stats(staticConfiguration *static.Configuration) {
 		logger.Info(`Stats collection is enabled.`)
 		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
 		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://docs.traefik.io/contributing/data-collection/`)
+		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
 		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/contributing/data-collection/
+More details on: https://doc.traefik.io/traefik/contributing/data-collection/
 `)
 	}
 }
--- a/cmd/traefik/traefik_test.go
+++ b/cmd/traefik/traefik_test.go
@@ -0,0 +1,116 @@
+package main
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"strings"
+	"testing"
+
+	"github.com/go-kit/kit/metrics"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// FooCert is a PEM-encoded TLS cert.
+// generated from src/crypto/tls:
+// go run generate_cert.go  --rsa-bits 1024 --host foo.org,foo.com  --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+const fooCert = `-----BEGIN CERTIFICATE-----
+MIICHzCCAYigAwIBAgIQXQFLeYRwc5X21t457t2xADANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQDCjn67GSs/khuGC4GNN+tVo1S+/eSHwr/hWzhfMqO7nYiXkFzmxi+u14CU
+Pda6WOeps7T2/oQEFMxKKg7zYOqkLSbjbE0ZfosopaTvEsZm/AZHAAvoOrAsIJOn
+SEiwy8h0tLA4z1SNR6rmIVQWyqBZEPAhBTQM1z7tFp48FakCFwIDAQABo3QwcjAO
+BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUDHG3ASzeUezElup9zbPpBn/vjogwGwYDVR0RBBQwEoIH
+Zm9vLm9yZ4IHZm9vLmNvbTANBgkqhkiG9w0BAQsFAAOBgQBT+VLMbB9u27tBX8Aw
+ZrGY3rbNdBGhXVTksrjiF+6ZtDpD3iI56GH9zLxnqvXkgn3u0+Ard5TqF/xmdwVw
+NY0V/aWYfcL2G2auBCQrPvM03ozRnVUwVfP23eUzX2ORNHCYhd2ObQx4krrhs7cJ
+SWxtKwFlstoXY3K2g9oRD9UxdQ==
+-----END CERTIFICATE-----`
+
+// BarCert is a PEM-encoded TLS cert.
+// generated from src/crypto/tls:
+// go run generate_cert.go  --rsa-bits 1024 --host bar.org,bar.com  --ca --start-date "Jan 1 00:00:00 1970" --duration=10000h
+const barCert = `-----BEGIN CERTIFICATE-----
+MIICHTCCAYagAwIBAgIQcuIcNEXzBHPoxna5S6wG4jANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMB4XDTcwMDEwMTAwMDAwMFoXDTcxMDIyMTE2MDAw
+MFowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAqtcrP+KA7D6NjyztGNIPMup9KiBMJ8QL+preog/YHR7SQLO3kGFhpS3WKMab
+SzMypC3ZX1PZjBP5ZzwaV3PFbuwlCkPlyxR2lOWmullgI7mjY0TBeYLDIclIzGRp
+mpSDDSpkW1ay2iJDSpXjlhmwZr84hrCU7BRTQJo91fdsRTsCAwEAAaN0MHIwDgYD
+VR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFK8jnzFQvBAgWtfzOyXY4VSkwrTXMBsGA1UdEQQUMBKCB2Jh
+ci5vcmeCB2Jhci5jb20wDQYJKoZIhvcNAQELBQADgYEAJz0ifAExisC/ZSRhWuHz
+7qs1i6Nd4+YgEVR8dR71MChP+AMxucY1/ajVjb9xlLys3GPE90TWSdVppabEVjZY
+Oq11nPKc50ItTt8dMku6t0JHBmzoGdkN0V4zJCBqdQJxhop8JpYJ0S9CW0eT93h3
+ipYQSsmIINGtMXJ8VkP/MlM=
+-----END CERTIFICATE-----`
+
+type gaugeMock struct {
+	metrics map[string]float64
+	labels  string
+}
+
+func (g gaugeMock) With(labelValues ...string) metrics.Gauge {
+	g.labels = strings.Join(labelValues, ",")
+	return g
+}
+
+func (g gaugeMock) Set(value float64) {
+	g.metrics[g.labels] = value
+}
+
+func (g gaugeMock) Add(delta float64) {
+	panic("implement me")
+}
+
+func TestAppendCertMetric(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		certs    []string
+		expected map[string]float64
+	}{
+		{
+			desc:     "No certs",
+			certs:    []string{},
+			expected: map[string]float64{},
+		},
+		{
+			desc:  "One cert",
+			certs: []string{fooCert},
+			expected: map[string]float64{
+				"cn,,serial,123624926713171615935660664614975025408,sans,foo.com,foo.org": 3.6e+09,
+			},
+		},
+		{
+			desc:  "Two certs",
+			certs: []string{fooCert, barCert},
+			expected: map[string]float64{
+				"cn,,serial,123624926713171615935660664614975025408,sans,foo.com,foo.org": 3.6e+09,
+				"cn,,serial,152706022658490889223053211416725817058,sans,bar.com,bar.org": 3.6e+07,
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			gauge := &gaugeMock{
+				metrics: map[string]float64{},
+			}
+
+			for _, cert := range test.certs {
+				block, _ := pem.Decode([]byte(cert))
+				parsedCert, err := x509.ParseCertificate(block.Bytes)
+				require.NoError(t, err)
+
+				appendCertMetric(gauge, parsedCert)
+			}
+
+			assert.Equal(t, test.expected, gauge.metrics)
+		})
+	}
+}
--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -7,8 +7,8 @@ import (
 	"runtime"
 	"text/template"

-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/version"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/version"
 )

 var versionTemplate = `Version:      {{.Version}}
--- a/contrib/grafana/traefik-kubernetes.json
+++ b/contrib/grafana/traefik-kubernetes.json
@@ -130,7 +130,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "count(kube_pod_status_ready{namespace=\"$namespace\",condition=\"true\",pod=~\"traefik.*\"})",
+          "expr": "count(kube_pod_status_ready{condition=\"true\",pod=~\"traefik.*\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -150,10 +150,7 @@
      "valueName": "current"
    },
    {
-      "aliasColors": {
-        "Latency over 1 min": "rgb(9, 116, 190)",
-        "Latency over 5 min": "#bf1b00"
-      },
+      "aliasColors": {},
      "bars": false,
      "dashLength": 10,
      "dashes": false,
@@ -183,22 +180,17 @@
      "pointradius": 5,
      "points": false,
      "renderer": "flot",
-      "seriesOverrides": [
-        {
-          "alias": "Latency over 5 min",
-          "yaxis": 1
-        }
-      ],
+      "seriesOverrides": [],
      "spaceLength": 10,
      "stack": false,
      "steppedLine": false,
      "targets": [
        {
-          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\", code=\"200\",method=\"GET\"}[5m])) by (le))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (le))",
          "format": "time_series",
          "hide": false,
          "intervalFactor": 1,
-          "legendFormat": "Latency over 1 min",
+          "legendFormat": "Latency over 5 min",
          "refId": "A"
        }
      ],
@@ -281,7 +273,7 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "histogram_quantile(0.$percentiles, rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\",code=\"200\",method=\"GET\"}[5m]))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (instance, le))",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "{{ instance }}",
@@ -343,7 +335,7 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 7,
          "gridPos": {
            "h": 7,
@@ -379,7 +371,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(traefik_entrypoint_open_connections{namespace=\"$namespace\"}) by (method)",
+              "expr": "sum(traefik_entrypoint_open_connections) by (method)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "{{ method }}",
@@ -431,7 +423,7 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 7,
@@ -465,7 +457,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\",le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_entrypoint_request_duration_seconds_count{namespace=\"$namespace\",code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Code 200",
@@ -511,9 +503,97 @@
            "align": false,
            "alignLevel": null
          }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 23
+          },
+          "id": 3,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_entrypoint_requests_total[1m])) by (entrypoint)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ entrypoint }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per entrypoint",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
        }
      ],
-      "title": "Frontends (entrypoints)",
+      "title": "Entrypoints",
      "type": "row"
    },
    {
@@ -522,7 +602,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 16
+        "y": 33
      },
      "id": 24,
      "panels": [
@@ -531,13 +611,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 7,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 0,
-            "y": 17
+            "y": 34
          },
          "id": 25,
          "legend": {
@@ -567,7 +647,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(traefik_backend_open_connections{namespace=\"$namespace\"}) by (method)",
+              "expr": "sum(traefik_service_open_connections) by (method)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "{{ method }}",
@@ -619,13 +699,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 12,
-            "y": 17
+            "y": 34
          },
          "id": 26,
          "legend": {
@@ -653,7 +733,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_request_duration_seconds_bucket{namespace=\"$namespace\",le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_backend_request_duration_seconds_count{namespace=\"$namespace\",code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_service_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Code 200",
@@ -699,9 +779,97 @@
            "align": false,
            "alignLevel": null
          }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 41
+          },
+          "id": 4,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_service_requests_total[1m])) by (service)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per service",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
        }
      ],
-      "title": "Backends",
+      "title": "Services",
      "type": "row"
    },
    {
@@ -710,7 +878,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 17
+        "y": 51
      },
      "id": 15,
      "panels": [
@@ -725,7 +893,7 @@
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 18
+            "y": 52
          },
          "id": 5,
          "legend": {
@@ -755,7 +923,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code=~\"2..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"2..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{method}} : {{code}}",
@@ -813,7 +981,7 @@
            "h": 9,
            "w": 12,
            "x": 12,
-            "y": 18
+            "y": 52
          },
          "id": 27,
          "legend": {
@@ -841,7 +1009,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code=~\"5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"5..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{method}} : {{code}}",
@@ -899,95 +1067,7 @@
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 27
-          },
-          "id": 3,
-          "legend": {
-            "alignAsTable": true,
-            "avg": true,
-            "current": true,
-            "max": true,
-            "min": false,
-            "rightSide": true,
-            "show": true,
-            "sort": "avg",
-            "sortDesc": true,
-            "total": false,
-            "values": true
-          },
-          "lines": false,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\"}[1m])) by (backend)",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{ backend }}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeShift": null,
-          "title": "Backend total requests over 1min per backend",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": true,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "${DS_PROMETHEUS}",
-          "fill": 1,
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 27
+            "y": 61
          },
          "id": 6,
          "legend": {
@@ -1016,7 +1096,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code!~\"2..|5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{ method }} : {{code}}",
@@ -1026,7 +1106,7 @@
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
-          "title": "Others status code over 5min",
+          "title": "Others statuses code over 5min",
          "tooltip": {
            "shared": true,
            "sort": 0,
@@ -1064,7 +1144,7 @@
          }
        }
      ],
-      "title": "HTTP Codes  stats",
+      "title": "HTTP Codes stats",
      "type": "row"
    },
    {
@@ -1073,7 +1153,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 18
+        "y": 70
      },
      "id": 35,
      "panels": [
@@ -1082,13 +1162,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 19
+            "y": 71
          },
          "id": 31,
          "legend": {
@@ -1116,21 +1196,21 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "max(container_memory_usage_bytes{namespace=\"$namespace\", container_name=\"traefik\"})",
+              "expr": "sum(container_memory_usage_bytes{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
-              "legendFormat": "Max memory used",
+              "legendFormat": "Memory used",
              "refId": "A"
            },
            {
-              "expr": "avg(kube_pod_container_resource_requests_memory_bytes{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_requests_memory_bytes{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
-              "legendFormat": "Requested memory usage",
+              "legendFormat": "Requested memory",
              "refId": "B"
            },
            {
-              "expr": "avg(kube_pod_container_resource_limits_memory_bytes{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_limits_memory_bytes{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Limit memory usage",
@@ -1140,7 +1220,7 @@
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
-          "title": "Traefik max memory usage",
+          "title": "Traefik memory usage",
          "tooltip": {
            "shared": true,
            "sort": 0,
@@ -1182,13 +1262,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 9,
            "w": 12,
            "x": 12,
-            "y": 19
+            "y": 71
          },
          "id": 33,
          "legend": {
@@ -1215,21 +1295,21 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "max(rate(container_cpu_usage_seconds_total{namespace=\"$namespace\", container_name=\"traefik\"}[1m]))",
+              "expr": "sum(rate(container_cpu_usage_seconds_total{container=\"traefik\"}[2m]))",
              "format": "time_series",
              "intervalFactor": 1,
-              "legendFormat": "Max cpu used",
+              "legendFormat": "Cpu used",
              "refId": "A"
            },
            {
-              "expr": "avg(kube_pod_container_resource_requests_cpu_cores{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_requests_cpu_cores{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
-              "legendFormat": "Requested cpu usage",
+              "legendFormat": "Requested cpu",
              "refId": "B"
            },
            {
-              "expr": "avg(kube_pod_container_resource_limits_cpu_cores{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_limits_cpu_cores{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Limit cpu usage",
@@ -1239,7 +1319,7 @@
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
-          "title": "Traefik max CPU usage",
+          "title": "Traefik CPU usage",
          "tooltip": {
            "shared": true,
            "sort": 0,
@@ -1277,7 +1357,7 @@
          }
        }
      ],
-      "title": "Pods ressources",
+      "title": "Pods resources",
      "type": "row"
    }
  ],
@@ -1288,26 +1368,6 @@
  ],
  "templating": {
    "list": [
-      {
-        "allValue": null,
-        "current": {},
-        "datasource": "${DS_PROMETHEUS}",
-        "hide": 0,
-        "includeAll": false,
-        "label": null,
-        "multi": false,
-        "name": "namespace",
-        "options": [],
-        "query": "label_values(traefik_config_reloads_total, namespace)",
-        "refresh": 1,
-        "regex": "",
-        "sort": 0,
-        "tagValuesQuery": "",
-        "tags": [],
-        "tagsQuery": "",
-        "type": "query",
-        "useTags": false
-      },
      {
        "allValue": null,
        "current": {
@@ -1370,5 +1430,5 @@
  "timezone": "",
  "title": "Traefik",
  "uid": "traefik-kubernetes",
-  "version": 1
+  "version": 2
 }
--- a/contrib/grafana/traefik.json
+++ b/contrib/grafana/traefik.json
@@ -64,10 +64,7 @@
      "type": "row"
    },
    {
-      "aliasColors": {
-        "Latency over 1 min": "rgb(9, 116, 190)",
-        "Latency over 5 min": "#bf1b00"
-      },
+      "aliasColors": {},
      "bars": false,
      "dashLength": 10,
      "dashes": false,
@@ -97,22 +94,17 @@
      "pointradius": 5,
      "points": false,
      "renderer": "flot",
-      "seriesOverrides": [
-        {
-          "alias": "Latency over 5 min",
-          "yaxis": 1
-        }
-      ],
+      "seriesOverrides": [],
      "spaceLength": 10,
      "stack": false,
      "steppedLine": false,
      "targets": [
        {
-          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=\"200\",method=\"GET\"}[5m])) by (le))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (le))",
          "format": "time_series",
          "hide": false,
          "intervalFactor": 1,
-          "legendFormat": "Latency over 1 min",
+          "legendFormat": "Latency over 5 min",
          "refId": "A"
        }
      ],
@@ -195,7 +187,7 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "histogram_quantile(0.$percentiles, rate(traefik_entrypoint_request_duration_seconds_bucket{code=\"200\",method=\"GET\"}[5m]))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (instance, le))",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "{{ instance }}",
@@ -257,13 +249,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 7,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 0,
-            "y": 2
+            "y": 16
          },
          "id": 19,
          "legend": {
@@ -345,13 +337,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 12,
-            "y": 2
+            "y": 16
          },
          "id": 22,
          "legend": {
@@ -379,7 +371,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Code 200",
@@ -425,9 +417,97 @@
            "align": false,
            "alignLevel": null
          }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 23
+          },
+          "id": 3,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_entrypoint_requests_total[1m])) by (entrypoint)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ entrypoint }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per entrypoint",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
        }
      ],
-      "title": "Frontends (entrypoints)",
+      "title": "Entrypoints",
      "type": "row"
    },
    {
@@ -436,7 +516,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 16
+        "y": 33
      },
      "id": 24,
      "panels": [
@@ -445,13 +525,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 7,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 0,
-            "y": 3
+            "y": 34
          },
          "id": 25,
          "legend": {
@@ -481,7 +561,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(traefik_backend_open_connections) by (method)",
+              "expr": "sum(traefik_service_open_connections) by (method)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "{{ method }}",
@@ -533,13 +613,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 12,
-            "y": 3
+            "y": 34
          },
          "id": 26,
          "legend": {
@@ -567,7 +647,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_backend_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_service_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Code 200",
@@ -613,9 +693,97 @@
            "align": false,
            "alignLevel": null
          }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 41
+          },
+          "id": 4,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_service_requests_total[1m])) by (service)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per service",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
        }
      ],
-      "title": "Backends",
+      "title": "Services",
      "type": "row"
    },
    {
@@ -624,7 +792,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 17
+        "y": 51
      },
      "id": 15,
      "panels": [
@@ -639,7 +807,7 @@
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 4
+            "y": 52
          },
          "id": 5,
          "legend": {
@@ -669,7 +837,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{code=~\"2..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"2..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{method}} : {{code}}",
@@ -727,7 +895,7 @@
            "h": 9,
            "w": 12,
            "x": 12,
-            "y": 4
+            "y": 52
          },
          "id": 27,
          "legend": {
@@ -755,7 +923,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{code=~\"5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"5..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{method}} : {{code}}",
@@ -813,95 +981,7 @@
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 13
-          },
-          "id": 3,
-          "legend": {
-            "alignAsTable": true,
-            "avg": true,
-            "current": true,
-            "max": true,
-            "min": false,
-            "rightSide": true,
-            "show": true,
-            "sort": "avg",
-            "sortDesc": true,
-            "total": false,
-            "values": true
-          },
-          "lines": false,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(traefik_backend_requests_total[1m])) by (backend)",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{ backend }}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeShift": null,
-          "title": "Backend total requests over 1min per backend",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": true,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "${DS_PROMETHEUS}",
-          "fill": 1,
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 13
+            "y": 61
          },
          "id": 6,
          "legend": {
@@ -930,7 +1010,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{ method }} : {{code}}",
@@ -940,7 +1020,7 @@
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
-          "title": "Others status code over 5min",
+          "title": "Others statuses code over 5min",
          "tooltip": {
            "shared": true,
            "sort": 0,
@@ -978,7 +1058,7 @@
          }
        }
      ],
-      "title": "HTTP Codes  stats",
+      "title": "HTTP Codes stats",
      "type": "row"
    }
  ],
@@ -1051,5 +1131,5 @@
  "timezone": "",
  "title": "Traefik",
  "uid": "traefik",
-  "version": 1
+  "version": 2
 }
--- a/contrib/systemd/traefik.service
+++ b/contrib/systemd/traefik.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Traefik
-Documentation=https://docs.traefik.io
+Documentation=https://doc.traefik.io/traefik/
 #After=network-online.target
 #AssertFileIsExecutable=/usr/bin/traefik
 #AssertPathExists=/etc/traefik/traefik.toml
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -12,7 +12,7 @@ TRAEFIK_DOCS_CHECK_IMAGE ?= $(TRAEFIK_DOCS_BUILD_IMAGE)-check
 SITE_DIR := $(CURDIR)/site

 DOCKER_RUN_DOC_PORT := 8000
-DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs 
+DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs
 DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNTS) -p $(DOCKER_RUN_DOC_PORT):8000

 # Default: generates the documentation into $(SITE_DIR)
@@ -22,6 +22,10 @@ docs: docs-clean docs-image docs-lint docs-build docs-verify
 docs-serve: docs-image
 	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve

+## Pull image for doc building
+docs-pull-images:
+	grep --no-filename -E '^FROM' ./*.Dockerfile | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
+
 # Utilities Targets for each step
 docs-image:
 	docker build -t $(TRAEFIK_DOCS_BUILD_IMAGE) -f docs.Dockerfile ./
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,5 +1,5 @@

-FROM alpine:3.10 as alpine
+FROM alpine:3.13 as alpine

 RUN apk --no-cache --no-progress add \
    libcurl \
@@ -8,8 +8,11 @@ RUN apk --no-cache --no-progress add \
    ruby-etc \
    ruby-ffi \
    ruby-json \
-    ruby-nokogiri
-RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libraries
+    ruby-nokogiri \
+    ruby-dev \
+    build-base
+
+RUN gem install html-proofer --version 3.19.0 --no-document -- --use-system-libraries

 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
@@ -21,8 +24,8 @@ RUN apk --no-cache --no-progress add \
 RUN npm config set unsafe-perm true

 RUN npm install --global \
-    markdownlint@0.17.2 \
-    markdownlint-cli@0.19.0
+    markdownlint@0.22.0 \
+    markdownlint-cli@0.26.0

 # Finally the shell tools we need for later
 # tini helps to terminate properly all the parallelized tasks when sending CTRL-C
--- a/docs/content/CNAME
+++ b/docs/content/CNAME
@@ -1 +0,0 @@
-docs.traefik.io
--- a/docs/content/assets/img/maintainers-guidelines.png
+++ b/docs/content/assets/img/maintainers-guidelines.png
--- a/docs/content/assets/img/traefik.icon.png
+++ b/docs/content/assets/img/traefik.icon.png
--- a/docs/content/assets/img/traefik.logo.horizontal.png
+++ b/docs/content/assets/img/traefik.logo.horizontal.png
--- a/docs/content/assets/img/traefikproxy-icon-color.png
+++ b/docs/content/assets/img/traefikproxy-icon-color.png
--- a/docs/content/assets/img/traefikproxy-vertical-logo-color.svg
+++ b/docs/content/assets/img/traefikproxy-vertical-logo-color.svg
--- a/docs/content/assets/styles/atom-one-light.css
+++ b/docs/content/assets/styles/atom-one-light.css
@@ -1,96 +0,0 @@
-/*
-
-Atom One Light by Daniel Gamage
-Original One Light Syntax theme from https://github.com/atom/one-light-syntax
-
-base:    #fafafa
-mono-1:  #383a42
-mono-2:  #686b77
-mono-3:  #a0a1a7
-hue-1:   #0184bb
-hue-2:   #4078f2
-hue-3:   #a626a4
-hue-4:   #50a14f
-hue-5:   #e45649
-hue-5-2: #c91243
-hue-6:   #986801
-hue-6-2: #c18401
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #383a42;
-  background: #fafafa;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #a0a1a7;
-  font-style: italic;
-}
-
-.hljs-doctag,
-.hljs-keyword,
-.hljs-formula {
-  color: #a626a4;
-}
-
-.hljs-section,
-.hljs-name,
-.hljs-selector-tag,
-.hljs-deletion,
-.hljs-subst {
-  color: #e45649;
-}
-
-.hljs-literal {
-  color: #0184bb;
-}
-
-.hljs-string,
-.hljs-regexp,
-.hljs-addition,
-.hljs-attribute,
-.hljs-meta-string {
-  color: #50a14f;
-}
-
-.hljs-built_in,
-.hljs-class .hljs-title {
-  color: #c18401;
-}
-
-.hljs-attr,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-type,
-.hljs-selector-class,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-number {
-  color: #986801;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link,
-.hljs-meta,
-.hljs-selector-id,
-.hljs-title {
-  color: #4078f2;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-link {
-  text-decoration: underline;
-}
--- a/docs/content/assets/styles/content.css
+++ b/docs/content/assets/styles/content.css
@@ -1,70 +0,0 @@
-.md-container {
-  padding-top: 0;
-}
-
-.md-content h1 {
-  color: var(--dark) !important;
-  font-weight: bold !important;
-}
-
-.md-content a {
-  color: var(--blue) !important;
-}
-
-.md-content a:hover {
-  font-weight: bold !important;
-}
-
-.md-typeset p code,
-.md-typeset .codehilite,
-.md-typeset .highlight {
-  background-color: var(--light-blue) !important;
-}
-
-.md-typeset table:not([class]) th {
-  background: var(--dark) !important;
-  color: white !important;
-}
-
-/* Front page image size */
-img[src$='#small'] {
-  width: 150px;
-}
-img[src$='#medium'] {
-  width: 300px;
-}
-
-/* Center table and objects */
-.center,
-img,
-.md-typeset__table {
-  display: block !important;
-  margin: 0 auto;
-}
-
-.md-typeset table:not([class]) tr td:first-child {
-  text-align: left;
-}
-.md-typeset table:not([class]) th:not([align]),
-.md-typeset table:not([class]) td:not([align]) {
-  text-align: center;
-}
-article p:not([class]),
-article ul:not([class]),
-article ol:not([class]) {
-  padding-left: 0.8em !important;
-}
-
-/* Fix for Chrome */
-.md-typeset__table td code {
-  word-break: unset;
-}
-
-.md-typeset__table tr :nth-child(1) {
-  word-wrap: break-word;
-  max-width: 30em;
-}
-
-p {
-  text-align: justify;
-}
--- a/docs/content/assets/styles/footer.css
+++ b/docs/content/assets/styles/footer.css
@@ -1,10 +0,0 @@
-.md-footer-meta {
-  background-color: var(--dark);
-}
-
-.md-footer-privacy-policy {
-  margin: 0 .6rem;
-  padding: .4rem 0;
-  color: hsla(0,0%,100%,.3);
-  font-size: .64rem;
-}
--- a/docs/content/assets/styles/header.css
+++ b/docs/content/assets/styles/header.css
@@ -1,462 +0,0 @@
-@import url('https://fonts.googleapis.com/css?family=Rubik:300i,400,400i,500,500i,700&amp;display=swap');
-
-.wrapper-1200 {
-  width: 100%;
-  max-width: 61rem;
-  margin: 0 auto;
-  padding: 0 .6rem;
-}
-
-@media (max-width: 700px) {
-  .wrapper-1200 {
-    padding: 0 20px;
-  }
-}
-
-.btn-type-1 {
-  outline: none;
-  border: none;
-  background-color: #1e54d5;
-  line-height: 1em;
-  border-radius: 8px;
-  padding: 12px 15px;
-  text-transform: uppercase;
-  letter-spacing: 0.05em;
-  font-size: 1.25rem;
-  background-image: linear-gradient(to top, rgba(0, 0, 0, 0.28) 1%, #1e54d5 99%);
-  font-weight: 500;
-  text-align: center;
-  color: white;
-  transition: all 0.2s;
-}
-
-.button--secondary {
-  outline: none;
-  border: 2px solid #1e54d5 !important;
-  background: transparent;
-  line-height: 1em;
-  border-radius: 8px;
-  padding: 9px 13px;
-  letter-spacing: 0;
-  font-size: 1.3rem;
-  font-weight: 500;
-  text-align: center;
-  color: #1e54d5;
-  transition: all 0.2s;
-  display: inline-block;
-}
-.button--secondary:hover {
-  color: white !important;
-  background: #1e54d5;
-}
-.button--secondary:focus {
-  color: white !important;
-  background: #1e54d5;
-}
-
-.site-header-and-placeholder-wrapper {
-  position: relative;
-  height: 64px;
-}
-
-.site-header {
-  position: fixed;
-  width: 100%;
-  top: 0;
-  left: 0;
-  transition: height 0.1s;
-  z-index: 100;
-  background: white;
-  box-shadow: 0 0 7px 0 #00000021;
-  border-bottom: 1px solid #e2e2e2;
-  height: 64px;
-  display: flex;
-  align-items: center;
-  font-size: 10px;
-  font-family: 'Rubik', -apple-system, 'BlinkMacSystemFont', 'Segoe UI',
-    'Helvetica Neue', sans-serif;
-  color: #06102a;
-  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
-}
-
-.site-header.scrolled {
-  box-shadow: 0 0 5px 0 #00000028;
-  position: fixed;
-  top: 0;
-  height: 52px;
-}
-.site-header.scrolled .site-header__title a {
-  font-size: 2.2em;
-}
-
-.header-placeholder {
-  background: none;
-  width: 100%;
-  height: 64px;
-  position: absolute;
-}
-.header-placeholder.active {
-  display: block;
-}
-
-.site-header .wrapper-1200 {
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-}
-.site-header .wrapper-1200 .left {
-  display: flex;
-  align-items: center;
-  justify-content: flex-start;
-}
-
-.site-header__logo {
-  max-width: 145px;
-}
-
-.site-header__title a {
-  color: #06102a;
-  font-size: 2.2em;
-  font-weight: 500;
-  transition: all 0.2s;
-  text-transform: uppercase;
-  letter-spacing: 0.02em;
-}
-
-/* Navigation */
-.site-header__nav .menu-item-wrapper {
-  display: inline-block;
-  padding-left: 30px;
-}
-.site-header__nav .menu-item {
-  color: #06102a;
-  transition: all 0.05s;
-  font-size: 1.45em;
-  line-height: 1em;
-  font-weight: 500;
-}
-.site-header__nav .menu-item:hover {
-  color: #8a959e;
-}
-.site-header__nav .menu-item--with-icon {
-  display: flex;
-  align-items: center;
-  justify-content: flex-start;
-}
-.site-header__nav .menu-item--with-icon .title {
-  margin-right: 3px;
-}
-.site-header__nav .menu-item--with-icon .icon {
-  width: 20px;
-  height: 20px;
-  transition: all 0.1s;
-}
-.site-header__nav .menu-item--with-icon .icon svg {
-  stroke-width: 2.5 !important;
-  width: 100%;
-  height: 100%;
-}
-.site-header__nav .menu-item-wrapper--dropdown {
-  position: relative;
-}
-.site-header__nav .menu-item-wrapper--dropdown:hover .nav-dropdown-menu {
-  display: block;
-}
-.site-header__nav .nav-dropdown-menu {
-  display: none;
-}
-
-.nav-dropdown-menu {
-  position: absolute;
-  z-index: 500;
-  background: transparent;
-}
-
-.nav-dropdown-menu-wrapper {
-  border-radius: 8px;
-  box-shadow: 0 12px 40px 0 rgba(1, 10, 32, 0.24);
-  background: white;
-  margin: 8px 0;
-  overflow: hidden;
-}
-
-/* Products, Solutions dropdown menu */
-.nav-dropdown-menu--products,
-.nav-dropdown-menu--solutions {
-  width: 500px;
-}
-.nav-dropdown-menu--products .nav-dropdown-menu-wrapper,
-.nav-dropdown-menu--solutions .nav-dropdown-menu-wrapper {
-  padding: 20px;
-}
-.nav-dropdown-menu--products .dm-header,
-.nav-dropdown-menu--solutions .dm-header {
-  font-size: 1.1em;
-  font-weight: 500;
-  font-stretch: normal;
-  font-style: normal;
-  line-height: normal;
-  letter-spacing: 3.67px;
-  color: #505769;
-  margin-bottom: 20px;
-  text-transform: uppercase;
-}
-.nav-dropdown-menu--products .dm-item,
-.nav-dropdown-menu--solutions .dm-item {
-  border: none;
-  margin: 0 0 20px;
-  color: #06102a;
-  transition: all 0.1s;
-  position: relative;
-  width: 100%;
-}
-.nav-dropdown-menu--products .dm-item:last-child,
-.nav-dropdown-menu--solutions .dm-item:last-child {
-  margin-bottom: 0;
-}
-.nav-dropdown-menu--products .dm-item .dmi-image,
-.nav-dropdown-menu--solutions .dm-item .dmi-image {
-  width: 118px;
-  height: 92px;
-  position: absolute;
-  background: #f4f4f4;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  padding: 20px;
-  border-radius: 4px;
-  z-index: 0;
-}
-.nav-dropdown-menu--products .dm-item .dmi-image img,
-.nav-dropdown-menu--solutions .dm-item .dmi-image img {
-  width: 100%;
-}
-.nav-dropdown-menu--products .dm-item .dmi-details,
-.nav-dropdown-menu--solutions .dm-item .dmi-details {
-  padding: 8px 0 10px 135px;
-  width: 100%;
-  background: transparent;
-  display: block;
-  color: #06102a;
-  position: relative;
-  z-index: 1;
-}
-.nav-dropdown-menu--products .dm-item .dmi-details:hover,
-.nav-dropdown-menu--solutions .dm-item .dmi-details:hover {
-  color: #1e54d5;
-}
-.nav-dropdown-menu--products .dm-item .dmi-title,
-.nav-dropdown-menu--solutions .dm-item .dmi-title {
-  font-size: 1.6em;
-  font-weight: 500;
-  margin: 0 0 2px;
-}
-.nav-dropdown-menu--products .dm-item .dmi-description,
-.nav-dropdown-menu--solutions .dm-item .dmi-description {
-  font-size: 1.4em;
-  opacity: 0.7;
-  line-height: 1.6em;
-}
-.nav-dropdown-menu--products .dm-item--traefikee .dmi-image img,
-.nav-dropdown-menu--solutions .dm-item--traefikee .dmi-image img {
-  transform: scale(1.1);
-}
-
-.nav-dropdown-menu--solutions .dm-item .dmi-image {
-  width: 65px;
-  padding: 10px;
-  background: white;
-  height: auto;
-}
-.nav-dropdown-menu--solutions .dm-item .dmi-details {
-  padding: 5px 0 0 80px;
-}
-.nav-dropdown-menu--solutions .dm-item:last-child {
-  margin-bottom: 10px;
-}
-
-/* Dropdown menu: Learn */
-.nav-dropdown-menu--learn {
-  width: 250px;
-}
-.nav-dropdown-menu--company {
-  width: 500px;
-}
-.nav-dropdown-menu--company .nav-dropdown-menu-wrapper {
-  display: grid;
-  grid-template-columns: 50% 50%;
-}
-.nav-dropdown-menu--learn .dm-left,
-.nav-dropdown-menu--company .dm-left {
-  padding: 25px;
-}
-.nav-dropdown-menu--learn .dm-header,
-.nav-dropdown-menu--company .dm-header {
-  font-size: 1.1em;
-  font-weight: 500;
-  font-stretch: normal;
-  font-style: normal;
-  line-height: normal;
-  letter-spacing: 3.67px;
-  color: #505769;
-  margin-bottom: 20px;
-  text-transform: uppercase;
-}
-.nav-dropdown-menu--learn .dm-item,
-.nav-dropdown-menu--company .dm-item {
-  display: block;
-  font-size: 1.6em;
-  font-weight: 500;
-  color: #06102a;
-  margin-bottom: 15px;
-}
-.nav-dropdown-menu--learn .dm-item:last-child,
-.nav-dropdown-menu--company .dm-item:last-child {
-  margin-bottom: 0;
-}
-.nav-dropdown-menu--learn .dm-item:hover,
-.nav-dropdown-menu--company .dm-item:hover {
-  color: #1e54d5;
-}
-
-.dm-preview {
-  background: #edeff4;
-  overflow: hidden;
-  height: 100%;
-  display: flex;
-  flex-direction: column;
-}
-
-.dm-preview__feature-image {
-  overflow: hidden;
-  display: block;
-}
-
-.dm-preview__feature-image img {
-  width: 100%;
-  height: 145px;
-  background: #ffffff no-repeat 50%;
-  object-fit: cover;
-  vertical-align: middle;
-}
-
-.dm-preview__content {
-  padding: 15px;
-  display: flex;
-  justify-content: flex-start;
-  align-items: flex-start;
-  flex-direction: column;
-  flex: 1;
-  position: relative;
-}
-
-.dm-preview__tag {
-  display: block;
-  font-size: 1.2em;
-  color: #db7d11;
-  letter-spacing: 2.5px;
-  font-weight: 500;
-  margin: 0 0;
-  text-transform: uppercase;
-}
-
-.dm-preview__title {
-  font-size: 1.6em;
-  font-weight: 500;
-  line-height: 1.6em;
-  margin: 0;
-  color: #06102a;
-  display: block;
-  flex: 1;
-  position: relative;
-  z-index: 1;
-  padding-bottom: 20px;
-}
-
-.dm-preview .arrow-link {
-  justify-content: flex-start;
-  font-size: 1.4em;
-  position: absolute;
-  bottom: 12px;
-  z-index: 0;
-}
-
-/* Dropdown menu: Company */
-.nav-dropdown-menu--company {
-  width: 450px;
-}
-
-.nav-dropdown-menu--company .dm-right {
-  background: #06102a;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  flex-direction: column;
-  color: white;
-  padding: 20px;
-}
-.nav-dropdown-menu--company .dm-right p {
-  font-size: 1.6em;
-  font-weight: 500;
-  margin: 0 0 15px;
-  text-align: center;
-}
-.nav-dropdown-menu--company .dm-right a {
-  text-transform: uppercase;
-  line-height: 1.5em;
-  padding: 9px 12px;
-  font-size: 1.2em;
-}
-
-/* Demo */
-.site-header__demo-button .button--secondary {
-  font-size: 1.4em;
-  padding: 8px 12px;
-  border-radius: 6px;
-}
-
-/* Drawer */
-.site-header .drawer {
-  display: none;
-}
-
-@media (max-width: 1060px) {
-  .site-header__nav .menu-item-wrapper {
-    padding-left: 20px;
-  }
-}
-@media (max-width: 980px) {
-  .site-header__nav {
-    display: none;
-  }
-
-  .site-header .drawer {
-    display: block;
-  }
-
-  .site-header .right .site-header__demo-button {
-    display: none;
-  }
-
-  html [data-md-color-primary=indigo] .md-nav--primary .md-nav__title--site {
-    background-color: #06102a;
-  }
-
-  html .md-nav--primary .md-nav__title {
-    padding: 64px .8rem .2rem;
-  }
-
-  .md-search__inner {
-    top: 64px;
-    right: 0;
-  }
-}
-
-.md-header .md-search {
-  margin-left: 12.1rem;
-} 
-
-.site-header__main {
-  display: flex;
-  align-items: center;
-}
--- a/docs/content/assets/styles/menu.css
+++ b/docs/content/assets/styles/menu.css
@@ -1,101 +0,0 @@
-.md-nav__link {
-  margin-left: -0.4rem;
-  padding: 0 0.4rem;
-  line-height: 32px;
-  color: var(--dark) !important;
-}
-
-.md-nav__link::after {
-  font-size: 16px;
-  vertical-align: -.25em;
-}
-
-.md-nav__toggle:checked + .md-nav__link,
-.md-nav__link--active,
-.md-nav__link:hover {
-  border-radius: 8px;
-  background-color: var(--light-blue) !important;
-  color: var(--dark) !important;
-  transition: background-color 0.3s ease;
-}
-
-.md-nav__link--active {
-  color: var(--blue) !important;
-  font-weight: bold;
-}
-
-.md-sidebar--primary {
-  background-color: white;
-}
-
-.md-sidebar--secondary .md-nav__title {
-  font-size: 12px;
-  text-transform: uppercase;
-  margin-bottom: 0.4rem;
-  padding: 0;
-}
-
-.md-sidebar--secondary .md-sidebar__scrollwrap {
-  border-radius: 8px;
-  background-color: var(--light-blue) !important;
-}
-
-.md-sidebar--secondary .md-nav__title {
-  padding: 0.8rem 0.4rem 0.8rem;
-}
-
-.md-sidebar--secondary .md-nav__list {
-  padding: 0 0.4rem 0.8rem 1.2rem;
-}
-
-.md-sidebar--secondary .md-sidebar__scrollwrap .md-nav__link {
-  font-weight: 300;
-}
-
-.md-sidebar--secondary
-  .md-sidebar__scrollwrap
-  .md-nav__link[data-md-state='blur'],
-.md-sidebar--secondary .md-sidebar__scrollwrap .md-nav__link:hover {
-  color: var(--blue) !important;
-  font-weight: bold;
-}
-
-.md-sidebar--secondary .md-nav__item {
-  padding: 0 0 0 0.4rem;
-}
-
-.md-sidebar--secondary .md-nav__link {
-  margin-top: 0.225em;
-  padding: 0.1rem 0.2rem;
-}
-
-.md-sidebar--secondary li {
-  list-style-type: disc;
-}
-
-.md-sidebar--secondary .repo_url {
-  padding: 10px 0 14px 0;
-}
-
-
-.md-search__inner {
-  width: inherit;
-  float: inherit;
-}
-
-.md-search__input {
-  margin-bottom: 10px;
-  border-radius: 4px; 
-  background-color: inherit;
-  border: 1px solid rgba(0,0,0,.07);
-}
-
-.md-search__input::placeholder {
-  color: rgba(0,0,0,.07);
-}
-
-@media only screen and (min-width: 60em) {
-  [data-md-toggle=search]:checked~.md-header .md-search__inner {
-    margin-top: 100px;
-  }
-}
--- a/docs/content/assets/styles/product-switcher.css
+++ b/docs/content/assets/styles/product-switcher.css
@@ -1,11 +0,0 @@
-.product-switcher {
-  font-size: 10px;
-  font-family: 'Rubik', -apple-system, 'BlinkMacSystemFont', 'Segoe UI',
-    'Helvetica Neue', sans-serif;
-  color: #06102a;
-  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
-}
-
-.product-switcher img {
-  margin-right: 10px;
-}
--- a/docs/content/assets/styles/root.css
+++ b/docs/content/assets/styles/root.css
@@ -1,10 +0,0 @@
-:root {
-  --dark: #06102a;
-  --blue: #04B5D1;
-  --light-blue: #E4F7FA;
-
-  --input-bg-color: white;
-  --input-color: black;
-  --input-placeholder-color: #bbb;
-  --input-border-color: #dcdcdc;
-}
--- a/docs/content/contributing/advocating.md
+++ b/docs/content/contributing/advocating.md
@@ -5,6 +5,6 @@ Spread the Love & Tell Us about It

 There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.

-If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
+If you're talking about Traefik, [let us know](https://blog.traefik.io/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!

-Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/containous/traefik/wiki/Awesome-Traefik).
+Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/traefik/traefik/wiki/Awesome-Traefik).
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -30,12 +30,12 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.14-alpine
+Step 1/10 : FROM golang:1.16-alpine
 ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
 Successfully tagged traefik-dev:4475--feature-documentation
-docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
+docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/traefik/traefik/"dist":/go/src/github.com/traefik/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
 ---> Making bundle: generate (in .)
 removed 'autogen/genstatic/gen.go'

@@ -62,13 +62,13 @@ PRE_TARGET= make test-unit

 Requirements:

- `go` v1.14+
+- `go` v1.16+
 - environment variable `GO111MODULE=on`
 - [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`

 !!! tip "Source Directory"

-    It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
+    It is recommended that you clone Traefik into the `~/go/src/github.com/traefik/traefik` directory.
    This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.

 !!! note "Environment"
@@ -104,7 +104,7 @@ Once you've set up your go environment and cloned the source repository, you can
 Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).

 ```bash
-cd ~/go/src/github.com/containous/traefik
+cd ~/go/src/github.com/traefik/traefik

 # Get go-bindata. (Important: the ellipses are required.)
 GO111MODULE=off go get github.com/containous/go-bindata/...
@@ -124,7 +124,7 @@ go generate
 go build ./cmd/traefik
 ```

-You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
+You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/traefik/traefik` directory.

 ## Testing

@@ -138,13 +138,13 @@ Run all tests (unit and integration) using the `test` target.
 $ make test-unit
 docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
 # […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/traefik/traefik/dist:/go/src/github.com/traefik/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
 ---> Making bundle: generate (in .)
 removed 'gen.go'

 ---> Making bundle: test-unit (in .)
 + go test -cover -coverprofile=cover.out .
-ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
+ok      github.com/traefik/traefik   0.005s  coverage: 4.1% of statements

 Test success
 ```
@@ -172,7 +172,7 @@ More: https://labix.org/gocheck
 Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:

 ```test
-ok      _/home/user/go/src/github/containous/traefik    0.004s
+ok      _/home/user/go/src/github/traefik/traefik    0.004s
 ```

 Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.
--- a/docs/content/contributing/data-collection.md
+++ b/docs/content/contributing/data-collection.md
@@ -9,19 +9,19 @@ Understanding how you use Traefik is very important to us: it helps us improve t
 For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.

 !!! example "Enabling Data Collection"
-    
-    ```toml tab="File (TOML)"
-    [global]
-      # Send anonymous usage data
-      sendAnonymousUsage = true
-    ```
-    
+
    ```yaml tab="File (YAML)"
    global:
      # Send anonymous usage data
      sendAnonymousUsage: true
    ```
-    
+
+    ```toml tab="File (TOML)"
+    [global]
+      # Send anonymous usage data
+      sendAnonymousUsage = true
+    ```
+
    ```bash tab="CLI"
    # Send anonymous usage data
    --global.sendAnonymousUsage
@@ -29,7 +29,9 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to

 ## Collected Data

-This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
+This feature comes from the public proposal [here](https://github.com/traefik/traefik/issues/2369).
+
+This feature is activated when using Traefik Pilot to better understand the community's need, and also to get information about plug-ins popularity.

 In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
@@ -43,53 +45,55 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 - an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).

 !!! info
-    
+
    - We do not collect the dynamic configuration information (routers & services).
    - We do not collect this data to run advertising programs.
    - We do not sell this data to third-parties.

 ### Example of Collected Data

-```toml tab="Original configuration"
-[entryPoints]
-  [entryPoints.web]
-    address = ":80"
+```yaml tab="Original configuration"
+entryPoints:
+  web:
+  address: ":80"

-[api]
+api: {}

-[providers.docker]
-  endpoint = "tcp://10.10.10.10:2375"
-  exposedByDefault = true
-  swarmMode = true
+providers:
+  docker:
+    endpoint: "tcp://10.10.10.10:2375"
+    exposedByDefault: true
+    swarmMode: true

-  [providers.docker.TLS]
-    ca = "dockerCA"
-    cert = "dockerCert"
-    key = "dockerKey"
-    insecureSkipVerify = true
+    tls:
+      ca: dockerCA
+      cert: dockerCert
+      key: dockerKey
+      insecureSkipVerify: true
 ```

-```toml tab="Resulting Obfuscated Configuration"
-[entryPoints]
-  [entryPoints.web]
-    address = ":80"
+```yaml tab="Resulting Obfuscated Configuration"
+entryPoints:
+  web:
+  address: ":80"

-[api]
+api: {}

-[providers.docker]
-  endpoint = "xxxx"
-  exposedByDefault = true
-  swarmMode = true
+providers:
+  docker:
+    endpoint: "xxxx"
+    exposedByDefault: true
+    swarmMode: true

-  [providers.docker.TLS]
-    ca = "xxxx"
-    cert = "xxxx"
-    key = "xxxx"
-    insecureSkipVerify = true
+    tls:
+      ca: xxxx
+      cert: xxxx
+      key: xxxx
+      insecureSkipVerify: true
 ```

 ## The Code for Data Collection

-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/pkg/collector/collector.go)
+If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)

 By default we anonymize all configuration fields, except fields tagged with `export=true`.
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -10,17 +10,17 @@ Let's see how.

 ### General

-This [documentation](https://docs.traefik.io/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).

 ### Method 1: `Docker` and `make`

-You can build the documentation and test it locally (with live reloading), using the `docs` target:
+You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:

 ```bash
-$ make docs
+$ make docs-serve
 docker build -t traefik-docs -f docs.Dockerfile .
 # […]
-docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
+docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
 # […]
 [I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
 [I 170828 20:47:48 handlers:60] Start watching changes
@@ -75,24 +75,26 @@ To check that the documentation meets standard expectations (no dead links, html
 $ make docs-verify
 docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
 ...
-docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
+docker run --rm -v /home/travis/build/traefik/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
 === Checking HTML content...
 Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
 ```

 !!! note "Clean & Verify"

-    If you've made changes to the documentation, it's safter to clean it before verifying it. 
+    If you've made changes to the documentation, it's safter to clean it before verifying it.

    ```bash
-    $ make docs-clean docs-verify
+    $ make docs
    ...
    ```

+    Will perform all necessary steps for you.
+
 !!! note "Disabling Documentation Verification"

    Verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`:
-    
+
    ```shell
    DOCS_VERIFY_SKIP=true make docs-verify
    ...
--- a/docs/content/contributing/maintainers-guidelines.md
+++ b/docs/content/contributing/maintainers-guidelines.md
@@ -0,0 +1,129 @@
+# Maintainer's Guidelines
+
+![Maintainer's Guidelines](../assets/img/maintainers-guidelines.png)
+
+Note: the document is a work in progress.
+
+Welcome to the Traefik Community.
+This document describes how to be part of the core team
+as well as various responsibilities
+and guidelines for Traefik maintainers.
+We are strongly promoting a philosophy of openness and sharing,
+and firmly standing against the elitist closed approach.
+Being part of the core team should be accessible to anyone motivated
+and wants to be part of that journey!
+
+## Onboarding Process
+
+If you consider joining our community please drop us a line using Twitter or leave a note in the issue.
+We will schedule a quick call to meet you and learn more about your motivation.
+During the call, the team will discuss the process of becoming a maintainer.
+We will be happy to answer any questions and explain all your doubts.
+
+## Maintainer's Requirements
+
+Note: you do not have to meet all the listed requirements,
+but must have achieved several.
+
+- Enabled [2FA](https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) on your Github account
+- The contributor has opened and successfully run medium to large PR’s in the past 6 months.
+- The contributor has participated in multiple code reviews of other PR’s,
+  including those of other maintainers and contributors.
+- The contributor showed a consistent pattern of helpful, non-threatening, and friendly behavior towards other community members in the past.
+- The contributor is active on Traefik Community forums
+  or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
+- Have read and accepted the contributor guidelines.
+
+## Maintainer's Responsibilities and Privileges
+
+There are lots of areas where you can contribute to the project,
+but we can suggest you start with activities such as:
+
+- PR reviewing.
+    - According to our guidelines we require you have at least 3 reviewers,
+      thus you can review a PR and leave the relevant comment if it is necessary.
+- Participating in a daily [issue triage](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md).
+    - The process helps to understand and prioritize the reported issue according to its importance and severity.
+      This is crucial to learn how our users implement Traefik.
+      Each of the issues that are labeled as bug/possible bug/confirmed requires a reproducible use case. 
+      You can help in creating a reproducible use case if it has not been added to the issue
+      or use the sample code provided by the reporter.
+      Typically, a simple docker compose should be enough to reproduce the issue.
+- Code contribution.
+- Documentation contribution.
+    - Technical documentation is one of the most important components of the product.
+      The ability to set up a testing environment in a few minutes,
+      using the official documentation,
+      is a game changer.
+- You will be listed on our Maintainers Github page
+  as well as on our website in the section [maintainers](maintainers.md).
+- We will be promoting you on social channels (mostly on Twitter).
+
+## Governance
+
+- Roadmap meetings on a regular basis where all maintainers are welcome.
+
+## Communicating
+
+- All of our maintainers are added to Slack #traefik-maintainers channel that belongs to Traefik labs workspace.
+  Having the team in one place helps us to communicate effectively. 
+  You can reach Traefik core developers directly,
+  which offers the possibility to discuss issues, pull requests, enhancements more efficiently
+  and get the feedback almost immediately.
+  Fewer blockers mean more fun and engaging work.
+
+- On a daily basis, we publish a report that includes all the activities performed during the day.
+  You are updated in regard to the workload that has been processed including:
+  working on the new features and enhancements,
+  activities related to the reported issues and PR’s,
+  other important project-related announcements.
+
+- At 5:00 PM CET every day we review all the created issues that have been reported,
+  assign them the appropriate *[labels](maintainers.md#labels)*
+  and prioritize them based on the severity of the problem.
+  The process is called *[issue triaging](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)*.
+  Each of the maintainers is welcome to join the meeting.
+  For that purpose, we use a dedicated Discord server
+  where you are invited once you have become the official maintainer.
+
+## Maintainers Activity
+
+In order to keep the core team efficient and dynamic,
+maintainers' activity and involvement will be reviewed on a regular basis.
+
+- Has the maintainer engaged with the team and the community by meeting two or more of these benchmarks in the past six months?
+    - Has the maintainer participated in at least two or three maintainer meetings?
+    - Substantial review of at least one or two PRs from either contributors or maintainers.
+    - Opened at least one or two bug fixes or feature request PRs
+      that were eventually merged (or on a trajectory for merge).
+    - Substantial participation in the Help Wanted program (answered questions, helped identify issues, applied guidelines from the Help Wanted guide to open issues).
+    - Substantial participation with the community in general.
+
+- Has the maintainer shown a consistent pattern of helpful,
+  non-threatening,
+  and friendly behavior towards other people on the maintainer team and with our community?
+
+## Additional Comments for (not only) Maintainers
+
+- Be able to put yourself in users’ shoes.
+- Be open-minded and respectful with other maintainers and other community members.
+- Keep the communication public - 
+  if anyone tries to communicate with you directly,
+  ask him politely to move the conversation to a public communication channel.
+- Stay away from defensive comments.
+- Please try to express your thoughts clearly enough
+  and note that some of us are not native English speakers.
+  Try to rephrase your sentences, avoiding mental shortcuts;
+  none of us is able to predict your thoughts.
+- There are a lot of use cases of using Traefik
+  and even more issues that are difficult to reproduce.
+  If the issue can’t be replicated due to a lack of reproducible case (a simple docker compose should be enough) - 
+  set your time limits while working on the issue
+  and express clearly that you were not able to replicate it.
+  You can come back later to that case.
+- Be proactive.
+- Emoji are fine,
+  but if you express yourself clearly enough they are not necessary.
+  They will not replace good communication.
+- Embrace mentorship.
+- Keep in mind that we all have the same intent to improve the project.
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -1,6 +1,6 @@
 # Maintainers

-## The team
+## The Team

 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
 * Vincent Demeester [@vdemeester](https://github.com/vdemeester)
@@ -11,75 +11,26 @@
 * Ludovic Fernandez [@ldez](https://github.com/ldez)
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
-* Marco Jantke [@marco-jantke](https://github.com/marco-jantke)
+* Marco Jantke [@mjantke](https://github.com/mjeri)
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
 * Mathieu Lonjaret [@mpl](https://github.com/mpl)
 * Romain Tribotté [@rtribotte](https://github.com/rtribotte)
+* Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
+* Harold Ozouf [@jspdown](https://github.com/jspdown)

-## Contributions Daily Meeting
+## Maintainer's Guidelines

-* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/containous/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
-* Every pull request should be checked during the Contributions Daily Meeting
-    * Even if it’s already assigned
-    * Even PR labelled with `contributor/waiting-for-corrections` or `contributor/waiting-for-feedback`
-* Issues labeled with `priority/P0` and `priority/P1` should be assigned.
-* Modifying an issue or a pull request (labels, assignees, milestone) is only possible:
-    * During the Contributions Daily Meeting
-    * By an assigned maintainer
-    * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, Discourse, etc)
+Please read the [maintainer's guidelines](maintainers-guidelines.md)

-## PR review process:
+## Issue Triage

-* The status `needs-design-review` is only used in complex/heavy/tricky PRs.
-* From `1` to `2`: 1 comment that says “design LGTM” (by a senior maintainer).
-* From `2` to `3`: 3 LGTM approvals by any maintainer.
-* If needed, a specific maintainer familiar with a particular domain can be requested for the review.
-* If a PR has been implemented in pair programming, one peer's LGTM goes into the review for free
-* Amending someone else's pull request is authorized only in emergency, if a rebase is needed, or if the initial contributor is silent
+Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).

-We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
+## PR Review Process

-## Bots
-
-### [Myrmica Lobicornis](https://github.com/containous/lobicornis/)
-
-Update and Merge Pull Request.
-
-The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
-
-By default, a squash-rebase merge will be carried out.
-To preserve commits, add `bot/merge-method-rebase` before `status/3-needs-merge`.
-
-The status `status/4-merge-in-progress` is only used by the bot.
-
-If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.  
-In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
-
-To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
-
-The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
-
-This label is used when:
-
-* Updating the vendors from previously reviewed PRs
-* Merging branches into the master
-* Preparing the release
-
-### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)
-
-* closes stale issues [cron]
-    * use some criterion as number of days between creation, last update, labels, ...
-
-### [Myrmica Aloba](https://github.com/containous/aloba)
-
-Manage GitHub labels.
-
-* Add labels on new PR [GitHub WebHook]
-* Add milestone to a new PR based on a branch version (1.4, 1.3, ...) [GitHub WebHook]
-* Add and remove `contributor/waiting-for-corrections` label when a review request changes [GitHub WebHook]
-* Weekly report of PR status on Slack (CaptainPR) [cron]
+The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.

 ## Labels

@@ -167,7 +118,7 @@ The `status/*` labels represent the desired state in the workflow.
 * `priority/P2`: need to be fixed in the future.
 * `priority/P3`: maybe.

-### PR size
+### PR Size

 Automatically set by a bot.

--- a/docs/content/contributing/submitting-issues.md
+++ b/docs/content/contributing/submitting-issues.md
@@ -3,7 +3,7 @@
 Help Us Help You!
 {: .subtitle }

-We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik. 
+We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik. 

 The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
 To save us some time and get quicker feedback, be sure to follow the guide lines below.
@@ -14,7 +14,7 @@ To save us some time and get quicker feedback, be sure to follow the guide lines

    For end-user related support questions, try using first:

-    - the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+    - the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)

 ## Issue Title

@@ -22,7 +22,7 @@ The title must be short and descriptive. (~60 characters)

 ## Description

-Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
+Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.

 Explain us in which conditions you encountered the issue, what is your context.

--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -5,41 +5,5 @@ A Quick Guide for Efficient Contributions

 So you've decided to improve Traefik? 
 Thank You! 
-Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.

-Let's go through the classic pitfalls to make sure everything is right. 
-
-## Title
-
-The title must be short and descriptive. (~60 characters)
-
-## Description
-
-Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
-
-Explain the conditions which led you to write this PR: give us context.
-The context should lead to something, an idea or a problem that you’re facing.
-
-Remain clear and concise.
-
-Take time to polish the format of your message so we'll enjoy reading it and working on it.
-Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
-
-## PR Content
-
- Make it small.
- One feature per Pull Request.
- Write useful descriptions and titles.
- Avoid re-formatting code that is not on the path of your PR.
- Make sure the [code builds](building-testing.md).
- Make sure [all tests pass](building-testing.md).
- Add tests.
- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
-
-!!! note "Third-Party Dependencies"
-
-    If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
-
-!!! tip "10 Tips for Better Pull Requests"
-
-    We enjoyed this article, maybe you will too! [10 tips for better pull requests](https://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
+Please review the [guidelines on creating PRs](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md) for Traefik in our [contributors guide repository](https://github.com/traefik/contributors-guide).
--- a/docs/content/contributing/thank-you.md
+++ b/docs/content/contributing/thank-you.md
@@ -3,8 +3,8 @@
 _You_ Made It
 {: .subtitle}

-Traefik truly is an [open-source project](https://github.com/containous/traefik/),
-and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this),
+Traefik truly is an [open-source project](https://github.com/traefik/traefik/),
+and wouldn't have become what it is today without the help of our [many contributors](https://github.com/traefik/traefik/graphs/contributors) (at the time of writing this),
 not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.

 So once again, thank you for your invaluable help on making Traefik such a good product.
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -13,13 +13,13 @@ Configuration in Traefik can refer to two different things:
 Elements in the _static configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).

 The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
-This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.    
+This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.

 !!! warning "Incompatible Configuration"
    Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now.
    If you are running v2, please ensure you are using a v2 configuration.

-## The Dynamic Configuration 
+## The Dynamic Configuration

 Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.

@@ -28,14 +28,14 @@ Since this configuration is specific to your infrastructure choices, we invite y
 !!! info ""

    In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
-    
+
 !!! info "HTTPS Certificates also belong to the dynamic configuration."
-    
-    You can add / update / remove them without restarting your Traefik instance. 
- 
+
+    You can add / update / remove them without restarting your Traefik instance.
+
 ## The Static Configuration

-There are three different, **mutually exclusive** (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:
+There are three different, **mutually exclusive** (i.e. you can use only one at the same time), ways to define static configuration options in Traefik:

 1. In a configuration file
 1. In the command-line arguments
@@ -45,13 +45,13 @@ These ways are evaluated in the order listed above.

 If no value was provided for a given option, a default value applies.
 Moreover, if an option has sub-options, and any of these sub-options is not specified, a default value will apply as well.
-    
+
 For example, the `--providers.docker` option is enough by itself to enable the docker provider, even though sub-options like `--providers.docker.endpoint` exist.
 Once positioned, this option sets (and resets) all the default values of the sub-options of `--providers.docker`.
-    
+
 ### Configuration File

-At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` or `traefik.yaml`) in:
+At startup, Traefik searches for a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:

 - `/etc/traefik/`
 - `$XDG_CONFIG_HOME/`
@@ -61,7 +61,7 @@ At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` o
 You can override this using the `configFile` argument.

 ```bash
-traefik --configFile=foo/bar/myconfigfile.toml
+traefik --configFile=foo/bar/myconfigfile.yml
 ```

 ### Arguments
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -0,0 +1,139 @@
+# FAQ
+
+## Why is Traefik Answering `XXX` HTTP Response Status Code?
+
+Traefik is a dynamic reverse proxy,
+and while the documentation often demonstrates configuration options through file examples,
+the core feature of Traefik is its dynamic configurability,
+directly reacting to changes from providers over time.
+
+Notably, a part of the configuration is [static](../configuration-overview/#the-static-configuration),
+and can be provided by a file on startup, whereas various providers,
+such as the file provider,
+contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](../configuration-overview/#the-dynamic-configuration) changes.
+
+In addition, the configuration englobes concepts such as the EntryPoint which can be seen as a listener on the Transport Layer (TCP),
+as apposed to the Router which is more about the Presentation (TLS) and Application layers (HTTP).
+And there can be as many routers as one wishes for a given EntryPoint.
+
+In other words, for a given Entrypoint,
+at any given time the traffic seen is not bound to be just about one protocol.
+It could be HTTP, or otherwise. Over TLS, or not.
+Not to mention that dynamic configuration changes potentially make that kind of traffic vary over time.
+
+Therefore, in this dynamic context,
+the static configuration of an `entryPoint` does not give any hint whatsoever about how the traffic going through that `entryPoint` is going to be routed.
+Or whether it's even going to be routed at all,
+i.e. whether there is a Router matching the kind of traffic going through it.
+
+### `404 Not found`
+
+Traefik returns a `404` response code in the following situations:
+
+- A request reaching an EntryPoint that has no Routers
+- An HTTP request reaching an EntryPoint that has no HTTP Router
+- An HTTPS request reaching an EntryPoint that has no HTTPS Router
+- A request reaching an EntryPoint that has HTTP/HTTPS Routers that cannot be matched
+
+From Traefik's point of view,
+every time a request cannot be matched with a router the correct response code is a `404 Not found`.
+
+In this situation, the response code is not a `503 Service Unavailable`
+because Traefik is not able to confirm that the lack of a matching router for a request is only temporary.
+Traefik's routing configuration is dynamic and aggregated from different providers,
+hence it's not possible to assume at any moment that a specific route should be handled or not.
+
+??? info "This behavior is consistent with rfc7231"
+
+    ```txt
+    The server is currently unable to handle the request due to a
+    temporary overloading or maintenance of the server. The implication
+    is that this is a temporary condition which will be alleviated after
+    some delay. If known, the length of the delay MAY be indicated in a
+    Retry-After header. If no Retry-After is given, the client SHOULD
+    handle the response as it would for a 500 response.
+
+        Note: The existence of the 503 status code does not imply that a
+        server must use it when becoming overloaded. Some servers may wish
+        to simply refuse the connection.
+    ```
+
+    Extract from [rfc7231#section-6.6.4](https://datatracker.ietf.org/doc/html/rfc7231#section-6.6.4).
+
+### `502 Bad Gateway`
+
+Traefik returns a `502` response code when an error happens while contacting the upstream service.
+
+### `503 Service Unavailable`
+
+Traefik returns a `503` response code when a Router has been matched
+but there are no servers ready to handle the request.
+
+This situation is encountered when a service has been explicitly configured without servers,
+or when a service has healthcheck enabled and all servers are unhealthy.
+
+### `XXX` Instead of `404`
+
+Sometimes, the `404` response code doesn't play well with other parties or services (such as CDNs).
+
+In these situations, you may want Traefik to always reply with a `503` response code,
+instead of a `404` response code.
+
+To achieve this behavior, a simple catchall router,
+with the lowest possible priority and routing to a service without servers,
+can handle all the requests when no other router has been matched.
+
+The example below is a file provider only version (`yaml`) of what this configuration could look like:
+
+```yaml tab="Static configuration"
+# traefik.yml
+
+entrypoints:
+  web:
+    address: :80
+
+providers:
+  file:
+    filename: dynamic.yaml
+```
+
+```yaml tab="Dynamic configuration"
+# dynamic.yaml
+
+http:
+  routers:
+    catchall:
+      # attached only to web entryPoint
+      entryPoints:
+        - "web"
+      # catchall rule
+      rule: "PathPrefix(`/`)"
+      service: unavailable
+      # lowest possible priority
+      # evaluated when no other router is matched
+      priority: 1
+
+  services:
+    # Service that will always answer a 503 Service Unavailable response
+    unavailable:
+      loadBalancer:
+        servers: {}
+```
+
+!!! info "Dedicated service"
+    If there is a need for a response code other than a `503` and/or a custom message,
+    the principle of the above example above (a catchall router) still stands,
+    but the `unavailable` service should be adapted to fit such a need.
+
+## Why Is My TLS Certificate Not Reloaded When Its Contents Change ? 
+
+With the file provider,
+a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
+
+Which is why, when a certificate is defined by path,
+and the actual contents of this certificate change,
+a configuration update is _not_ triggered.
+
+To take into account the new certificate contents, the update of the dynamic configuration must be forced.
+One way to achieve that, is to trigger a file notification,
+for example, by using the `touch` command on the configuration file.
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -9,11 +9,14 @@ You can install Traefik with the following flavors:

 ## Use the Official Docker Image

-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.2/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
+
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.5/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.5/traefik.sample.toml)

 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.2
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.5
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -28,11 +31,11 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 ## Use the Helm Chart

 !!! warning
-    
-    The Traefik Chart from 
-    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://docs.traefik.io/v1.7).

-Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/containous/traefik-helm-chart>.
+    The Traefik Chart from
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
+
+Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.

 Ensure that the following requirements are met:

@@ -42,7 +45,7 @@ Ensure that the following requirements are met:
 Add Traefik's chart repository to Helm:

 ```bash
-helm repo add traefik https://containous.github.io/traefik-helm-chart
+helm repo add traefik https://helm.traefik.io/traefik
 ```

 You can update the chart repository by running:
@@ -58,7 +61,7 @@ helm install traefik traefik/traefik
 ```

 !!! tip "Helm Features"
-    
+
    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
    For instance, installing the chart in a dedicated namespace:

@@ -70,30 +73,30 @@ helm install traefik traefik/traefik
    ```

 ??? example "Installing with Custom Values"
-    
+
    You can customize the installation by specifying custom values,
    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
    {: #helm-custom-values }
-    
+
    The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
-    
+    you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+
    You can also set Traefik command line flags using `additionalArguments`.
    Example of installation with logging set to `DEBUG`:
-    
+
    ```bash tab="Using Helm CLI"
    helm install --namespace=traefik-v2 \
        --set="additionalArguments={--log.level=DEBUG}" \
        traefik traefik/traefik
    ```
-    
+
    ```yml tab="With a custom values file"
    # File custom-values.yml
    ## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
    additionalArguments:
      - "--log.level=DEBUG"
    ```
-    
+
 ### Exposing the Traefik dashboard

 This HelmChart does not expose the Traefik dashboard by default, for security concerns.
@@ -128,7 +131,7 @@ spec:

 ## Use the Binary Distribution

-Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
+Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.

 ??? info "Check the integrity of the downloaded file"

--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -15,7 +15,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v2 Traefik docker image
-    image: traefik:v2.2
+    image: traefik:v2.5
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -48,7 +48,7 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
 # ...
  whoami:
    # A container that exposes an API to show its IP address
-    image: containous/whoami
+    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```
--- a/docs/content/glossary.md
+++ b/docs/content/glossary.md
@@ -1,22 +0,0 @@
-# TODO -- Glossary
-
-Where Every Technical Word finds its Definition`
-{: .subtitle}
-
- [ ] Provider
-    - [ ] Types of providers (KV, annotation based, label based, configuration based)
- [ ] Entrypoint
- [ ] Routers
- [ ] Middleware
- [ ] Service
- [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
- [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
- [ ] ACME
- [ ] TraefikEE
- [ ] Tracing
- [ ] Metrics
- [ ] Orchestrator
- [ ] Key Value Store
- [ ] Logs
- [ ] Traefiker
- [ ] Traefik (How to pronounce)
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -10,10 +10,10 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom

    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
    when experimenting to avoid hitting this limit too fast.
-    
+
 ## Certificate Resolvers

-Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
+Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration),
 which are responsible for retrieving certificates from an ACME server.

 Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
@@ -26,33 +26,33 @@ You can read more about this retrieval mechanism in the following section: [ACME
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ??? note "Configuration Reference"
-    
+
    There are many available options for ACME.
    For a quick glance at what's possible, browse the configuration reference:
-    
-    ```toml tab="File (TOML)"
-    --8<-- "content/https/ref-acme.toml"
-    ```
-    
+
    ```yaml tab="File (YAML)"
    --8<-- "content/https/ref-acme.yaml"
    ```
-    
+
+    ```toml tab="File (TOML)"
+    --8<-- "content/https/ref-acme.toml"
+    ```
+
    ```bash tab="CLI"
    --8<-- "content/https/ref-acme.txt"
    ```

 ## Domain Definition

-Certificate resolvers request certificates for a set of the domain names 
+Certificate resolvers request certificates for a set of the domain names
 inferred from routers, with the following logic:

 - If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
  then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.

- If no [`tls.domains`](../routing/routers/index.md#domains) option is set, 
-  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule), 
-  by checking the `Host()` matchers. 
+- If no [`tls.domains`](../routing/routers/index.md#domains) option is set,
+  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule),
+  by checking the `Host()` matchers.
  Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.

 Please note that:
@@ -69,31 +69,15 @@ Please check the [configuration examples below](#configuration-examples) for mor
 ## Configuration Examples

 ??? example "Enabling ACME"
-    
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-      [entryPoints.websecure]
-        address = ":443"
-    
-    [certificatesResolvers.myresolver.acme]
-      email = "your-email@example.com"
-      storage = "acme.json"
-      [certificatesResolvers.myresolver.acme.httpChallenge]
-        # used during the challenge
-        entryPoint = "web"
-    ```
-    
+
    ```yaml tab="File (YAML)"
    entryPoints:
      web:
        address: ":80"
-    
+
      websecure:
        address: ":443"
-    
+
    certificatesResolvers:
      myresolver:
        acme:
@@ -103,7 +87,23 @@ Please check the [configuration examples below](#configuration-examples) for mor
            # used during the challenge
            entryPoint: web
    ```
-    
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@example.com"
+      storage = "acme.json"
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        # used during the challenge
+        entryPoint = "web"
+    ```
+
    ```bash tab="CLI"
    --entrypoints.web.address=:80
    --entrypoints.websecure.address=:443
@@ -117,23 +117,23 @@ Please check the [configuration examples below](#configuration-examples) for mor
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ??? example "Single Domain from Router's Rule Example"
-    
+
    * A certificate for the domain `example.com` is requested:

    --8<-- "content/https/include-acme-single-domain-example.md"

 ??? example "Multiple Domains from Router's Rule Example"
- 
+
    * A certificate for the domains `example.com` (main) and `blog.example.org`
      is requested:
-    
+
    --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
-    
+
 ??? example "Multiple Domains from Router's `tls.domain` Example"

    * A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
      is requested:
-      
+
    --8<-- "content/https/include-acme-multiple-domains-example.md"

 ## Automatic Renewals
@@ -165,12 +165,6 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry

 ??? example "Configuring the `tlsChallenge`"

-    ```toml tab="File (TOML)"
-    [certificatesResolvers.myresolver.acme]
-      # ...
-      [certificatesResolvers.myresolver.acme.tlsChallenge]
-    ```
-
    ```yaml tab="File (YAML)"
    certificatesResolvers:
      myresolver:
@@ -178,7 +172,13 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
          # ...
          tlsChallenge: {}
    ```
-    
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
+    ```
+
    ```bash tab="CLI"
    # ...
    --certificatesresolvers.myresolver.acme.tlschallenge=true
@@ -193,28 +193,14 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc

 ??? example "Using an EntryPoint Called web for the `httpChallenge`"

-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-      
-      [entryPoints.websecure]
-        address = ":443"
-    
-    [certificatesResolvers.myresolver.acme]
-      # ...
-      [certificatesResolvers.myresolver.acme.httpChallenge]
-        entryPoint = "web"
-    ```
-
    ```yaml tab="File (YAML)"
    entryPoints:
      web:
        address: ":80"
-    
+
      websecure:
        address: ":443"
-    
+
    certificatesResolvers:
      myresolver:
        acme:
@@ -222,7 +208,21 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
          httpChallenge:
            entryPoint: web
    ```
-    
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        entryPoint = "web"
+    ```
+
    ```bash tab="CLI"
    --entrypoints.web.address=:80
    --entrypoints.websecure.address=:443
@@ -239,15 +239,6 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni

 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"

-    ```toml tab="File (TOML)"
-    [certificatesResolvers.myresolver.acme]
-      # ...
-      [certificatesResolvers.myresolver.acme.dnsChallenge]
-        provider = "digitalocean"
-        delayBeforeCheck = 0
-    # ...
-    ```
-    
    ```yaml tab="File (YAML)"
    certificatesResolvers:
      myresolver:
@@ -258,7 +249,16 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
            delayBeforeCheck: 0
        # ...
    ```
-    
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.dnsChallenge]
+        provider = "digitalocean"
+        delayBeforeCheck = 0
+    # ...
+    ```
+
    ```bash tab="CLI"
    # ...
    --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
@@ -270,7 +270,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
        A `provider` is mandatory.

 #### `providers`
- 
+
 Here is a list of supported `providers`, that can automate the DNS verification,
 along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
 Do not hesitate to complete it.
@@ -284,7 +284,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
-| [ArvanCloud](https://arvancloud.com)                        | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
+| [ArvanCloud](https://www.arvancloud.com/en)                 | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)    | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
 | [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
@@ -303,6 +303,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
 | [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
 | [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
+| [Domeneshop](https://domene.shop)                           | `domeneshop`   | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)   |
 | [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
 | [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
 | [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
@@ -322,11 +323,15 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
 | [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
+| [Infoblox](https://www.infoblox.com/)                       | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
+| [Infomaniak](https://www.infomaniak.com)                    | `infomaniak`   | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)   |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
-| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
+| [ionos](https://ionos.com/)                                 | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)        |
+| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
 | [Linode v4](https://www.linode.com)                         | `linode`       | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
+| [Loopia](https://loopia.com/)                               | `loopia`       | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)       |
 | [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
 | manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
@@ -337,11 +342,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
 | [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
+| [Njalla](https://njal.la)                                   | `njalla`       | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)       |
 | [NS1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
 | [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
 | [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
 | [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
+| [Porkbun](https://porkbun.com/)                             | `porkbun`      | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)      |
 | [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
 | [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
 | [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
@@ -352,12 +359,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
 | [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
 | [Servercow](https://servercow.de)                           | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
+| [Simply.com](https://www.simply.com/en/domains/)            | `simply`       | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)       |
+| [Sonic](https://www.sonic.com/)                             | `sonic`        | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)        |
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
 | [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
+| [VinylDNS](https://www.vinyldns.io)                         | `vinyldns`     | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)     |
 | [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
 | [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
+| [WEDOS](https://www.wedos.com)                              | `wedos`        | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)        |
 | [Yandex](https://yandex.com)                                | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
 | [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
@@ -377,14 +388,6 @@ For complete details, refer to your provider's _Additional configuration_ link.

 Use custom DNS servers to resolve the FQDN authority.

-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  [certificatesResolvers.myresolver.acme.dnsChallenge]
-    # ...
-    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
  myresolver:
@@ -397,6 +400,14 @@ certificatesResolvers:
          - "8.8.8.8:53"
 ```

+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+```
+
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
@@ -407,6 +418,35 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).

+## External Account Binding
+
+- `kid`: Key identifier from External CA
+- `hmacEncoded`: HMAC key from External CA, should be in Base64 URL Encoding without padding format
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      eab:
+        kid: abc-keyID-xyz
+        hmacEncoded: abc-hmac-xyz
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.eab]
+    kid = "abc-keyID-xyz"
+    hmacEncoded = "abc-hmac-xyz"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
+--certificatesresolvers.myresolver.acme.eab.hmacencoded=abc-hmac-xyz
+```
+
 ## More Configuration

 ### `caServer`
@@ -420,13 +460,6 @@ The CA server to use:

 ??? example "Using the Let's Encrypt staging server"

-    ```toml tab="File (TOML)"
-    [certificatesResolvers.myresolver.acme]
-      # ...
-      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-      # ...
-    ```
-    
    ```yaml tab="File (YAML)"
    certificatesResolvers:
      myresolver:
@@ -436,6 +469,13 @@ The CA server to use:
          # ...
    ```

+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+      # ...
+    ```
+
    ```bash tab="CLI"
    # ...
    --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
@@ -448,13 +488,6 @@ _Required, Default="acme.json"_

 The `storage` option sets the location where your ACME certificates are saved to.

-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  storage = "acme.json"
-  # ...
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
  myresolver:
@@ -464,6 +497,13 @@ certificatesResolvers:
      # ...
 ```

+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  storage = "acme.json"
+  # ...
+```
+
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.storage=acme.json
@@ -494,13 +534,6 @@ Preferred chain to use.
 If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
 If no match, the default offered chain will be used.

-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  preferredChain = "ISRG Root X1"
-  # ...
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
  myresolver:
@@ -510,12 +543,47 @@ certificatesResolvers:
      # ...
 ```

+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  preferredChain = "ISRG Root X1"
+  # ...
+```
+
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
 # ...
 ```

+### `keyType`
+
+_Optional, Default="RSA4096"_
+
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      keyType: 'RSA4096'
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  keyType = "RSA4096"
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.keyType="RSA4096"
+# ...
+```
+
 ## Fallback

 If Let's Encrypt is not reachable, the following certificates will apply:
--- a/docs/content/https/include-acme-multiple-domains-example.md
+++ b/docs/content/https/include-acme-multiple-domains-example.md
@@ -64,18 +64,6 @@ labels:
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```

-```toml tab="File (TOML)"
-## Dynamic configuration
-[http.routers]
-  [http.routers.blog]
-    rule = "Host(`example.com`) && Path(`/blog`)"
-    [http.routers.blog.tls]
-      certResolver = "myresolver" # From static configuration
-      [[http.routers.blog.tls.domains]]
-        main = "example.org"
-        sans = ["*.example.org"]
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -89,3 +77,15 @@ http:
            sans:
              - "*.example.org"
 ```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "Host(`example.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver" # From static configuration
+      [[http.routers.blog.tls.domains]]
+        main = "example.org"
+        sans = ["*.example.org"]
+```
--- a/docs/content/https/include-acme-multiple-domains-from-rule-example.md
+++ b/docs/content/https/include-acme-multiple-domains-from-rule-example.md
@@ -52,15 +52,6 @@ labels:
  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```

-```toml tab="File (TOML)"
-## Dynamic configuration
-[http.routers]
-  [http.routers.blog]
-    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
-    [http.routers.blog.tls]
-      certResolver = "myresolver"
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -70,3 +61,12 @@ http:
      tls:
        certResolver: myresolver
 ```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver"
+```
--- a/docs/content/https/include-acme-single-domain-example.md
+++ b/docs/content/https/include-acme-single-domain-example.md
@@ -52,15 +52,6 @@ labels:
  - traefik.http.routers.blog.tls.certresolver=myresolver
 ```

-```toml tab="File (TOML)"
-## Dynamic configuration
-[http.routers]
-  [http.routers.blog]
-  rule = "Host(`example.com`) && Path(`/blog`)"
-  [http.routers.blog.tls]
-    certResolver = "myresolver"
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -70,3 +61,12 @@ http:
      tls:
        certResolver: myresolver
 ```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+  rule = "Host(`example.com`) && Path(`/blog`)"
+  [http.routers.blog.tls]
+    certResolver = "myresolver"
+```
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -13,18 +13,6 @@ See the [Let's Encrypt](./acme.md) page.

 To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[[tls.certificates]]
-  certFile = "/path/to/domain.cert"
-  keyFile = "/path/to/domain.key"
-
-[[tls.certificates]]
-  certFile = "/path/to/other-domain.cert"
-  keyFile = "/path/to/other-domain.key"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -36,23 +24,28 @@ tls:
      keyFile: /path/to/other-domain.key
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
+
+[[tls.certificates]]
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
 !!! important "Restriction"

    In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
    It is the only available method to configure the certificates (as well as the options and the stores).
-    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).

 ## Certificates Stores

 In Traefik, certificates are grouped together in certificates stores, which are defined as such:

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.stores]
-  [tls.stores.default]
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -61,28 +54,20 @@ tls:
    default: {}
 ```

-!!! important "Restriction"
-
-    Any store definition other than the default one (named `default`) will be ignored,
-    and there is thefore only one globally available TLS store.
-
-In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
-
 ```toml tab="File (TOML)"
 # Dynamic configuration

-[[tls.certificates]]
-  certFile = "/path/to/domain.cert"
-  keyFile = "/path/to/domain.key"
-  stores = ["default"]
-
-[[tls.certificates]]
-  # Note that since no store is defined,
-  # the certificate below will be stored in the `default` store.
-  certFile = "/path/to/other-domain.cert"
-  keyFile = "/path/to/other-domain.key"
+[tls.stores]
+  [tls.stores.default]
 ```

+!!! important "Restriction"
+
+    Any store definition other than the default one (named `default`) will be ignored,
+    and there is therefore only one globally available TLS store.
+
+In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
+
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -98,6 +83,21 @@ tls:
      keyFile: /path/to/other-domain.key
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
+  stores = ["default"]
+
+[[tls.certificates]]
+  # Note that since no store is defined,
+  # the certificate below will be stored in the `default` store.
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
 !!! important "Restriction"

    The `stores` list will actually be ignored and automatically set to `["default"]`.
@@ -107,16 +107,6 @@ tls:
 Traefik can use a default certificate for connections without a SNI, or without a matching domain.
 This default certificate should be defined in a TLS store:

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.stores]
-  [tls.stores.default]
-    [tls.stores.default.defaultCertificate]
-      certFile = "path/to/cert.crt"
-      keyFile  = "path/to/cert.key"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -128,36 +118,43 @@ tls:
        keyFile: path/to/cert.key
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
+      certFile = "path/to/cert.crt"
+      keyFile  = "path/to/cert.key"
+```
+
 If no default certificate is provided, Traefik generates and uses a self-signed certificate.

 ## TLS Options

 The TLS options allow one to configure some parameters of the TLS connection.

+!!! important "'default' TLS Option"
+
+    The `default` option is special.
+    When no tls options are specified in a tls router, the `default` option is used.  
+    When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.  
+    Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
+    you must specify the provider namespace, for example:  
+    `traefik.http.routers.myrouter.tls.options=myoptions@file`
+
 !!! important "TLSOptions in Kubernetes"

    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
-    if not explicitly overwritten, should apply to all ingresses. To achieve that, you'll have to
-    create a TLSOptions CR with the name `default`. There may exist only one TLSOption with the 
-    name `default` (across all namespaces) - otherwise they will be dropped.  
-    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources) you'll 
-    have to add an annotation to the Ingress in the following form:
+    if not explicitly overwritten, should apply to all ingresses.  
+    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
+    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
+    you'll have to add an annotation to the Ingress in the following form:
    `traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`

 ### Minimum TLS Version

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-
-  [tls.options.default]
-    minVersion = "VersionTLS12"
-
-  [tls.options.mintls13]
-    minVersion = "VersionTLS13"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -170,6 +167,18 @@ tls:
      minVersion: VersionTLS13
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+
+  [tls.options.mintls13]
+    minVersion = "VersionTLS13"
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -197,18 +206,6 @@ We discourage the use of this setting to disable TLS1.3.

 The recommended approach is to update the clients to support TLS1.3.

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-
-  [tls.options.default]
-    maxVersion = "VersionTLS13"
-
-  [tls.options.maxtls12]
-    maxVersion = "VersionTLS12"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -221,6 +218,18 @@ tls:
      maxVersion: VersionTLS12
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    maxVersion = "VersionTLS13"
+
+  [tls.options.maxtls12]
+    maxVersion = "VersionTLS12"
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -246,16 +255,6 @@ spec:

 See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    cipherSuites = [
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
-    ]
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -266,6 +265,16 @@ tls:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+    ]
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -292,14 +301,6 @@ The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#Curve

 See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    curvePreferences = ["CurveP521", "CurveP384"]
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -311,6 +312,14 @@ tls:
        - CurveP384
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    curvePreferences = ["CurveP521", "CurveP384"]
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -329,14 +338,6 @@ spec:
 With strict SNI checking enabled, Traefik won't allow connections from clients
 that do not specify a server_name extension or don't match any certificate configured on the tlsOption.

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    sniStrict = true
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -346,6 +347,14 @@ tls:
      sniStrict: true
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    sniStrict = true
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -362,14 +371,6 @@ spec:
 This option allows the server to choose its most preferred cipher suite instead of the client's.
 Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.

-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    preferServerCipherSuites = true
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration

@@ -379,6 +380,14 @@ tls:
      preferServerCipherSuites: true
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    preferServerCipherSuites = true
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -395,25 +404,14 @@ spec:
 Traefik supports mutual authentication, through the `clientAuth` section.

 For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
- 
+
 The `clientAuth.clientAuthType` option governs the behaviour as follows:

 - `NoClientCert`: disregards any client certificate.
 - `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
 - `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
 - `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`. 
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    [tls.options.default.clientAuth]
-      # in PEM format. each file can contain multiple CAs.
-      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
-      clientAuthType = "RequireAndVerifyClientCert"
-```
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`.

 ```yaml tab="File (YAML)"
 # Dynamic configuration
@@ -429,6 +427,17 @@ tls:
        clientAuthType: RequireAndVerifyClientCert
 ```

+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    [tls.options.default.clientAuth]
+      # in PEM format. each file can contain multiple CAs.
+      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+      clientAuthType = "RequireAndVerifyClientCert"
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -438,7 +447,7 @@ metadata:

 spec:
  clientAuth:
-    # the CA certificate is extracted from key `tls.ca` of the given secrets.
+    # the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
    secretNames:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -3,7 +3,7 @@

 ![Architecture](assets/img/traefik-architecture.png)

-Traefik is an [open-source](https://github.com/containous/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
 It receives requests on behalf of your system and finds out which components are responsible for handling them. 

 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
@@ -20,9 +20,9 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo

 !!! info

-    Join our user friendly and active [Community Forum](https://community.containo.us) to discuss, learn, and connect with the traefik community.
+    Join our user friendly and active [Community Forum](https://community.traefik.io) to discuss, learn, and connect with the traefik community.
    
    If you're a business running critical services behind Traefik,
-    know that [Containous](https://containo.us), the company that sponsors Traefik's development,
-    can provide [commercial support](https://info.containo.us/commercial-services)
-    and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.
+    know that [Traefik Labs](https://traefik.io), the company that sponsors Traefik's development,
+    can provide [commercial support](https://info.traefik.io/commercial-services)
+    and develops an [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik.
--- a/docs/content/middlewares/http/addprefix.md
+++ b/docs/content/middlewares/http/addprefix.md
@@ -1,11 +1,11 @@
 # Add Prefix

-Prefixing the Path 
+Prefixing the Path
 {: .subtitle }

-![AddPrefix](../assets/img/middleware/addprefix.png) 
+![AddPrefix](../../assets/img/middleware/addprefix.png)

-The AddPrefix middleware updates the URL Path of the request before forwarding it.
+The AddPrefix middleware updates the path of a request before forwarding it.

 ## Configuration Examples

@@ -43,13 +43,6 @@ labels:
  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```

-```toml tab="File (TOML)"
-# Prefixing with /foo
-[http.middlewares]
-  [http.middlewares.add-foo.addPrefix]
-    prefix = "/foo"
-```
-
 ```yaml tab="File (YAML)"
 # Prefixing with /foo
 http:
@@ -59,9 +52,16 @@ http:
        prefix: "/foo"
 ```

+```toml tab="File (TOML)"
+# Prefixing with /foo
+[http.middlewares]
+  [http.middlewares.add-foo.addPrefix]
+    prefix = "/foo"
+```
+
 ## Configuration Options

 ### `prefix`

 `prefix` is the string to add before the current path in the requested URL.
-It should include the leading slash (`/`).
+It should include a leading slash (`/`).
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -3,9 +3,9 @@
 Adding Basic Authentication
 {: .subtitle }

-![BasicAuth](../assets/img/middleware/basicauth.png)
+![BasicAuth](../../assets/img/middleware/basicauth.png)

-The BasicAuth middleware is a quick way to restrict access to your services to known users.
+The BasicAuth middleware restricts access to your services to known users.

 ## Configuration Examples

@@ -14,7 +14,7 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
 #
 # Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
@@ -48,16 +48,6 @@ labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-  users = [
-    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
-    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-  ]
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -65,26 +55,36 @@ http:
    test-auth:
      basicAuth:
        users:
-          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
 ## Configuration Options

 ### General

 Passwords must be hashed using MD5, SHA1, or BCrypt.

-!!! tip 
+!!! tip

    Use `htpasswd` to generate the passwords.

 ### `users`

-The `users` option is an array of authorized users. Each user will be declared using the `name:hashed-password` format.
+The `users` option is an array of authorized users. Each user must be declared using the `name:hashed-password` format.

 !!! note ""
-    
+
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

@@ -142,16 +142,6 @@ labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-    users = [
-      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
-      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-    ]
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -159,10 +149,20 @@ http:
    test-auth:
      basicAuth:
        users:
-          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    users = [
+      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+    ]
+```
+
 ### `usersFile`

 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@@ -170,9 +170,9 @@ The `usersFile` option is the path to an external file that contains the authori
 The file content is a list of `name:hashed-password`.

 !!! note ""
-    
+
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
-    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

 ```yaml tab="Docker"
 labels:
@@ -216,12 +216,6 @@ labels:
  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-    usersFile = "/path/to/my/usersfile"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -230,6 +224,12 @@ http:
        usersFile: "/path/to/my/usersfile"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"

    ```txt
@@ -239,7 +239,7 @@ http:

 ### `realm`

-You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
+You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.

 ```yaml tab="Docker"
 labels:
@@ -271,12 +271,6 @@ labels:
  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-    realm = "MyRealm"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -285,6 +279,12 @@ http:
        realm: "MyRealm"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    realm = "MyRealm"
+```
+
 ### `headerField`

 You can define a header field to store the authenticated user using the `headerField`option.
@@ -315,12 +315,6 @@ spec:
 }
 ```

-```toml tab="File (TOML)"
-[http.middlewares.my-auth.basicAuth]
-  # ...
-  headerField = "X-WebAuth-User"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -330,6 +324,12 @@ http:
        headerField: "X-WebAuth-User"
 ```

+```toml tab="File (TOML)"
+[http.middlewares.my-auth.basicAuth]
+  # ...
+  headerField = "X-WebAuth-User"
+```
+
 ### `removeHeader`

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
@@ -364,12 +364,6 @@ labels:
  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-    removeHeader = true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -377,3 +371,9 @@ http:
      basicAuth:
        removeHeader: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    removeHeader = true
+```
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -3,24 +3,24 @@
 How to Read the Request before Forwarding It
 {: .subtitle }

-![Buffering](../assets/img/middleware/buffering.png)
+![Buffering](../../assets/img/middleware/buffering.png)

-The Buffering middleware gives you control on how you want to read the requests before sending them to services.
+The Buffering middleware limits the size of requests that can be forwarded to services.

-With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified limit.
+With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.

-This can help services deal with large data (multipart/form-data for example), and can minimize time spent sending data to a service.
+This can help services avoid large amounts of data (`multipart/form-data` for example), and can minimize the time spent sending data to a service.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 labels:
  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

 ```yaml tab="Kubernetes"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -31,7 +31,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

@@ -42,20 +42,13 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 labels:
  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

-```toml tab="File (TOML)"
-# Sets the maximum request body to 2Mb
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    maxRequestBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 http:
  middlewares:
    limit:
@@ -63,13 +56,20 @@ http:
        maxRequestBodyBytes: 2000000
 ```

+```toml tab="File (TOML)"
+# Sets the maximum request body to 2MB
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
 ## Configuration Options

 ### `maxRequestBodyBytes`

-With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
+The `maxRequestBodyBytes` option configures the maximum allowed body size for the request (in bytes).

-If the request exceeds the allowed size, it is not forwarded to the service and the client gets a `413 (Request Entity Too Large)` response.
+If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413 (Request Entity Too Large)` response.

 ```yaml tab="Docker"
 labels:
@@ -101,12 +101,6 @@ labels:
  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    maxRequestBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -115,9 +109,15 @@ http:
        maxRequestBodyBytes: 2000000
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
 ### `memRequestBodyBytes`

-You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.

 ```yaml tab="Docker"
 labels:
@@ -149,12 +149,6 @@ labels:
  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    memRequestBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -163,9 +157,15 @@ http:
        memRequestBodyBytes: 2000000
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memRequestBodyBytes = 2000000
+```
+
 ### `maxResponseBodyBytes`

-With the `maxResponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
+The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).

 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.

@@ -199,12 +199,6 @@ labels:
  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    maxResponseBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -213,9 +207,15 @@ http:
        maxResponseBodyBytes: 2000000
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxResponseBodyBytes = 2000000
+```
+
 ### `memResponseBodyBytes`

-You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.

 ```yaml tab="Docker"
 labels:
@@ -247,12 +247,6 @@ labels:
  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    memResponseBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -261,17 +255,23 @@ http:
        memResponseBodyBytes: 2000000
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memResponseBodyBytes = 2000000
+```
+
 ### `retryExpression`

-You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
+You can have the Buffering middleware replay the request using `retryExpression`.
+
+??? example "Retries once in the case of a network error"

-??? example "Retries once in case of a network error"
-    
    ```yaml tab="Docker"
    labels:
      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
    ```
-    
+
    ```yaml tab="Kubernetes"
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
@@ -281,28 +281,22 @@ You can have the Buffering middleware replay the request with the help of the `r
      buffering:
        retryExpression: "IsNetworkError() && Attempts() < 2"
    ```
-    
+
    ```yaml tab="Consul Catalog"
    - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
    ```
-        
+
    ```json tab="Marathon"
    "labels": {
      "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
    }
    ```
-    
+
    ```yaml tab="Rancher"
    labels:
      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
    ```
-    
-    ```toml tab="File (TOML)"
-    [http.middlewares]
-      [http.middlewares.limit.buffering]
-        retryExpression = "IsNetworkError() && Attempts() < 2"
-    ```
-    
+
    ```yaml tab="File (YAML)"
    http:
      middlewares:
@@ -311,8 +305,14 @@ You can have the Buffering middleware replay the request with the help of the `r
            retryExpression: "IsNetworkError() && Attempts() < 2"
    ```

+    ```toml tab="File (TOML)"
+    [http.middlewares]
+      [http.middlewares.limit.buffering]
+        retryExpression = "IsNetworkError() && Attempts() < 2"
+    ```
+
 The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`). At least one function is required:

 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service
- `IsNetworkError()` - if the response code is related to networking error 
+- `IsNetworkError()` whether the response code is related to networking error
--- a/docs/content/middlewares/http/chain.md
+++ b/docs/content/middlewares/http/chain.md
@@ -3,14 +3,14 @@
 When One Isn't Enough
 {: .subtitle }

-![Chain](../assets/img/middleware/chain.png)
+![Chain](../../assets/img/middleware/chain.png)

-The Chain middleware enables you to define reusable combinations of other pieces of middleware. 
+The Chain middleware enables you to define reusable combinations of other pieces of middleware.
 It makes reusing the same groups easier.

 ## Configuration Example

-Example "A Chain for WhiteList, BasicAuth, and HTTPS"
+Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.

 ```yaml tab="Docker"
 labels:
@@ -21,7 +21,7 @@ labels:
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-  - "http.services.service1.loadbalancer.server.port=80"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

 ```yaml tab="Kubernetes"
@@ -30,11 +30,9 @@ kind: IngressRoute
 metadata:
  name: test
  namespace: default
-
 spec:
  entryPoints:
    - web
-
  routes:
    - match: Host(`mydomain`)
      kind: Rule
@@ -91,7 +89,7 @@ spec:
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
 - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
+- "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

 ```json tab="Marathon"
@@ -103,7 +101,7 @@ spec:
  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
-  "http.services.service1.loadbalancer.server.port": "80"
+  "traefik.http.services.service1.loadbalancer.server.port": "80"
 }
 ```

@@ -116,39 +114,11 @@ labels:
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-  - "http.services.service1.loadbalancer.server.port=80"
-```
-
-```toml tab="File (TOML)"
-# ...    
-[http.routers]
-  [http.routers.router1]
-    service = "service1"
-    middlewares = ["secured"]
-    rule = "Host(`mydomain`)"
-
-[http.middlewares]
-  [http.middlewares.secured.chain]
-    middlewares = ["https-only", "known-ips", "auth-users"]
-
-  [http.middlewares.auth-users.basicAuth]
-    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
-
-  [http.middlewares.https-only.redirectScheme]
-    scheme = "https"
-
-  [http.middlewares.known-ips.ipWhiteList]
-    sourceRange = ["192.168.1.7", "127.0.0.1/32"]
-
-[http.services]
-  [http.services.service1]
-    [http.services.service1.loadBalancer]
-      [[http.services.service1.loadBalancer.servers]]
-        url = "http://127.0.0.1:80"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

 ```yaml tab="File (YAML)"
-# ...    
+# ...
 http:
  routers:
    router1:
@@ -186,3 +156,31 @@ http:
        servers:
          - url: "http://127.0.0.1:80"
 ```
+
+```toml tab="File (TOML)"
+# ...
+[http.routers]
+  [http.routers.router1]
+    service = "service1"
+    middlewares = ["secured"]
+    rule = "Host(`mydomain`)"
+
+[http.middlewares]
+  [http.middlewares.secured.chain]
+    middlewares = ["https-only", "known-ips", "auth-users"]
+
+  [http.middlewares.auth-users.basicAuth]
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+
+  [http.middlewares.https-only.redirectScheme]
+    scheme = "https"
+
+  [http.middlewares.known-ips.ipWhiteList]
+    sourceRange = ["192.168.1.7", "127.0.0.1/32"]
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
+```
--- a/docs/content/middlewares/http/circuitbreaker.md
+++ b/docs/content/middlewares/http/circuitbreaker.md
@@ -3,27 +3,24 @@
 Don't Waste Time Calling Unhealthy Services
 {: .subtitle }

-![CircuitBreaker](../assets/img/middleware/circuitbreaker.png) 
+![CircuitBreaker](../../assets/img/middleware/circuitbreaker.png)

-The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
+The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.

 When your system is healthy, the circuit is closed (normal operations).
-When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
+When your system becomes unhealthy, the circuit opens, and the requests are no longer forwarded, but instead are handled by a fallback mechanism.

-To assess if your system is healthy, the circuit breaker constantly monitors the services. 
+To assess if your system is healthy, the circuit breaker constantly monitors the services.

 !!! note ""

-    - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
-    - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
+    The CircuitBreaker only analyzes what happens _after_ its position within the middleware chain. What happens _before_ has no impact on its state.

 !!! important

-    Each router will eventually gets its own instance of a given circuit breaker.
-    
-    If two different routers refer to the same circuit breaker definition, they will get one instance each.
-    It means that one circuit breaker can be open while the other stays closed: their state is not shared.
-    
+    Each router gets its own instance of a given circuit breaker.
+    One circuit breaker instance can be open while the other remains closed: their state is not shared.
+
    This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.

 ## Configuration Examples
@@ -62,13 +59,6 @@ labels:
  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```

-```toml tab="File (TOML)"
-# Latency Check
-[http.middlewares]
-  [http.middlewares.latency-check.circuitBreaker]
-    expression = "LatencyAtQuantileMS(50.0) > 100"
-```
-
 ```yaml tab="File (YAML)"
 # Latency Check
 http:
@@ -78,6 +68,13 @@ http:
        expression: "LatencyAtQuantileMS(50.0) > 100"
 ```

+```toml tab="File (TOML)"
+# Latency Check
+[http.middlewares]
+  [http.middlewares.latency-check.circuitBreaker]
+    expression = "LatencyAtQuantileMS(50.0) > 100"
+```
+
 ## Possible States

 There are three possible states for your circuit breaker:
@@ -90,70 +87,71 @@ There are three possible states for your circuit breaker:

 While the circuit is closed, the circuit breaker only collects metrics to analyze the behavior of the requests.

-At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change. 
+At specified intervals (`checkPeriod`), the circuit breaker evaluates `expression` to decide if its state must change.

 ### Open

 While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
-After this duration, it will enter the recovering state.
+After this duration, it enters the recovering state.

 ### Recovering

-While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
-If your service fails during recovery, the circuit breaker becomes open again.
-If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
+While recovering, the circuit breaker sends linearly increasing amounts of requests to your service (for `RecoveryDuration`).
+If your service fails during recovery, the circuit breaker opens again.
+If the service operates normally during the entire recovery duration, then the circuit breaker closes.

 ## Configuration Options

 ### Configuring the Trigger

-You can specify an `expression` that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services).
+You can specify an `expression` that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling your services.

-The `expression` can check three different metrics:
+The `expression` option can check three different metrics:

 - The network error ratio (`NetworkErrorRatio`)
 - The status code ratio (`ResponseCodeRatio`)
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
+- The latency at a quantile in milliseconds (`LatencyAtQuantileMS`)

 #### `NetworkErrorRatio`

-If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
+If you want the circuit breaker to open at a 30% ratio of network errors, the `expression` is `NetworkErrorRatio() > 0.30`

 #### `ResponseCodeRatio`

-You can trigger the circuit breaker based on the ratio of a given range of status codes.
+You can configure the circuit breaker to open based on the ratio of a given range of status codes.

 The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.

 The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).

 !!! note ""
-    If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
-    
-    `from`is inclusive, `to` is exclusive. 

-For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX). 
+    If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
+
+    `from`is inclusive, `to` is exclusive.
+
+For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).

 #### `LatencyAtQuantileMS`

-You can trigger the circuit breaker when a given proportion of your requests become too slow.
+You can configure the circuit breaker to open when a given proportion of your requests become too slow.

-For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
+For example, the expression `LatencyAtQuantileMS(50.0) > 100` opens the circuit breaker when the median latency (quantile 50) reaches 100ms.

 !!! note ""

-    You must provide a float number (with the trailing .0) for the quantile value
- 
-#### Using multiple metrics
+    You must provide a floating point number (with the trailing .0) for the quantile value

-You can combine multiple metrics using operators in your expression.
+#### Using Multiple Metrics
+
+You can combine multiple metrics using operators in your `expression`.

 Supported operators are:

 - AND (`&&`)
 - OR (`||`)

-For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%. 
+For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.

 #### Operators

@@ -168,8 +166,8 @@ Here is the list of supported operators:

 ### Fallback mechanism

-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service).
-This behavior cannot be configured. 
+The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
+This behavior cannot be configured.

 ### `CheckPeriod`

@@ -182,6 +180,6 @@ By default, `FallbackDuration` is 10 seconds. This value cannot be configured.

 ### `RecoveringDuration`

-The duration of the recovering mode (recovering state). 
+The duration of the recovering mode (recovering state).

-By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.  
+By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -1,11 +1,11 @@
 # Compress

-Compressing the Response before Sending it to the Client
+Compress Responses before Sending them to the Client
 {: .subtitle }

-![Compress](../assets/img/middleware/compress.png)
+![Compress](../../assets/img/middleware/compress.png)

-The Compress middleware enables the gzip compression. 
+The Compress middleware uses gzip compression.

 ## Configuration Examples

@@ -42,12 +42,6 @@ labels:
  - "traefik.http.middlewares.test-compress.compress=true"
 ```

-```toml tab="File (TOML)"
-# Enable gzip compression
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-```
-
 ```yaml tab="File (YAML)"
 # Enable gzip compression
 http:
@@ -56,24 +50,30 @@ http:
      compress: {}
 ```

+```toml tab="File (TOML)"
+# Enable gzip compression
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+```
+
 !!! info
-    
-    Responses are compressed when:
-    
+
+    Responses are compressed when the following criteria are all met:
+
    * The response body is larger than `1400` bytes.
    * The `Accept-Encoding` request header contains `gzip`.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

-    If Content-Type header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type. 
-    It will also set accordingly the `Content-Type` header with the detected MIME type.
-    
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
+
 ## Configuration Options

 ### `excludedContentTypes`

-`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests to before compressing.
+`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.

-The requests with content types defined in `excludedContentTypes` are not compressed.
+The responses with content types defined in `excludedContentTypes` are not compressed.

 Content types are compared in a case-insensitive, whitespace-ignored manner.

@@ -108,12 +108,6 @@ labels:
  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-    excludedContentTypes = ["text/event-stream"]
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -122,3 +116,9 @@ http:
        excludedContentTypes:
          - text/event-stream
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    excludedContentTypes = ["text/event-stream"]
+```
--- a/docs/content/middlewares/http/contenttype.md
+++ b/docs/content/middlewares/http/contenttype.md
@@ -1,18 +1,18 @@
-
 # ContentType

-Handling ContentType auto-detection
+Handling Content-Type auto-detection
 {: .subtitle }

-The Content-Type middleware - or rather its unique `autoDetect` option -
+The Content-Type middleware - or rather its `autoDetect` option -
 specifies whether to let the `Content-Type` header,
-if it has not been set by the backend,
+if it has not been defined by the backend,
 be automatically set to a value derived from the contents of the response.

 As a proxy, the default behavior should be to leave the header alone,
 regardless of what the backend did with it.
-However, the historic default was to always auto-detect and set the header if it was nil,
-and it is going to be kept that way in order to support users currently relying on it.
+However, the historic default was to always auto-detect and set the header if it was not already defined,
+and altering this behavior would be a breaking change which would impact many users.
+
 This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.

 !!! info
@@ -21,7 +21,7 @@ This middleware exists to enable the correct behavior until at least the default
    is still to automatically set the `Content-Type` header.
    Therefore, given the default value of the `autoDetect` option (false),
    simply enabling this middleware for a router switches the router's behavior.
-    
+
    The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
    Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).

@@ -61,13 +61,6 @@ labels:
  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
 ```

-```toml tab="File (TOML)"
-# Disable auto-detection
-[http.middlewares]
-  [http.middlewares.autodetect.contentType]
-     autoDetect=false
-```
-
 ```yaml tab="File (YAML)"
 # Disable auto-detection
 http:
@@ -77,6 +70,13 @@ http:
        autoDetect: false
 ```

+```toml tab="File (TOML)"
+# Disable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+     autoDetect=false
+```
+
 ## Configuration Options

 ### `autoDetect`
--- a/docs/content/middlewares/http/digestauth.md
+++ b/docs/content/middlewares/http/digestauth.md
@@ -1,11 +1,11 @@
 # DigestAuth

 Adding Digest Authentication
-{: .subtitle } 
+{: .subtitle }

-![BasicAuth](../assets/img/middleware/digestauth.png)
+![BasicAuth](../../assets/img/middleware/digestauth.png)

-The DigestAuth middleware is a quick way to restrict access to your services to known users.
+The DigestAuth middleware restricts access to your services to known users.

 ## Configuration Examples

@@ -43,16 +43,6 @@ labels:
  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    users = [
-      "test:traefik:a2688e031edb4be6a3797f3882655c05",
-      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
-    ]
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -64,10 +54,20 @@ http:
          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
 ## Configuration Options

-!!! tip 
-   
+!!! tip
+
    Use `htdigest` to generate passwords.

 ### `users`
@@ -75,9 +75,9 @@ http:
 The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.

 !!! note ""
-    
+
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
-    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

 ```yaml tab="Docker"
 labels:
@@ -120,15 +120,6 @@ labels:
  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    users = [
-      "test:traefik:a2688e031edb4be6a3797f3882655c05",
-      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
-    ]
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -139,6 +130,15 @@ http:
          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
 ### `usersFile`

 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@@ -146,9 +146,9 @@ The `usersFile` option is the path to an external file that contains the authori
 The file content is a list of `name:realm:encoded-password`.

 !!! note ""
-    
+
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
-    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

 ```yaml tab="Docker"
 labels:
@@ -192,12 +192,6 @@ labels:
  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    usersFile = "/path/to/my/usersfile"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -206,6 +200,12 @@ http:
        usersFile: "/path/to/my/usersfile"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"

    ```txt
@@ -215,7 +215,7 @@ http:

 ### `realm`

-You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
+You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.

 ```yaml tab="Docker"
 labels:
@@ -247,12 +247,6 @@ labels:
  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    realm = "MyRealm"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -261,6 +255,12 @@ http:
        realm: "MyRealm"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    realm = "MyRealm"
+```
+
 ### `headerField`

 You can customize the header field for the authenticated user using the `headerField`option.
@@ -296,12 +296,6 @@ labels:
  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```

-```toml tab="File (TOML)"
-[http.middlewares.my-auth.digestAuth]
-  # ...
-  headerField = "X-WebAuth-User"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -311,6 +305,12 @@ http:
        headerField: "X-WebAuth-User"
 ```

+```toml tab="File (TOML)"
+[http.middlewares.my-auth.digestAuth]
+  # ...
+  headerField = "X-WebAuth-User"
+```
+
 ### `removeHeader`

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
@@ -345,12 +345,6 @@ labels:
  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    removeHeader = true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -358,3 +352,9 @@ http:
      digestAuth:
        removeHeader: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    removeHeader = true
+```
--- a/docs/content/middlewares/http/errorpages.md
+++ b/docs/content/middlewares/http/errorpages.md
@@ -3,7 +3,7 @@
 It Has Never Been Easier to Say That Something Went Wrong
 {: .subtitle }

-![ErrorPages](../assets/img/middleware/errorpages.png)
+![ErrorPages](../../assets/img/middleware/errorpages.png)

 The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.

@@ -28,7 +28,7 @@ metadata:
 spec:
  errors:
    status:
-      - 500-599
+      - "500-599"
    query: /{status}.html
    service:
      name: whoami
@@ -58,6 +58,21 @@ labels:
  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```

+```yaml tab="File (YAML)"
+# Custom Error Page for 5XX
+http:
+  middlewares:
+    test-errorpage:
+      errors:
+        status:
+          - "500-599"
+        service: serviceError
+        query: "/{status}.html"
+
+  services:
+    # ... definition of error-handler-service and my-service
+```
+
 ```toml tab="File (TOML)"
 # Custom Error Page for 5XX
 [http.middlewares]
@@ -70,43 +85,33 @@ labels:
  # ... definition of error-handler-service and my-service
 ```

-```yaml tab="File (YAML)"
-# Custom Error Page for 5XX
-http:
-  middlewares:
-    test-errorpage:
-      errors:
-        status:
-          - "500-599"
-        service: serviceError
-        query: "/{status}.html"
+!!! note ""

-[http.services]
-  # ... definition of error-handler-service and my-service
-```
-
-!!! note "" 
    In this example, the error page URL is based on the status code (`query=/{status}.html`).

 ## Configuration Options

 ### `status`

-The `status` that will trigger the error page.
+The `status` option defines which status or range of statuses should result in an error page.

 The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
- 
-!!! note "" 

-    You can define either a status code like `500` or ranges with a syntax like `500-599`.
+!!! note ""
+
+    You can define either a status code as a number (`500`),
+    as multiple comma-separated numbers (`500,502`),
+    as ranges by separating two codes with a dash (`500-599`),
+    or a combination of the two (`404,418,500-599`).

 ### `service`

 The service that will serve the new requested error page.

-!!! note "" 
-    In kubernetes, you need to reference a kubernetes service instead of a traefik service.
+!!! note ""
+
+    In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.

 ### `query`

-The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
+The URL for the error page (hosted by `service`). You can use the `{status}` variable in the `query` option in order to insert the status code in the URL.
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -1,12 +1,12 @@
 # ForwardAuth

-Using an External Service to Check for Credentials
+Using an External Service to Forward Authentication
 {: .subtitle }

-![AuthForward](../assets/img/middleware/authforward.png)
+![AuthForward](../../assets/img/middleware/authforward.png)

-The ForwardAuth middleware delegate the authentication to an external service.
-If the service response code is 2XX, access is granted and the original request is performed.
+The ForwardAuth middleware delegates authentication to an external service.
+If the service answers with a 2XX code, access is granted, and the original request is performed.
 Otherwise, the response from the authentication server is returned.

 ## Configuration Examples
@@ -45,13 +45,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```

-```toml tab="File (TOML)"
-# Forward authentication to example.com
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-```
-
 ```yaml tab="File (YAML)"
 # Forward authentication to example.com
 http:
@@ -61,6 +54,25 @@ http:
        address: "https://example.com/auth"
 ```

+```toml tab="File (TOML)"
+# Forward authentication to example.com
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+```
+
+## Forward-Request Headers
+
+The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
+
+| Property          | Forward-Request Header |
+|-------------------|------------------------|
+| HTTP Method       | X-Forwarded-Method     |
+| Protocol          | X-Forwarded-Proto      |
+| Host              | X-Forwarded-Host       |
+| Request URI       | X-Forwarded-Uri        |
+| Source IP-Address | X-Forwarded-For        |
+
 ## Configuration Options

 ### `address`
@@ -79,7 +91,7 @@ metadata:
  name: test-auth
 spec:
  forwardAuth:
-    address: https://example.com/auth 
+    address: https://example.com/auth
 ```

 ```yaml tab="Consul Catalog"
@@ -97,12 +109,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -111,9 +117,15 @@ http:
        address: "https://example.com/auth"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+```
+
 ### `trustForwardHeader`

-Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
+Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.

 ```yaml tab="Docker"
 labels:
@@ -146,13 +158,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    trustForwardHeader = true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -162,9 +167,17 @@ http:
        trustForwardHeader: true
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    trustForwardHeader = true
+```
+
 ### `authResponseHeaders`

-The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
+The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on
+forwarded request, replacing any existing conflicting headers.

 ```yaml tab="Docker"
 labels:
@@ -199,13 +212,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    authResponseHeaders = ["X-Auth-User", "X-Secret"]
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -217,6 +223,124 @@ http:
          - "X-Secret"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authResponseHeaders = ["X-Auth-User", "X-Secret"]
+```
+
+### `authResponseHeadersRegex`
+
+The `authResponseHeadersRegex` option is the regex to match headers to copy from the authentication server response and
+set on forwarded request, after stripping all headers that match the regex.
+It allows partial matching of the regular expression against the header key.
+The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    authResponseHeadersRegex: ^X-
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex": "^X-"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        authResponseHeadersRegex: "^X-"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authResponseHeadersRegex = "^X-"
+```
+
+### `authRequestHeaders`
+
+The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
+It allows filtering headers that should not be passed to the authentication server.
+If not set or empty then all request headers are passed.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    authRequestHeaders:
+      - "Accept"
+      - "X-CustomHeader"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders": "Accept,X-CustomHeader"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        authRequestHeaders:
+          - "Accept"
+          - "X-CustomHeader"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authRequestHeaders = "Accept,X-CustomHeader"
+```
+
 ### `tls`

 The `tls` option is the TLS configuration from Traefik to the authentication server.
@@ -249,7 +373,8 @@ metadata:
  namespace: default

 data:
-  ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  # Must contain a certificate under either a `tls.ca` or a `ca.crt` key. 
+  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
 ```

 ```yaml tab="Consul Catalog"
@@ -267,14 +392,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      ca = "path/to/local.crt"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -285,14 +402,25 @@ http:
          ca: "path/to/local.crt"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      ca = "path/to/local.crt"
+```
+
 #### `tls.caOptional`

-Policy used for the secured connection with TLS Client Authentication to the authentication server.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.

- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.

 ```yaml tab="Docker"
 labels:
@@ -326,14 +454,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      caOptional = true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -344,9 +464,17 @@ http:
          caOptional: true
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      caOptional = true
+```
+
 #### `tls.cert`

-Public certificate used for the secured connection to the authentication server.
+The public certificate used for the secure connection to the authentication server.

 ```yaml tab="Docker"
 labels:
@@ -395,15 +523,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      cert = "path/to/foo.cert"
-      key = "path/to/foo.key"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -415,12 +534,22 @@ http:
          key: "path/to/foo.key"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
 !!! info
-    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

 #### `tls.key`

-Private certificate used for the secure connection to the authentication server.
+The private certificate used for the secure connection to the authentication server.

 ```yaml tab="Docker"
 labels:
@@ -469,15 +598,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      cert = "path/to/foo.cert"
-      key = "path/to/foo.key"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -489,12 +609,22 @@ http:
          key: "path/to/foo.key"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
 !!! info
-    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

 #### `tls.insecureSkipVerify`

-If `insecureSkipVerify` is `true`, TLS for the connection to authentication server accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.

 ```yaml tab="Docker"
 labels:
@@ -528,14 +658,6 @@ labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      insecureSkipVerify: true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -545,3 +667,11 @@ http:
        tls:
          insecureSkipVerify: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      insecureSkipVerify: true
+```
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -1,17 +1,17 @@
-# Headers 
+# Headers

-Adding Headers to the Request / Response
+Managing Request/Response headers
 {: .subtitle }

-![Headers](../assets/img/middleware/headers.png)
+![Headers](../../assets/img/middleware/headers.png)

-The Headers middleware can manage the requests/responses headers.
+The Headers middleware manages the headers of requests and responses.

 ## Configuration Examples

 ### Adding Headers to the Request and the Response

-Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
+The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response

 ```yaml tab="Docker"
 labels:
@@ -23,7 +23,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
  headers:
    customRequestHeaders:
@@ -50,15 +50,6 @@ labels:
  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.testHeader.headers]
-    [http.middlewares.testHeader.headers.customRequestHeaders]
-        X-Script-Name = "test"
-    [http.middlewares.testHeader.headers.customResponseHeaders]
-        X-Custom-Response-Header = "value"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -70,23 +61,32 @@ http:
          X-Custom-Response-Header: "value"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
+        X-Script-Name = "test"
+    [http.middlewares.testHeader.headers.customResponseHeaders]
+        X-Custom-Response-Header = "value"
+```
+
 ### Adding and Removing Headers

-`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
-and the `X-Custom-Response-Header` header removed from the response.
-
-Please note that it is not possible to remove headers through the use of labels (Docker, Rancher, Marathon, ...) for now.
+In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
+and responses are stripped of their `X-Custom-Response-Header` header.

 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```

 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
  headers:
    customRequestHeaders:
@@ -98,27 +98,23 @@ spec:

 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```

 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header": "",
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "",
 }
 ```

 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.testHeader.headers]
-    [http.middlewares.testHeader.headers.customRequestHeaders]
-        X-Script-Name = "test" # Adds
-        X-Custom-Request-Header = "" # Removes
-    [http.middlewares.testHeader.headers.customResponseHeaders]
-        X-Custom-Response-Header = "" # Removes
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```

 ```yaml tab="File (YAML)"
@@ -133,60 +129,70 @@ http:
          X-Custom-Response-Header: "" # Removes
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
+        X-Script-Name = "test" # Adds
+        X-Custom-Request-Header = "" # Removes
+    [http.middlewares.testHeader.headers.customResponseHeaders]
+        X-Custom-Response-Header = "" # Removes
+```
+
 ### Using Security Headers

-Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured in a manner similar to the custom headers above.
-This functionality allows for some easy security features to quickly be set.
+Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
+This functionality makes it possible to easily use security features by adding headers.

 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testHeader.headers.framedeny=true"
-  - "traefik.http.middlewares.testHeader.headers.sslredirect=true"
+  - "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
 ```

 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
  headers:
    frameDeny: true
-    sslRedirect: true
+    browserxssfilter: true
 ```

 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.framedeny=true"
- "traefik.http.middlewares.testheader.headers.sslredirect=true"
+- "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
 ```

 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.framedeny": "true",
-  "traefik.http.middlewares.testheader.headers.sslredirect": "true"
+  "traefik.http.middlewares.testheader.headers.browserxssfilter": "true"
 }
 ```

 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testheader.headers.framedeny=true"
-  - "traefik.http.middlewares.testheader.headers.sslredirect=true"
+  - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
 ```

-```toml tab="File (TOML)"    
-[http.middlewares]
-  [http.middlewares.testHeader.headers]
-    frameDeny = true
-    sslRedirect = true
-```
-
-```yaml tab="File (YAML)"  
+```yaml tab="File (YAML)"
 http:
  middlewares:
    testHeader:
      headers:
        frameDeny: true
-        sslRedirect: true
+        browserxssfilter: true
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    frameDeny = true
+    browserxssfilter = true
 ```

 ### CORS Headers
@@ -206,7 +212,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
  headers:
    accessControlAllowMethods:
@@ -244,15 +250,6 @@ labels:
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```

-```toml tab="File (TOML)"    
-[http.middlewares]
-  [http.middlewares.testHeader.headers]
-    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
-    accessControlMaxAge = 100
-    addVaryHeader = true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -269,23 +266,34 @@ http:
        addVaryHeader: true
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
+    accessControlMaxAge = 100
+    addVaryHeader = true
+```
+
 ## Configuration Options

 ### General

 !!! warning
-    If the custom header name is the same as one header name of the request or response, it will be replaced.
+
+    Custom headers will overwrite existing headers if they have identical names.

 !!! note ""
-    The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
+
+    The detailed documentation for security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).

 ### `customRequestHeaders`

-The `customRequestHeaders` option lists the Header names and values to apply to the request.
+The `customRequestHeaders` option lists the header names and values to apply to the request.

 ### `customResponseHeaders`

-The `customResponseHeaders` option lists the Header names and values to apply to the response.
+The `customResponseHeaders` option lists the header names and values to apply to the response.

 ### `accessControlAllowCredentials`

@@ -303,18 +311,27 @@ The  `accessControlAllowMethods` indicates which methods can be used during requ

 The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.

-A wildcard origin `*` can also be configured, and will match all requests.
-If this value is set by a backend server, it will be overwritten by Traefik
+A wildcard origin `*` can also be configured, and matches all requests.
+If this value is set by a backend service, it will be overwritten by Traefik.

-This value can contains a list of allowed origins.
+This value can contain a list of allowed origins.

-More information including how to use the settings can be found on:
+More information including how to use the settings can be found at:

 - [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
 - [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
 - [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)

-Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
+Traefik no longer supports the `null` value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
+
+### `accessControlAllowOriginListRegex`
+
+The `accessControlAllowOriginListRegex` option is the counterpart of the `accessControlAllowOriginList` option with regular expressions instead of origin values.
+It allows all origins that contain any match of a regular expression in the `accessControlAllowOriginList`.
+
+!!! tip
+
+    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).

 ### `accessControlExposeHeaders`

@@ -322,66 +339,82 @@ The `accessControlExposeHeaders` indicates which headers are safe to expose to t

 ### `accessControlMaxAge`

-The `accessControlMaxAge` indicates how long (in seconds) a preflight request can be cached.
+The `accessControlMaxAge` indicates how many seconds a preflight request can be cached for.

 ### `addVaryHeader`

-The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.

-### `allowedHosts` 
+### `allowedHosts`

 The `allowedHosts` option lists fully qualified domain names that are allowed.

-### `hostsProxyHeaders` 
+### `hostsProxyHeaders`

 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.

-### `sslRedirect` 
+### `sslRedirect`

-The `sslRedirect` is set to true, then only allow https requests.
+!!! warning
+
+    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
+
+The `sslRedirect` only allow HTTPS requests when set to `true`.

 ### `sslTemporaryRedirect`
-                    
-Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).

-### `sslHost` 
+!!! warning

-The `sslHost` option is the host name that is used to redirect http requests to https.
+    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).

-### `sslProxyHeaders` 
+Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).

-The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request.
-Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
+### `sslHost`

-### `sslForceHost` 
+!!! warning

-Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
+    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).

-### `stsSeconds` 
+The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.

-The `stsSeconds` is the max-age of the Strict-Transport-Security header.
-If set to 0, would NOT include the header.
+### `sslProxyHeaders`

-### `stsIncludeSubdomains` 
+The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
+It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).

-The `stsIncludeSubdomains` is set to true, the `includeSubDomains` directive will be appended to the Strict-Transport-Security header.
+### `sslForceHost`

-### `stsPreload` 
+!!! warning

-Set `stsPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
+    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
+
+Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
+
+### `stsSeconds`
+
+The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
+If set to `0`, the header is not set.
+
+### `stsIncludeSubdomains`
+
+If the `stsIncludeSubdomains` is set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header.
+
+### `stsPreload`
+
+Set `stsPreload` to `true` to have the `preload` flag appended to the `Strict-Transport-Security` header.

 ### `forceSTSHeader`

-Set `forceSTSHeader` to true, to add the STS header even when the connection is HTTP.
+Set `forceSTSHeader` to `true` to add the STS header even when the connection is HTTP.

-### `frameDeny` 
+### `frameDeny`

-Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
- 
-### `customFrameOptionsValue` 
+Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY`.
+
+### `customFrameOptionsValue`

 The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
-This overrides the FrameDeny option.
+This overrides the `FrameDeny` option.

 ### `contentTypeNosniff`

@@ -394,7 +427,7 @@ Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the val
 ### `customBrowserXSSValue`

 The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
-This overrides the BrowserXssFilter option.
+This overrides the `BrowserXssFilter` option.

 ### `contentSecurityPolicy`

@@ -402,19 +435,26 @@ The `contentSecurityPolicy` option allows the `Content-Security-Policy` header v

 ### `publicKey`

-The `publicKey` implements HPKP to prevent MITM attacks with forged certificates. 
+The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.

 ### `referrerPolicy`

-The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
+The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.

 ### `featurePolicy`

+!!! warning
+
+    Deprecated in favor of `permissionsPolicy`
+
 The `featurePolicy` allows sites to control browser features.

+### `permissionsPolicy`
+
+The `permissionsPolicy` allows sites to control browser features.
+
 ### `isDevelopment`

-Set `isDevelopment` to true when developing.
-The AllowedHosts, SSL, and STS options can cause some unwanted effects.
-Usually testing happens on http, not https, and on localhost, not your production domain.  
-If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
+Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
+Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
+If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
--- a/docs/content/middlewares/http/inflightreq.md
+++ b/docs/content/middlewares/http/inflightreq.md
@@ -3,9 +3,9 @@
 Limiting the Number of Simultaneous In-Flight Requests
 {: .subtitle }

-![InFlightReq](../assets/img/middleware/inflightreq.png)
+![InFlightReq](../../assets/img/middleware/inflightreq.png)

-To proactively prevent services from being overwhelmed with high load, a limit on the number of simultaneous in-flight requests can be applied.
+To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.

 ## Configuration Examples

@@ -41,20 +41,20 @@ labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```

-```toml tab="File (TOML)"
-# Limiting to 10 simultaneous connections
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inFlightReq]
-    amount = 10 
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
  middlewares:
    test-inflightreq:
      inFlightReq:
-        amount: 10 
+        amount: 10
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10
 ```

 ## Configuration Options
@@ -62,7 +62,7 @@ http:
 ### `amount`

 The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
-The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
+The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).

 ```yaml tab="Docker"
 labels:
@@ -96,42 +96,42 @@ labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```

-```toml tab="File (TOML)"
-# Limiting to 10 simultaneous connections
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inFlightReq]
-    amount = 10 
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
  middlewares:
    test-inflightreq:
      inFlightReq:
-        amount: 10 
+        amount: 10
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10
 ```

 ### `sourceCriterion`
- 
-SourceCriterion defines what criterion is used to group requests as originating from a common source.
+
+The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
 The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
 If none are set, the default is to use the `requestHost`.

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

 ##### `ipStrategy.depth`

-The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
+
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
+- `depth` is ignored if its value is less than or equal to 0.

- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is lesser than or equal to 0.
-    
 !!! example "Example of Depth & X-Forwarded-For"

-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).

    | `X-Forwarded-For`                       | `depth` | clientIP     |
    |-----------------------------------------|---------|--------------|
@@ -171,13 +171,6 @@ labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
-      depth = 2
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -188,9 +181,16 @@ http:
            depth: 2
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
 ##### `ipStrategy.excludedIPs`

-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.

 !!! important "If `depth` is specified, `excludedIPs` is ignored."

@@ -238,13 +238,6 @@ labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
-      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -257,9 +250,16 @@ http:
              - "192.168.1.7"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
 #### `sourceCriterion.requestHeaderName`

-Requests having the same value for the given header are grouped as coming from the same source.
+Name of the header used to group incoming requests.

 ```yaml tab="Docker"
 labels:
@@ -292,13 +292,6 @@ labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
-      requestHeaderName = "username"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -308,6 +301,13 @@ http:
          requestHeaderName: username
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
+      requestHeaderName = "username"
+```
+
 #### `sourceCriterion.requestHost`

 Whether to consider the request host as the source.
@@ -343,13 +343,6 @@ labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
-      requestHost = true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -358,3 +351,10 @@ http:
        sourceCriterion:
          requestHost: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
+      requestHost = true
+```
--- a/docs/content/middlewares/http/ipwhitelist.md
+++ b/docs/content/middlewares/http/ipwhitelist.md
@@ -3,7 +3,7 @@
 Limiting Clients to Specific IPs
 {: .subtitle }

-![IpWhiteList](../assets/img/middleware/ipwhitelist.png)
+![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)

 IPWhitelist accepts / refuses requests based on the client IP.

@@ -44,13 +44,6 @@ labels:
  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

-```toml tab="File (TOML)"
-# Accepts request from defined IP
-[http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
-    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -62,6 +55,13 @@ http:
          - "192.168.1.7"
 ```

+```toml tab="File (TOML)"
+# Accepts request from defined IP
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+```
+
 ## Configuration Options

 ### `sourceRange`
@@ -70,95 +70,105 @@ The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using

 ### `ipStrategy`

-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.

 #### `ipStrategy.depth`

 The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).

+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is less than or equal to 0.
+
 !!! example "Examples of Depth & X-Forwarded-For"

-    ```yaml tab="Docker"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    labels:
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```yaml tab="Kubernetes"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: Middleware
-    metadata:
-      name: testIPwhitelist
-    spec:
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
+
+    | `X-Forwarded-For`                       | `depth` | clientIP     |
+    |-----------------------------------------|---------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+```yaml tab="Docker"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipwhitelist
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+    ipStrategy:
+      depth: 2
+```
+
+```yaml tab="Consul Catalog"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```yaml tab="File (YAML)"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+http:
+  middlewares:
+    test-ipwhitelist:
      ipWhiteList:
        sourceRange:
-          - 127.0.0.1/32
-          - 192.168.1.7
+          - "127.0.0.1/32"
+          - "192.168.1.7"
        ipStrategy:
          depth: 2
-    ```
-    
-    ```yaml tab="Consul Catalog"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```json tab="Marathon"
-    "labels": {
-      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
-    }
-    ```
-    
-    ```yaml tab="Rancher"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    labels:
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```toml tab="File (TOML)"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    [http.middlewares]
-      [http.middlewares.test-ipwhitelist.ipWhiteList]
-        sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-          depth = 2
-    ```
-    
-    ```yaml tab="File (YAML)"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    http:
-      middlewares:
-        test-ipwhitelist:
-          ipWhiteList:
-            sourceRange:
-              - "127.0.0.1/32"
-              - "192.168.1.7"
-            ipStrategy:
-              depth: 2
-    ```
-    
-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
-    
-    ??? example "More examples"
-    
-        | `X-Forwarded-For`                       | `depth` | clientIP     |
-        |-----------------------------------------|---------|--------------|
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+```

-!!! info
-
-    - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-    - `depth` is ignored if its value is lesser than or equal to 0.
+```toml tab="File (TOML)"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+      depth = 2
+```

 #### `ipStrategy.excludedIPs`

+`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
@@ -196,14 +206,6 @@ labels:
  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

-```toml tab="File (TOML)"
-# Exclude from `X-Forwarded-For`
-[http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
@@ -216,16 +218,10 @@ http:
            - "192.168.1.7"
 ```

-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Examples of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+```toml tab="File (TOML)"
+# Exclude from `X-Forwarded-For`
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -0,0 +1,149 @@
+# HTTP Middlewares
+
+Controlling connections
+{: .subtitle }
+
+![Overview](../../assets/img/middleware/overview.png)
+
+## Configuration Example
+
+```yaml tab="Docker"
+# As a Docker Label
+whoami:
+  #  A container that exposes an API to show its IP address
+  image: traefik/whoami
+  labels:
+    # Create a middleware named `foo-add-prefix`
+    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+    # Apply the middleware named `foo-add-prefix` to the router named `router1`
+    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
+```
+
+```yaml tab="Kubernetes IngressRoute"
+# As a Kubernetes Traefik IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: stripprefix
+spec:
+  stripPrefix:
+    prefixes:
+      - /stripit
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroute
+spec:
+# more fields...
+  routes:
+    # more fields...
+    middlewares:
+      - name: stripprefix
+```
+
+```yaml tab="Consul Catalog"
+# Create a middleware named `foo-add-prefix`
+- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+# Apply the middleware named `foo-add-prefix` to the router named `router1`
+- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
+}
+```
+
+```yaml tab="Rancher"
+# As a Rancher Label
+labels:
+  # Create a middleware named `foo-add-prefix`
+  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+  # Apply the middleware named `foo-add-prefix` to the router named `router1`
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
+```
+
+```toml tab="File (TOML)"
+# As TOML Configuration File
+[http.routers]
+  [http.routers.router1]
+    service = "myService"
+    middlewares = ["foo-add-prefix"]
+    rule = "Host(`example.com`)"
+
+[http.middlewares]
+  [http.middlewares.foo-add-prefix.addPrefix]
+    prefix = "/foo"
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
+```
+
+```yaml tab="File (YAML)"
+# As YAML Configuration File
+http:
+  routers:
+    router1:
+      service: myService
+      middlewares:
+        - "foo-add-prefix"
+      rule: "Host(`example.com`)"
+
+  middlewares:
+    foo-add-prefix:
+      addPrefix:
+        prefix: "/foo"
+
+  services:
+    service1:
+      loadBalancer:
+        servers:
+          - url: "http://127.0.0.1:80"
+```
+
+## Available HTTP Middlewares
+
+| Middleware                                | Purpose                                           | Area                        |
+|-------------------------------------------|---------------------------------------------------|-----------------------------|
+| [AddPrefix](addprefix.md)                 | Add a Path Prefix                                 | Path Modifier               |
+| [BasicAuth](basicauth.md)                 | Basic auth mechanism                              | Security, Authentication    |
+| [Buffering](buffering.md)                 | Buffers the request/response                      | Request Lifecycle           |
+| [Chain](chain.md)                         | Combine multiple pieces of middleware             | Middleware tool             |
+| [CircuitBreaker](circuitbreaker.md)       | Stop calling unhealthy services                   | Request Lifecycle           |
+| [Compress](compress.md)                   | Compress the response                             | Content Modifier            |
+| [DigestAuth](digestauth.md)               | Adds Digest Authentication                        | Security, Authentication    |
+| [Errors](errorpages.md)                   | Define custom error pages                         | Request Lifecycle           |
+| [ForwardAuth](forwardauth.md)             | Authentication delegation                         | Security, Authentication    |
+| [Headers](headers.md)                     | Add / Update headers                              | Security                    |
+| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs                      | Security, Request lifecycle |
+| [InFlightReq](inflightreq.md)             | Limit the number of simultaneous connections      | Security, Request lifecycle |
+| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header            | Security                    |
+| [RateLimit](ratelimit.md)                 | Limit the call frequency                          | Security, Request lifecycle |
+| [RedirectScheme](redirectscheme.md)       | Redirect easily the client elsewhere              | Request lifecycle           |
+| [RedirectRegex](redirectregex.md)         | Redirect the client elsewhere                     | Request lifecycle           |
+| [ReplacePath](replacepath.md)             | Change the path of the request                    | Path Modifier               |
+| [ReplacePathRegex](replacepathregex.md)   | Change the path of the request                    | Path Modifier               |
+| [Retry](retry.md)                         | Automatically retry the request in case of errors | Request lifecycle           |
+| [StripPrefix](stripprefix.md)             | Change the path of the request                    | Path Modifier               |
+| [StripPrefixRegex](stripprefixregex.md)   | Change the path of the request                    | Path Modifier               |
--- a/docs/content/middlewares/http/passtlsclientcert.md
+++ b/docs/content/middlewares/http/passtlsclientcert.md
@@ -7,7 +7,7 @@ Adding Client Certificates in a Header
 TODO: add schema
 -->

-PassTLSClientCert adds in header the selected data from the passed client tls certificate.
+PassTLSClientCert adds the selected data from the passed client TLS certificate to a header.

 ## Configuration Examples

@@ -46,13 +46,6 @@ labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

-```toml tab="File (TOML)"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
-[http.middlewares]
-  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
-    pem = true
-```
-
 ```yaml tab="File (YAML)"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
@@ -62,6 +55,13 @@ http:
        pem: true
 ```

+```toml tab="File (TOML)"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+[http.middlewares]
+  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+    pem = true
+```
+
 ??? example "Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"

    ```yaml tab="Docker"
@@ -86,7 +86,7 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```
-    
+
    ```yaml tab="Kubernetes"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    apiVersion: traefik.containo.us/v1alpha1
@@ -116,7 +116,7 @@ http:
            serialNumber: true
            domainComponent: true
    ```
-    
+
    ```yaml tab="Consul Catalog"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
@@ -137,7 +137,7 @@ http:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```
-        
+
    ```json tab="Marathon"
    "labels": {
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
@@ -159,7 +159,7 @@ http:
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
    }
    ```
-    
+
    ```yaml tab="Rancher"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    labels:
@@ -182,32 +182,6 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```

-    ```toml tab="File (TOML)"
-    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    [http.middlewares]
-      [http.middlewares.test-passtlsclientcert.passTLSClientCert]
-        [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
-          notAfter = true
-          notBefore = true
-          sans = true
-          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
-            country = true
-            province = true
-            locality = true
-            organization = true
-            commonName = true
-            serialNumber = true
-            domainComponent = true
-          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
-            country = true
-            province = true
-            locality = true
-            organization = true
-            commonName = true
-            serialNumber = true
-            domainComponent = true
-    ```
-
    ```yaml tab="File (YAML)"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    http:
@@ -236,11 +210,37 @@ http:
                domainComponent: true
    ```

+    ```toml tab="File (TOML)"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    [http.middlewares]
+      [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+        [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
+          notAfter = true
+          notBefore = true
+          sans = true
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+    ```
+
 ## Configuration Options

 ### General

-PassTLSClientCert can add two headers to the request: 
+PassTLSClientCert can add two headers to the request:

 - `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
@@ -248,12 +248,12 @@ PassTLSClientCert can add two headers to the request:
 !!! info

    * The headers are filled with escaped string so it can be safely placed inside a URL query.
-    * These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
+    * These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.

-In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.
+The following example shows a complete certificate and explains each of the middleware options.

-??? example "A complete client tls certificate"
+??? example "A complete client TLS certificate"

    ```
    Certificate:
@@ -292,16 +292,16 @@ In the following example, you can see a complete certificate. We will use each p
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
-                X509v3 Basic Constraints: 
+                X509v3 Basic Constraints:
                    CA:FALSE
-                X509v3 Extended Key Usage: 
+                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
-                X509v3 Subject Key Identifier: 
+                X509v3 Subject Key Identifier:
                    94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
-                X509v3 Authority Key Identifier: 
+                X509v3 Authority Key Identifier:
                    keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
-    
-                X509v3 Subject Alternative Name: 
+
+                X509v3 Subject Alternative Name:
                    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
        Signature Algorithm: sha1WithRSAEncryption
             76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
@@ -359,9 +359,9 @@ In the following example, you can see a complete certificate. We will use each p

 ### `pem`

-The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
+The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escaped certificate.

-In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
+In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters:

 ??? example "The data used by the pem option"

@@ -403,23 +403,24 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
    ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
    -----END CERTIFICATE-----
    ```
-    
+
 !!! info "Extracted data"
-    
-    The delimiters and `\n` will be removed.  
+
+    The delimiters and `\n` will be removed.
    If there are more than one certificate, they are separated by a "`,`".

 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"

-    The header size limit of web servers is commonly between 4kb and 8kb.  
+    The header size limit of web servers is commonly between 4kb and 8kb.
    You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).

 ### `info`

-The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
-The value of the header will be an escaped concatenation of all the selected certificate details.
+The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

-The following example shows an unescaped result that uses all the available fields: 
+The value of the header is an escaped concatenation of all the selected certificate details.
+
+The following example shows an unescaped result that uses all the available fields:

 ```text
 Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -433,14 +434,14 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO

 Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.

-The data are taken from the following certificate part:      
+The data is taken from the following certificate part:

 ```text
    Validity
-        Not After : Dec  5 11:10:16 2020 GMT            
+        Not After : Dec  5 11:10:16 2020 GMT
 ```

-The escape `notAfter` info part will be like:
+The escaped `notAfter` info part is formatted as below:

 ```text
 NA="1607166616"
@@ -450,14 +451,14 @@ NA="1607166616"

 Set the `info.notBefore` option to `true` to add the `Not Before` information from the `Validity` part.

-The data are taken from the following certificate part:
+The data is taken from the following certificate part:

 ```text
 Validity
    Not Before: Dec  6 11:10:16 2018 GMT
 ```

-The escape `notBefore` info part will be like:
+The escaped `notBefore` info part is formatted as below:

 ```text
 NB="1544094616"
@@ -467,28 +468,28 @@ NB="1544094616"

 Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.

-The data are taken from the following certificate part:
+The data is taken from the following certificate part:

 ```text
- X509v3 Subject Alternative Name: 
+ X509v3 Subject Alternative Name:
    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```

-The escape SANs info part will be like:
+The escape SANs info part is formatted as below:

 ```text
 SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```

-!!! info "multiple values"
+!!! info "Multiple values"

-    All the SANs data are separated by a `,`.
+    The SANs are separated by a `,`.

 #### `info.subject`

-The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
+The `info.subject` selects the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

-The data are taken from the following certificate part :
+The data is taken from the following certificate part:

 ```text
 Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
@@ -496,9 +497,11 @@ Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=

 ##### `info.subject.country`

-Set the `info.subject.country` option to true to add the `country` information into the subject.  
-The data are taken from the subject part with the `C` key. 
-The escape country info in the subject part will be like :
+Set the `info.subject.country` option to `true` to add the `country` information into the subject.
+
+The data is taken from the subject part with the `C` key.
+
+The escape country info in the subject part is formatted as below:

 ```text
 C=FR,C=US
@@ -506,11 +509,11 @@ C=FR,C=US

 ##### `info.subject.province`

-Set the `info.subject.province` option to true to add the `province` information into the subject.
-  
-The data are taken from the subject part with the `ST` key.
+Set the `info.subject.province` option to `true` to add the `province` information into the subject.

-The escape province info in the subject part will be like :
+The data is taken from the subject part with the `ST` key.
+
+The escape province info in the subject part is formatted as below:

 ```text
 ST=Cheese org state,ST=Cheese com state
@@ -518,11 +521,11 @@ ST=Cheese org state,ST=Cheese com state

 ##### `info.subject.locality`

-Set the `info.subject.locality` option to true to add the `locality` information into the subject.
-  
-The data are taken from the subject part with the `L` key.
+Set the `info.subject.locality` option to `true` to add the `locality` information into the subject.

-The escape locality info in the subject part will be like :
+The data is taken from the subject part with the `L` key.
+
+The escape locality info in the subject part is formatted as below:

 ```text
 L=TOULOUSE,L=LYON
@@ -530,11 +533,11 @@ L=TOULOUSE,L=LYON

 ##### `info.subject.organization`

-Set the `info.subject.organization` option to true to add the `organization` information into the subject.
-  
-The data are taken from the subject part with the `O` key.
+Set the `info.subject.organization` option to `true` to add the `organization` information into the subject.

-The escape organization info in the subject part will be like :
+The data is taken from the subject part with the `O` key.
+
+The escape organization info in the subject part is formatted as below:

 ```text
 O=Cheese,O=Cheese 2
@@ -542,11 +545,11 @@ O=Cheese,O=Cheese 2

 ##### `info.subject.commonName`

-Set the `info.subject.commonName` option to true to add the `commonName` information into the subject.
-  
-The data are taken from the subject part with the `CN` key.
+Set the `info.subject.commonName` option to `true` to add the `commonName` information into the subject.

-The escape common name info in the subject part will be like :
+The data is taken from the subject part with the `CN` key.
+
+The escape common name info in the subject part is formatted as below:

 ```text
 CN=*.example.com
@@ -554,11 +557,11 @@ CN=*.example.com

 ##### `info.subject.serialNumber`

-Set the `info.subject.serialNumber` option to true to add the `serialNumber` information into the subject.
-  
-The data are taken from the subject part with the `SN` key.
+Set the `info.subject.serialNumber` option to `true` to add the `serialNumber` information into the subject.

-The escape serial number info in the subject part will be like :
+The data is taken from the subject part with the `SN` key.
+
+The escape serial number info in the subject part is formatted as below:

 ```text
 SN=1234567890
@@ -566,11 +569,11 @@ SN=1234567890

 ##### `info.subject.domainComponent`

-Set the `info.subject.domainComponent` option to true to add the `domainComponent` information into the subject.
-  
-The data are taken from the subject part with the `DC` key.
+Set the `info.subject.domainComponent` option to `true` to add the `domainComponent` information into the subject.

-The escape domaincomponent info in the subject part will be like :
+The data is taken from the subject part with the `DC` key.
+
+The escape domain component info in the subject part is formatted as below:

 ```text
 DC=org,DC=cheese
@@ -578,9 +581,9 @@ DC=org,DC=cheese

 #### `info.issuer`

-The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
+The `info.issuer` selects the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

-The data are taken from the following certificate part :
+The data is taken from the following certificate part:

 ```text
 Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
@@ -588,9 +591,11 @@ Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=S

 ##### `info.issuer.country`

-Set the `info.issuer.country` option to true to add the `country` information into the issuer.  
-The data are taken from the issuer part with the `C` key. 
-The escape country info in the issuer part will be like :
+Set the `info.issuer.country` option to `true` to add the `country` information into the issuer.
+
+The data is taken from the issuer part with the `C` key.
+
+The escape country info in the issuer part is formatted as below:

 ```text
 C=FR,C=US
@@ -598,11 +603,11 @@ C=FR,C=US

 ##### `info.issuer.province`

-Set the `info.issuer.province` option to true to add the `province` information into the issuer.
-  
-The data are taken from the issuer part with the `ST` key.
+Set the `info.issuer.province` option to `true` to add the `province` information into the issuer.

-The escape province info in the issuer part will be like :
+The data is taken from the issuer part with the `ST` key.
+
+The escape province info in the issuer part is formatted as below:

 ```text
 ST=Signing State,ST=Signing State 2
@@ -610,11 +615,11 @@ ST=Signing State,ST=Signing State 2

 ##### `info.issuer.locality`

-Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
-  
-The data are taken from the issuer part with the `L` key.
+Set the `info.issuer.locality` option to `true` to add the `locality` information into the issuer.

-The escape locality info in the issuer part will be like :
+The data is taken from the issuer part with the `L` key.
+
+The escape locality info in the issuer part is formatted as below:

 ```text
 L=TOULOUSE,L=LYON
@@ -622,11 +627,11 @@ L=TOULOUSE,L=LYON

 ##### `info.issuer.organization`

-Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
-  
-The data are taken from the issuer part with the `O` key.
+Set the `info.issuer.organization` option to `true` to add the `organization` information into the issuer.

-The escape organization info in the issuer part will be like :
+The data is taken from the issuer part with the `O` key.
+
+The escape organization info in the issuer part is formatted as below:

 ```text
 O=Cheese,O=Cheese 2
@@ -634,11 +639,11 @@ O=Cheese,O=Cheese 2

 ##### `info.issuer.commonName`

-Set the `info.issuer.commonName` option to true to add the `commonName` information into the issuer.
-  
-The data are taken from the issuer part with the `CN` key.
+Set the `info.issuer.commonName` option to `true` to add the `commonName` information into the issuer.

-The escape common name info in the issuer part will be like :
+The data is taken from the issuer part with the `CN` key.
+
+The escape common name info in the issuer part is formatted as below:

 ```text
 CN=Simple Signing CA 2
@@ -646,11 +651,11 @@ CN=Simple Signing CA 2

 ##### `info.issuer.serialNumber`

-Set the `info.issuer.serialNumber` option to true to add the `serialNumber` information into the issuer.
-  
-The data are taken from the issuer part with the `SN` key.
+Set the `info.issuer.serialNumber` option to `true` to add the `serialNumber` information into the issuer.

-The escape serial number info in the issuer part will be like :
+The data is taken from the issuer part with the `SN` key.
+
+The escape serial number info in the issuer part is formatted as below:

 ```text
 SN=1234567890
@@ -658,11 +663,11 @@ SN=1234567890

 ##### `info.issuer.domainComponent`

-Set the `info.issuer.domainComponent` option to true to add the `domainComponent` information into the issuer.
-  
-The data are taken from the issuer part with the `DC` key.
+Set the `info.issuer.domainComponent` option to `true` to add the `domainComponent` information into the issuer.

-The escape domain component info in the issuer part will be like :
+The data is taken from the issuer part with the `DC` key.
+
+The escape domain component info in the issuer part is formatted as below:

 ```text
 DC=org,DC=cheese
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -3,7 +3,7 @@
 To Control the Number of Requests Going to a Service
 {: .subtitle }

-The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows one to define what fair is.
+The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.

 ## Configuration Example

@@ -50,15 +50,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```

-```toml tab="File (TOML)"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 100
-    burst = 50
-```
-
 ```yaml tab="File (YAML)"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
@@ -70,11 +61,20 @@ http:
        burst: 50
 ```

+```toml tab="File (TOML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+    burst = 50
+```
+
 ## Configuration Options

 ### `average`

-`average` is the maximum rate, by default in requests by second, allowed for the given source.
+`average` is the maximum rate, by default in requests per second, allowed from a given source.

 It defaults to `0`, which means no rate limiting.

@@ -114,13 +114,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```

-```toml tab="File (TOML)"
-# 100 reqs/s
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 100
-```
-
 ```yaml tab="File (YAML)"
 # 100 reqs/s
 http:
@@ -130,6 +123,13 @@ http:
        average: 100
 ```

+```toml tab="File (TOML)"
+# 100 reqs/s
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+```
+
 ### `period`

 `period`, in combination with `average`, defines the actual maximum rate, such as:
@@ -179,14 +179,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
 ```

-```toml tab="File (TOML)"
-# 6 reqs/minute
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 6
-    period = 1m
-```
-
 ```yaml tab="File (YAML)"
 # 6 reqs/minute
 http:
@@ -197,6 +189,14 @@ http:
        period: 1m
 ```

+```toml tab="File (TOML)"
+# 6 reqs/minute
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 6
+    period = "1m"
+```
+
 ### `burst`

 `burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
@@ -219,7 +219,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```

 ```json tab="Marathon"
@@ -230,13 +230,7 @@ spec:

 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    burst = 100
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```

 ```yaml tab="File (YAML)"
@@ -247,26 +241,32 @@ http:
        burst: 100
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    burst = 100
+```
+
 ### `sourceCriterion`
- 
-SourceCriterion defines what criterion is used to group requests as originating from a common source.
+
+The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
 The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
 If none are set, the default is to use the request's remote address field (as an `ipStrategy`).

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

 ##### `ipStrategy.depth`

-The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).

- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is lesser than or equal to 0.
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
+- `depth` is ignored if its value is less than or equal to 0.

 !!! example "Example of Depth & X-Forwarded-For"

-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).

    | `X-Forwarded-For`                       | `depth` | clientIP     |
    |-----------------------------------------|---------|--------------|
@@ -274,8 +274,98 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |

+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    sourceCriterion:
+      ipStrategy:
+        depth: 2
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          ipStrategy:
+            depth: 2
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
 ##### `ipStrategy.excludedIPs`

+!!! important "Contrary to what the name might suggest, this option is _not_ about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs."
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+`excludedIPs` is meant to address two classes of somewhat distinct use-cases:
+
+1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others,
+   to its own rate-limit "bucket" (cf the [leaky bucket analogy](https://wikipedia.org/wiki/Leaky_bucket)).
+   In this case, `excludedIPs` should be set to match the list of `X-Forwarded-For IPs` that are to be excluded,
+   in order to find the actual clientIP.
+
+    !!! example "Each IP as a distinct source"
+
+        | X-Forwarded-For                | excludedIPs           | clientIP     |
+        |--------------------------------|-----------------------|--------------|
+        | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
+        | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
+
+2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source,
+   and all contribute to the same rate-limit bucket.
+
+    !!! example "Group IPs together as same source"
+
+        |  X-Forwarded-For               |  excludedIPs | clientIP     |
+        |--------------------------------|--------------|--------------|
+        | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+        | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+        | `"10.0.0.3,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+
+For completeness, below are additional examples to illustrate how the matching works.
+For a given request the list of `X-Forwarded-For` IPs is checked from most recent to most distant against the `excludedIPs` pool,
+and the first IP that is _not_ in the pool (if any) is returned.
+
+!!! example "Matching for clientIP"
+
+    |  X-Forwarded-For               |  excludedIPs          | clientIP     |
+    |--------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"11.0.0.1"`          | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`          | `"10.0.0.1,11.0.0.1"` | `""`         |
+
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
@@ -310,13 +400,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
-      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -329,23 +412,16 @@ http:
              - "192.168.1.7"
 ```

-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Example of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```

 #### `sourceCriterion.requestHeaderName`

-Requests having the same value for the given header are grouped as coming from the same source.
+Name of the header used to group incoming requests.

 ```yaml tab="Docker"
 labels:
@@ -378,13 +454,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
-      requestHeaderName = "username"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -394,6 +463,13 @@ http:
          requestHeaderName: username
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHeaderName = "username"
+```
+
 #### `sourceCriterion.requestHost`

 Whether to consider the request host as the source.
@@ -429,13 +505,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
-      requestHost = true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -444,3 +513,10 @@ http:
        sourceCriterion:
          requestHost: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHost = true
+```
--- a/docs/content/middlewares/http/redirectregex.md
+++ b/docs/content/middlewares/http/redirectregex.md
@@ -7,7 +7,7 @@ Redirecting the Client to a Different Location
 TODO: add schema
 -->

-RegexRedirect redirect a request from an url to another with regex matching and replacement.
+The RedirectRegex redirects a request using regex matching and replacement.

 ## Configuration Examples

@@ -53,14 +53,6 @@ labels:
  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```

-```toml tab="File (TOML)"
-# Redirect with domain replacement
-[http.middlewares]
-  [http.middlewares.test-redirectregex.redirectRegex]
-    regex = "^http://localhost/(.*)"
-    replacement = "http://mydomain/${1}"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect with domain replacement
 http:
@@ -71,8 +63,20 @@ http:
        replacement: "http://mydomain/${1}"
 ```

+```toml tab="File (TOML)"
+# Redirect with domain replacement
+[http.middlewares]
+  [http.middlewares.test-redirectregex.redirectRegex]
+    regex = "^http://localhost/(.*)"
+    replacement = "http://mydomain/${1}"
+```
+
 ## Configuration Options

+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
 ### `permanent`

 Set the `permanent` option to `true` to apply a permanent redirection.
@@ -81,14 +85,10 @@ Set the `permanent` option to `true` to apply a permanent redirection.

 The `regex` option is the regular expression to match and capture elements from the request URL.

-!!! warning
-
-    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
-
-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-    
 ### `replacement`

 The `replacement` option defines how to modify the URL to have the new target URL.
+
+!!! warning
+
+    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
--- a/docs/content/middlewares/http/redirectscheme.md
+++ b/docs/content/middlewares/http/redirectscheme.md
@@ -7,7 +7,7 @@ Redirecting the Client to a Different Scheme/Port
 TODO: add schema
 -->

-RedirectScheme redirect request from a scheme to another.
+RedirectScheme redirects requests from a scheme/port to another.

 ## Configuration Examples

@@ -51,14 +51,6 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```

-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectScheme]
-    scheme = "https"
-    permanent = true
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -69,6 +61,14 @@ http:
        permanent: true
 ```

+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = true
+```
+
 ## Configuration Options

 ### `permanent`
@@ -115,14 +115,6 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```

-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectScheme]
-    # ...
-    permanent = true
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -133,9 +125,17 @@ http:
        permanent: true
 ```

+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    permanent = true
+```
+
 ### `scheme`

-The `scheme` option defines the scheme of the new url.
+The `scheme` option defines the scheme of the new URL.

 ```yaml tab="Docker"
 # Redirect to https
@@ -172,13 +172,6 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```

-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectScheme]
-    scheme = "https"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -188,9 +181,16 @@ http:
        scheme: https
 ```

+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+```
+
 ### `port`

-The `port` option defines the port of the new url.
+The `port` option defines the port of the new URL.

 ```yaml tab="Docker"
 # Redirect to https
@@ -232,14 +232,6 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
 ```

-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectScheme]
-    # ...
-    port = 443
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -250,4 +242,12 @@ http:
        port: "443"
 ```

+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    port = 443
+```
+
 !!! info "Port in this configuration is a string, not a numeric value."
--- a/docs/content/middlewares/http/replacepath.md
+++ b/docs/content/middlewares/http/replacepath.md
@@ -7,18 +7,18 @@ Updating the Path Before Forwarding the Request
 TODO: add schema
 -->

-Replace the path of the request url.
+Replace the path of the request URL.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Replace the path by /foo
+# Replace the path with /foo
 labels:
  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

 ```yaml tab="Kubernetes"
-# Replace the path by /foo
+# Replace the path with /foo
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -29,7 +29,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Replace the path by /foo
+# Replace the path with /foo
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

@@ -40,20 +40,13 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Replace the path by /foo
+# Replace the path with /foo
 labels:
  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

-```toml tab="File (TOML)"
-# Replace the path by /foo
-[http.middlewares]
-  [http.middlewares.test-replacepath.replacePath]
-    path = "/foo"
-```
-
 ```yaml tab="File (YAML)"
-# Replace the path by /foo
+# Replace the path with /foo
 http:
  middlewares:
    test-replacepath:
@@ -61,15 +54,22 @@ http:
        path: "/foo"
 ```

+```toml tab="File (TOML)"
+# Replace the path with /foo
+[http.middlewares]
+  [http.middlewares.test-replacepath.replacePath]
+    path = "/foo"
+```
+
 ## Configuration Options

 ### General

 The ReplacePath middleware will:

- replace the actual path by the specified one.
+- replace the actual path with the specified one.
 - store the original path in a `X-Replaced-Path` header.

 ### `path`

-The `path` option defines the path to use as replacement in the request url.
+The `path` option defines the path to use as replacement in the request URL.
--- a/docs/content/middlewares/http/replacepathregex.md
+++ b/docs/content/middlewares/http/replacepathregex.md
@@ -7,7 +7,7 @@ Updating the Path Before Forwarding the Request (Using a Regex)
 TODO: add schema
 -->

-The ReplaceRegex replace a path from an url to another with regex matching and replacement.
+The ReplaceRegex replaces the path of a URL using regex matching and replacement.

 ## Configuration Examples

@@ -50,16 +50,8 @@ labels:
  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```

-```toml tab="File (TOML)"
-# Redirect with domain replacement
-[http.middlewares]
-  [http.middlewares.test-replacepathregex.replacePathRegex]
-    regex = "^/foo/(.*)"
-    replacement = "/bar/$1"
-```
-
 ```yaml tab="File (YAML)"
-# Redirect with domain replacement
+# Replace path with regex
 http:
  middlewares:
    test-replacepathregex:
@@ -68,27 +60,35 @@ http:
        replacement: "/bar/$1"
 ```

+```toml tab="File (TOML)"
+# Replace path with regex
+[http.middlewares]
+  [http.middlewares.test-replacepathregex.replacePathRegex]
+    regex = "^/foo/(.*)"
+    replacement = "/bar/$1"
+```
+
 ## Configuration Options

 ### General

 The ReplacePathRegex middleware will:

- replace the matching path by the specified one.
+- replace the matching path with the specified one.
 - store the original path in a `X-Replaced-Path` header.

+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or [Regex101](https://regex101.com/r/58sIgx/2).
+
 ### `regex`

 The `regex` option is the regular expression to match and capture the path from the request URL.

+### `replacement`
+
+The `replacement` option defines the replacement path format, which can include captured variables.
+
 !!! warning

    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
-
-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-    
-### `replacement`
-
-The `replacement` option defines how to modify the path to have the new target path.
--- a/Show More
+++ b/Show More