Prepare release v2.2.4

* fix: allow domain fronting by default

* review: typo.

* review: doc.

Co-authored-by: Fernandez Ludovic <ludovic@containo.us>

.golangci.toml

@@ -49,6 +49,11 @@
     "wsl", # Too strict
     "gomnd", # Too strict
     "stylecheck", # skip because report issues related to some generated files.
+    "testpackage", # Too strict
+    "goerr113", # Too strict
+    "nestif", # Too many false-positive.
+    "noctx", # Too strict
+    "exhaustive", # Too strict
   ]
 
 [issues]
@@ -62,7 +67,7 @@
   ]
  [[issues.exclude-rules]]
     path = "(.+)_test.go"
-    linters = ["goconst", "funlen"]
+    linters = ["goconst", "funlen", "godot"]
  [[issues.exclude-rules]]
     path = "integration/.+_test.go"
     text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
@@ -105,3 +110,6 @@
  [[issues.exclude-rules]]
     path = "pkg/tracing/tracing.go"
     text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
+ [[issues.exclude-rules]]
+    path = "pkg/log/deprecated.go"
+    linters = ["godot"]

CHANGELOG.md

@@ -1,3 +1,61 @@
+## [v2.2.4](https://github.com/containous/traefik/tree/v2.2.4) (2020-07-10)
+[All Commits](https://github.com/containous/traefik/compare/v2.2.3...v2.2.4)
+
+**Bug fixes:**
+- **[tls]** Change the default value of insecureSNI ([#7027](https://github.com/containous/traefik/pull/7027) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+## [v2.2.3](https://github.com/containous/traefik/tree/v2.2.3) (2020-07-09)
+[All Commits](https://github.com/containous/traefik/compare/v2.2.2...v2.2.3)
+
+**Bug fixes:**
+- **[middleware]** Fix panic when using chain middleware. ([#7016](https://github.com/containous/traefik/pull/7016) by [juliens](https://github.com/juliens))
+
+## [v2.2.2](https://github.com/containous/traefik/tree/v2.2.2) (2020-07-08)
+[All Commits](https://github.com/containous/traefik/compare/v2.2.1...v2.2.2)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v3.8.0 ([#6988](https://github.com/containous/traefik/pull/6988) by [ldez](https://github.com/ldez))
+- **[acme]** Fix triggering multiple concurrent requests to ACME ([#6939](https://github.com/containous/traefik/pull/6939) by [ddtmachado](https://github.com/ddtmachado))
+- **[acme]** Update go-acme/lego to v3.7.0 ([#6792](https://github.com/containous/traefik/pull/6792) by [ldez](https://github.com/ldez))
+- **[acme]** added required quotes to domains config ([#6867](https://github.com/containous/traefik/pull/6867) by [tompson](https://github.com/tompson))
+- **[authentication,logs,middleware]** Provide username in log data on auth failure ([#6827](https://github.com/containous/traefik/pull/6827) by [rtribotte](https://github.com/rtribotte))
+- **[docker]** Use specified network for "container" network mode ([#6763](https://github.com/containous/traefik/pull/6763) by [bjeanes](https://github.com/bjeanes))
+- **[k8s,k8s/crd]** Remove checkStringQuoteValidity in loadIngressRouteConf ([#6775](https://github.com/containous/traefik/pull/6775) by [fefe982](https://github.com/fefe982))
+- **[middleware,websocket]** Fix wss in x-forwarded-proto ([#6752](https://github.com/containous/traefik/pull/6752) by [juliens](https://github.com/juliens))
+- **[middleware]** internal handlers: support for response modifiers ([#6750](https://github.com/containous/traefik/pull/6750) by [mpl](https://github.com/mpl))
+- **[middleware]** Fix ipv6 handling in redirect middleware ([#6902](https://github.com/containous/traefik/pull/6902) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** refactor X-Forwarded-Proto ([#6863](https://github.com/containous/traefik/pull/6863) by [jcgruenhage](https://github.com/jcgruenhage))
+- **[provider]** Fix race condition issues with provided dynamic configuration ([#6979](https://github.com/containous/traefik/pull/6979) by [kevinpollet](https://github.com/kevinpollet))
+- **[rules,server,tls]** Disable domain fronting ([#7008](https://github.com/containous/traefik/pull/7008) by [rtribotte](https://github.com/rtribotte))
+- **[udp]** Fix mem leak on UDP connections ([#6815](https://github.com/containous/traefik/pull/6815) by [ddtmachado](https://github.com/ddtmachado))
+- **[udp]** Avoid overwriting already received UDP messages ([#6797](https://github.com/containous/traefik/pull/6797) by [cbachert](https://github.com/cbachert))
+- **[webui]** Add missing accessControlAllowOrigin list to middleware view ([#6747](https://github.com/containous/traefik/pull/6747) by [barthez](https://github.com/barthez))
+
+**Documentation:**
+- **[acme]** Fix doc url for Aurora DNS provider ([#6899](https://github.com/containous/traefik/pull/6899) by [rtribotte](https://github.com/rtribotte))
+- **[acme]** Fix acme.md typo ([#6817](https://github.com/containous/traefik/pull/6817) by [juliocc](https://github.com/juliocc))
+- **[acme]** fix certResolver typo ([#6983](https://github.com/containous/traefik/pull/6983) by [DavidBadura](https://github.com/DavidBadura))
+- **[acme]** Fix statement about lego _FILE env var ([#6964](https://github.com/containous/traefik/pull/6964) by [solvaholic](https://github.com/solvaholic))
+- **[acme]** Improve acme CLI options in Let's Encrypt documentation  ([#6762](https://github.com/containous/traefik/pull/6762) by [netoax](https://github.com/netoax))
+- **[docker]** fix a broken link on Docker plugins documentation ([#6908](https://github.com/containous/traefik/pull/6908) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[docker]** Fix healthcheck.interval in docs ([#6847](https://github.com/containous/traefik/pull/6847) by [OndrejIT](https://github.com/OndrejIT))
+- **[k8s,k8s/ingress]** Remove redundant paragraph in Kubernetes ingress documentation ([#6806](https://github.com/containous/traefik/pull/6806) by [lpfann](https://github.com/lpfann))
+- **[k8s,k8s/ingress]** Fix sticky cookie ingress annotation doc ([#6938](https://github.com/containous/traefik/pull/6938) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** fixing typo in Provider KubernetesIngress at Routing documentation ([#6845](https://github.com/containous/traefik/pull/6845) by [sw360cab](https://github.com/sw360cab))
+- **[k8s]** Update kubernetes-crd.md ([#6878](https://github.com/containous/traefik/pull/6878) by [rherrick](https://github.com/rherrick))
+- **[logs]** Fixed incorrect logging parameter in documentation ([#6819](https://github.com/containous/traefik/pull/6819) by [cplewnia](https://github.com/cplewnia))
+- **[logs]** Use "headers" instead of "header" in access log docs ([#6836](https://github.com/containous/traefik/pull/6836) by [bradjones1](https://github.com/bradjones1))
+- **[middleware,k8s/crd]** Fix Headers middleware documentation, usage of proper bool ([#6928](https://github.com/containous/traefik/pull/6928) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Improve redirectScheme documentation ([#6769](https://github.com/containous/traefik/pull/6769) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** Update basicauth.md ([#6967](https://github.com/containous/traefik/pull/6967) by [vitalets](https://github.com/vitalets))
+- Update Dashboard examples and move it after 'Router Rule' section ([#6874](https://github.com/containous/traefik/pull/6874) by [ddtmachado](https://github.com/ddtmachado))
+- Fix log field names in documentation ([#6952](https://github.com/containous/traefik/pull/6952) by [gysel](https://github.com/gysel))
+- Minor fix to Go templating documentation ([#6977](https://github.com/containous/traefik/pull/6977) by [PCM2](https://github.com/PCM2))
+- Add rtribotte to maintainers ([#6936](https://github.com/containous/traefik/pull/6936) by [emilevauge](https://github.com/emilevauge))
+- Update Copyright ([#6795](https://github.com/containous/traefik/pull/6795) by [mmatur](https://github.com/mmatur))
+- fix: dead link. ([#6876](https://github.com/containous/traefik/pull/6876) by [ldez](https://github.com/ldez))
+- Fix v1-> v2 migration: unify domain name in documentation example ([#6904](https://github.com/containous/traefik/pull/6904) by [sinacek](https://github.com/sinacek))
+
 ## [v2.2.1](https://github.com/containous/traefik/tree/v2.2.1) (2020-04-29)
 [All Commits](https://github.com/containous/traefik/compare/v2.2.0...v2.2.1)
 

Makefile

@@ -32,7 +32,7 @@ TRAEFIK_ENVS := \
 TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_NON_INTERACTIVE ?= false
-DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
 
 PRE_TARGET ?= build-dev-image

build.Dockerfile

@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.23.8
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.28.0
 
 # Download misspell binary to bin folder in $GOPATH
 RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4

cmd/context.go

@@ -7,7 +7,7 @@ import (
 	"syscall"
 )
 
-// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified
+// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified.
 func ContextWithSignal(ctx context.Context) context.Context {
 	newCtx, cancel := context.WithCancel(ctx)
 	signals := make(chan os.Signal)

cmd/healthcheck/healthcheck.go

@@ -45,7 +45,7 @@ func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
 	}
 }
 
-// Do try to do a healthcheck
+// Do try to do a healthcheck.
 func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 	if staticConfiguration.Ping == nil {
 		return nil, errors.New("please enable `ping` to use health check")

cmd/traefik/traefik.go

@@ -25,6 +25,7 @@ import (
 	"github.com/containous/traefik/v2/pkg/provider/acme"
 	"github.com/containous/traefik/v2/pkg/provider/aggregator"
 	"github.com/containous/traefik/v2/pkg/provider/traefik"
+	"github.com/containous/traefik/v2/pkg/rules"
 	"github.com/containous/traefik/v2/pkg/safe"
 	"github.com/containous/traefik/v2/pkg/server"
 	"github.com/containous/traefik/v2/pkg/server/middleware"
@@ -161,6 +162,8 @@ func runCmd(staticConfiguration *static.Configuration) error {
 }
 
 func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
+	rules.EnableDomainFronting(staticConfiguration.Global.InsecureSNI)
+
 	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
 
 	// adds internal provider
@@ -274,7 +277,7 @@ func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Pro
 	}
 }
 
-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration
+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
 	challengeStore := acme.NewLocalChallengeStore()
 	localStores := map[string]*acme.LocalStore{}
@@ -403,7 +406,7 @@ func configureLogging(staticConfiguration *static.Configuration) {
 	if len(logFile) > 0 {
 		dir := filepath.Dir(logFile)
 
-		if err := os.MkdirAll(dir, 0755); err != nil {
+		if err := os.MkdirAll(dir, 0o755); err != nil {
 			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
 		}
 

cmd/version/version.go

@@ -17,7 +17,7 @@ Go version:   {{.GoVersion}}
 Built:        {{.BuildTime}}
 OS/Arch:      {{.Os}}/{{.Arch}}`
 
-// NewCmd builds a new Version command
+// NewCmd builds a new Version command.
 func NewCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
@@ -33,7 +33,7 @@ func NewCmd() *cli.Command {
 	}
 }
 
-// GetPrint write Printable version
+// GetPrint write Printable version.
 func GetPrint(wr io.Writer) error {
 	tmpl, err := template.New("").Parse(versionTemplate)
 	if err != nil {

docs/content/contributing/maintainers.md

@@ -16,6 +16,7 @@
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
 * Mathieu Lonjaret [@mpl](https://github.com/mpl)
+* Romain Tribotté [@rtribotte](https://github.com/rtribotte)
 
 ## Contributions Daily Meeting
 

docs/content/getting-started/install-traefik.md

@@ -83,7 +83,7 @@ helm install traefik traefik/traefik
     
     ```bash tab="Using Helm CLI"
     helm install --namespace=traefik-v2 \
-        --set="additionalArguments={--logs.level=DEBUG}" \
+        --set="additionalArguments={--log.level=DEBUG}" \
         traefik traefik/traefik
     ```
     

docs/content/https/acme.md

@@ -105,13 +105,13 @@ Please check the [configuration examples below](#configuration-examples) for mor
     ```
     
     ```bash tab="CLI"
-    --entryPoints.web.address=:80
-    --entryPoints.websecure.address=:443
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
     # ...
-    --certificatesResolvers.myresolver.acme.email=your-email@example.com
-    --certificatesResolvers.myresolver.acme.storage=acme.json
+    --certificatesresolvers.myresolver.acme.email=your-email@example.com
+    --certificatesresolvers.myresolver.acme.storage=acme.json
     # used during the challenge
-    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
+    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
     ```
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
@@ -181,7 +181,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.myresolver.acme.tlsChallenge=true
+    --certificatesresolvers.myresolver.acme.tlschallenge=true
     ```
 
 ### `httpChallenge`
@@ -189,7 +189,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
 
 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesResolvers.myresolver.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpchallenge.entrypoint` must be reachable by Let's Encrypt through port 80.
 
 ??? example "Using an EntryPoint Called web for the `httpChallenge`"
 
@@ -224,10 +224,10 @@ when using the `HTTP-01` challenge, `certificatesResolvers.myresolver.acme.httpC
     ```
     
     ```bash tab="CLI"
-    --entryPoints.web.address=:80
-    --entryPoints.websecure.address=:443
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
     # ...
-    --certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
+    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
     ```
 
 !!! info ""
@@ -261,8 +261,8 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.myresolver.acme.dnsChallenge.provider=digitalocean
-    --certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0
+    --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
+    --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
     # ...
     ```
 
@@ -275,14 +275,17 @@ Here is a list of supported `providers`, that can automate the DNS verification,
 along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
 Do not hesitate to complete it.
 
-Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
+Many lego environment variables can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
 For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
 
+For complete details, refer to your provider's _Additional configuration_ link.
+
 | Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
-| [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
+| [ArvanCloud](https://arvancloud.com)                        | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
+| [Auroradns](https://www.pcextreme.com/dns-health-checks)    | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
 | [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
@@ -294,6 +297,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
 | [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
+| [deSEC](https://desec.io)                                   | `desec`        | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)        |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
 | [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
@@ -312,6 +316,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
 | [GoDaddy](https://godaddy.com/)                             | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
+| [Hetzner](https://hetzner.com)                              | `hetzner`      | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)      |
 | [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
@@ -321,12 +326,15 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
 | [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
+| [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
 | manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
+| [Mythic Beasts](https://www.mythic-beasts.com)              | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
 | [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
 | [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
+| [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
 | [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
 | [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
@@ -349,6 +357,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
 | [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
 | [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
+| [Yandex](https://yandex.com)                                | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
 | [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
 
@@ -389,7 +398,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
 #### Wildcard Domains
@@ -428,7 +437,7 @@ The CA server to use:
 
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+    --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
     # ...
     ```
 
@@ -456,7 +465,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.myresolver.acme.storage=acme.json
+--certificatesresolvers.myresolver.acme.storage=acme.json
 # ...
 ```
 
@@ -473,7 +482,7 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 ```
 
 !!! warning
-    For concurrency reason, this file cannot be shared across multiple instances of Traefik.
+    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.
 
 ## Fallback
 

docs/content/https/include-acme-multiple-domains-example.md

@@ -40,7 +40,7 @@ spec:
     domains:
     - main: example.org
       sans:
-      - *.example.org
+      - '*.example.org'
 ```
 
 ```json tab="Marathon"

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -32,7 +32,7 @@ spec:
     - name: blog
       port: 8080
   tls:
-    certresolver: myresolver
+    certResolver: myresolver
 ```
 
 ```json tab="Marathon"

docs/content/https/include-acme-single-domain-example.md

@@ -32,7 +32,7 @@ spec:
     - name: blog
       port: 8080
   tls:
-    certresolver: myresolver
+    certResolver: myresolver
 ```
 
 ```json tab="Marathon"

docs/content/https/ref-acme.txt

@@ -4,13 +4,13 @@
 #
 # Required
 #
---certificatesResolvers.myresolver.acme.email=test@example.com
+--certificatesresolvers.myresolver.acme.email=test@example.com
 
 # File or key used for certificates storage.
 #
 # Required
 #
---certificatesResolvers.myresolver.acme.storage=acme.json
+--certificatesresolvers.myresolver.acme.storage=acme.json
 
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
@@ -19,7 +19,7 @@
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
---certificatesResolvers.myresolver.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
 
 # KeyType to use.
 #
@@ -28,38 +28,38 @@
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
---certificatesResolvers.myresolver.acme.keyType=RSA4096
+--certificatesresolvers.myresolver.acme.keytype=RSA4096
 
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
---certificatesResolvers.myresolver.acme.tlsChallenge=true
+--certificatesresolvers.myresolver.acme.tlschallenge=true
 
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
---certificatesResolvers.myresolver.acme.httpChallenge=true
+--certificatesresolvers.myresolver.acme.httpchallenge=true
 
 # EntryPoint to use for the HTTP-01 challenges.
 #
 # Required
 #
---certificatesResolvers.myresolver.acme.httpChallenge.entryPoint=web
+--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
 
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
---certificatesResolvers.myresolver.acme.dnsChallenge=true
+--certificatesresolvers.myresolver.acme.dnschallenge=true
 
 # DNS provider used.
 #
 # Required
 #
---certificatesResolvers.myresolver.acme.dnsChallenge.provider=digitalocean
+--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
 
 # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
 # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
@@ -68,14 +68,14 @@
 # Optional
 # Default: 0
 #
---certificatesResolvers.myresolver.acme.dnsChallenge.delayBeforeCheck=0
+--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
 
 # Use following DNS servers to resolve the FQDN authority.
 #
 # Optional
 # Default: empty
 #
---certificatesResolvers.myresolver.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 
 # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
 #
@@ -85,4 +85,4 @@
 # Optional
 # Default: false
 #
---certificatesResolvers.myresolver.acme.dnsChallenge.disablePropagationCheck=true
+--certificatesresolvers.myresolver.acme.dnschallenge.disablepropagationcheck=true

docs/content/https/tls.md

@@ -130,6 +130,20 @@ tls:
 
 If no default certificate is provided, Traefik generates and uses a self-signed certificate.
 
+## Domain fronting
+
+Basically, [domain fronting](https://en.wikipedia.org/wiki/Domain_fronting) is a technique that allows to open a 
+connection with a specific domain name, thanks to the 
+[Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication), then access a service with another 
+domain set in the HTTP `Host` header.
+
+Since the `v2.2.4`, Traefik has the option to avoid domain fronting thanks to the `insecureSNI` global flag.
+As it is valid for advanced use cases, the `HostHeader` and `HostSNI` [rules](../routing/routers/index.md#rule) allow 
+to fine tune the routing with the `Server Name Indication` and `Host header` value.
+
+If you encounter routing issues with a previously working configuration, please refer to the 
+[migration guide](../migration/v2.md) to update your configuration.
+
 ## TLS Options
 
 The TLS options allow one to configure some parameters of the TLS connection.
@@ -317,7 +331,7 @@ spec:
 ### Strict SNI Checking
 
 With strict SNI checking, Traefik won't allow connections from clients connections
-that do not specify a server_name extension.
+that do not specify a server_name extension or don't match any certificate configured on the tlsOption.
 
 ```toml tab="File (TOML)"
 # Dynamic configuration

docs/content/middlewares/basicauth.md

@@ -12,9 +12,11 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 ```yaml tab="Docker"
 # Declaring the user list
 #
-# Note: all dollar signs in the hash need to be doubled for escaping.
+# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+#
+# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```

docs/content/middlewares/headers.md

@@ -151,8 +151,8 @@ metadata:
   name: testHeader
 spec:
   headers:
-    frameDeny: "true"
-    sslRedirect: "true"
+    frameDeny: true
+    sslRedirect: true
 ```
 
 ```yaml tab="Consul Catalog"
@@ -217,7 +217,7 @@ spec:
       - "https://foo.bar.org"
       - "https://example.org"
     accessControlMaxAge: 100
-    addVaryHeader: "true"
+    addVaryHeader: true
 ```
 
 ```yaml tab="Consul Catalog"
@@ -311,7 +311,7 @@ This value can contains a list of allowed origins.
 More information including how to use the settings can be found on:
 
 - [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
-- [w3](https://www.w3.org/TR/cors/#access-control-allow-origin-response-header)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
 - [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
 
 Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).

docs/content/middlewares/redirectscheme.md

@@ -208,7 +208,7 @@ metadata:
 spec:
   redirectScheme:
     # ...
-    port: 443
+    port: "443"
 ```
 
 ```yaml tab="Consul Catalog"
@@ -247,5 +247,7 @@ http:
     test-redirectscheme:
       redirectScheme:
         # ...
-        port: 443
+        port: "443"
 ```
+
+!!! info "Port in this configuration is a string, not a numeric value."

docs/content/migration/v1-to-v2.md

@@ -97,7 +97,7 @@ Then any router can refer to an instance of the wanted middleware.
 
     ```yaml tab="Docker"
     labels:
-      - "traefik.http.routers.router0.rule=Host(`example.com`) && PathPrefix(`/test`)"
+      - "traefik.http.routers.router0.rule=Host(`test.localhost`) && PathPrefix(`/test`)"
       - "traefik.http.routers.router0.middlewares=auth"
       - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
     ```

docs/content/migration/v2.md

@@ -1,5 +1,38 @@
 # Migration: Steps needed between the versions
 
+## v2.x to v2.2.2
+
+### Domain fronting
+
+In `v2.2.2` we introduced the ability to avoid [Domain fronting](https://en.wikipedia.org/wiki/Domain_fronting) for [https routers](../routing/routers/index.md#rule) configured with ```Host(`something`)``` but we disabled it for compatibility reasons by default.
+
+Nothing special is required to keep the previous behavior.
+
+However, a new flag is available as a global option to disable domain fronting.
+
+!!! example "Disabling Domain Fronting for All Routers"
+    
+    ```toml tab="File (TOML)"
+    # Static configuration
+    [global]
+      # Disabling domain fronting
+      insecureSNI = false
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # Static configuration
+    global:
+      # Disabling domain fronting
+      insecureSNI: false
+    ```
+    
+    ```bash tab="CLI"
+    # Disabling domain fronting
+    --global.insecureSNI=false
+    ```
+
+To fine tune the HTTPS routing with Domain Fronting disabled, two new HTTP rules `HostSNI` and `HostHeader` are available. 
+
 ## v2.0 to v2.1
 
 ### Kubernetes CRD

docs/content/observability/access-logs.md

@@ -111,9 +111,9 @@ accessLog:
 --accesslog.filters.minduration=10ms
 ```
 
-### Limiting the Fields
+### Limiting the Fields/Including Headers
 
-You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options
+You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.headers` options.
 
 Each field can be set to:
 
@@ -121,7 +121,7 @@ Each field can be set to:
 - `drop` to drop the value
 - `redact` to replace the value with "redacted"
 
-The `defaultMode` for `fields.header` is `drop`.
+The `defaultMode` for `fields.headers` is `drop`.
 
 ```toml tab="File (TOML)"
 # Limiting the Logs to Specific Fields
@@ -181,10 +181,10 @@ accessLog:
     | `StartUTC`              | The time at which request processing started.                                                                                                                       |
     | `StartLocal`            | The local time at which request processing started.                                                                                                                 |
     | `Duration`              | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time.                                  |
-    | `FrontendName`          | The name of the Traefik frontend.                                                                                                                                   |
-    | `BackendName`           | The name of the Traefik backend.                                                                                                                                    |
-    | `BackendURL`            | The URL of the Traefik backend.                                                                                                                                     |
-    | `BackendAddr`           | The IP:port of the Traefik backend (extracted from `BackendURL`)                                                                                                    |
+    | `RouterName`            | The name of the Traefik  router.                                                                                                                                    |
+    | `ServiceName`           | The name of the Traefik backend.                                                                                                                                    |
+    | `ServiceURL`            | The URL of the Traefik backend.                                                                                                                                     |
+    | `ServiceAddr`           | The IP:port of the Traefik backend (extracted from `ServiceURL`)                                                                                                    |
     | `ClientAddr`            | The remote address in its original form (usually IP:port).                                                                                                          |
     | `ClientHost`            | The remote IP address from which the client request was received.                                                                                                   |
     | `ClientPort`            | The remote TCP port from which the client request was received.                                                                                                     |

docs/content/operations/dashboard.md

@@ -72,9 +72,6 @@ to allow defining:
 - A [router rule](#dashboard-router-rule) for accessing the dashboard,
   through Traefik itself (sometimes referred as "Traefik-ception").
 
-??? example "Dashboard Dynamic Configuration Examples"
-    --8<-- "content/operations/include-api-examples.md"
-
 ### Dashboard Router Rule
 
 As underlined in the [documentation for the `api.dashboard` option](./api.md#dashboard),
@@ -99,6 +96,9 @@ rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```
 
+??? example "Dashboard Dynamic Configuration Examples"
+    --8<-- "content/operations/include-dashboard-examples.md"
+
 ## Insecure Mode
 
 This mode is not recommended because it does not allow the use of security features.

docs/content/operations/include-dashboard-examples.md

@@ -0,0 +1,101 @@
+```yaml tab="Docker"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  - "traefik.http.routers.dashboard.service=api@internal"
+  - "traefik.http.routers.dashboard.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Docker (Swarm)"
+# Dynamic Configuration
+deploy:
+  labels:
+    - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+    - "traefik.http.routers.dashboard.service=api@internal"
+    - "traefik.http.routers.dashboard.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+    # Dummy service for Swarm port detection. The port can be any valid integer value.
+    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
+```
+
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
+```yaml tab="Consul Catalog"
+# Dynamic Configuration
+- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+- "traefik.http.routers.dashboard.service=api@internal"
+- "traefik.http.routers.dashboard.middlewares=auth"
+- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.dashboard.rule": "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
+  "traefik.http.routers.dashboard.service": "api@internal",
+  "traefik.http.routers.dashboard.middlewares": "auth",
+  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  - "traefik.http.routers.dashboard.service=api@internal"
+  - "traefik.http.routers.dashboard.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
+```yaml tab="File (YAML)"
+# Dynamic Configuration
+http:
+  routers:
+    dashboard:
+      rule: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```

docs/content/providers/docker.md

@@ -154,7 +154,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
 
         - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
         - Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
-        - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
+        - Authorization with the [Docker Authorization Plugin Mechanism](https://web.archive.org/web/20190920092526/https://docs.docker.com/engine/extend/plugins_authorization/)
         - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
         - Accounting at container level, by exposing the socket on a another container than Traefik's.
           With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.

docs/content/providers/file.md

@@ -191,14 +191,14 @@ providers:
 ### Go Templating
 
 !!! warning
-    Go Templating only works along with dedicated dynamic configuration files.
+    Go Templating only works with dedicated dynamic configuration files.
     Templating does not work in the Traefik main static configuration file.
 
-Traefik allows using Go templating,
-it must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
+Traefik supports using Go templating to automatically generate repetitive portions of configuration files.
+These sections must be valid [Go templates](https://golang.org/pkg/text/template/),
+augmented with the [Sprig template functions](http://masterminds.github.io/sprig/).
 
-Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the following examples:
+To illustrate, it's possible to easily define multiple routers, services, and TLS certificates as described in the following examples:
 
 ??? example "Configuring Using Templating"
     

docs/content/providers/kubernetes-ingress.md

@@ -358,17 +358,3 @@ providers:
 
 If one wants to know more about the various aspects of the Ingress spec that Traefik supports,
 many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.2/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
-
-## LetsEncrypt Support with the Ingress Provider
-
-By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
-For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
-
-When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
-Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
-
-If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
-
-If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
-When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).

docs/content/reference/static-configuration/cli-ref.md

@@ -162,6 +162,9 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 `--global.checknewversion`:  
 Periodically check if a new version has been released. (Default: ```false```)
 
+`--global.insecuresni`:  
+Allow domain fronting. If the option is not specified, it will be enabled by default. (Default: ```true```)
+
 `--global.sendanonymoususage`:  
 Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)
 

docs/content/reference/static-configuration/env-ref.md

@@ -162,6 +162,9 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 `TRAEFIK_GLOBAL_CHECKNEWVERSION`:  
 Periodically check if a new version has been released. (Default: ```false```)
 
+`TRAEFIK_GLOBAL_INSECURESNI`:  
+Allow domain fronting. If the option is not specified, it will be enabled by default. (Default: ```true```)
+
 `TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:  
 Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)
 

docs/content/reference/static-configuration/file.toml

@@ -1,6 +1,7 @@
 [global]
   checkNewVersion = true
   sendAnonymousUsage = true
+  insecureSNI = false
 
 [serversTransport]
   insecureSkipVerify = true

docs/content/reference/static-configuration/file.yaml

@@ -1,6 +1,8 @@
 global:
   checkNewVersion: true
   sendAnonymousUsage: true
+  insecureSNI: false
+
 serversTransport:
   insecureSkipVerify: true
   rootCAs:

docs/content/routing/providers/docker.md

@@ -291,7 +291,7 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     See [health check](../services/index.md#health-check) for more information.
 
     ```yaml
-    - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10"
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"

docs/content/routing/providers/kubernetes-crd.md

@@ -108,24 +108,24 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
       name: myingressroute
       namespace: default
     
-    spec:
-      entryPoints:
-        - web
+      spec:
+        entryPoints:
+          - web
     
-      routes:
-      - match: Host(`foo`) && PathPrefix(`/bar`)
-        kind: Rule
-        services:
-        - name: whoami
-          port: 80
+        routes:
+          - match: Host(`foo`) && PathPrefix(`/bar`)
+            kind: Rule
+            services:
+            - name: whoami
+              port: 80
     
     ---
     apiVersion: traefik.containo.us/v1alpha1
-      kind: IngressRouteTCP
-      metadata:
-        name: ingressroute.tcp
+    kind: IngressRouteTCP
+    metadata:
+      name: ingressroute.tcp
       namespace: default
-      
+    
       spec:
         entryPoints:
           - tcpep
@@ -135,22 +135,22 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
             services:
               - name: whoamitcp
                 port: 8080
-        
+    
     ---
     apiVersion: traefik.containo.us/v1alpha1
-       kind: IngressRouteUDP
-       metadata:
-         name: ingressroute.udp
-         namespace: default
-         
-       spec:
-         entryPoints:
-           - fooudp
-         routes:
-           - kind: Rule
-             services:
-               - name: whoamiudp
-                 port: 8080
+    kind: IngressRouteUDP
+    metadata:
+      name: ingressroute.udp
+      namespace: default
+    
+      spec:
+        entryPoints:
+          - fooudp
+        routes:
+          - kind: Rule
+            services:
+              - name: whoamiudp
+                port: 8080
     ```
     
     ```yaml tab="Whoami"

docs/content/routing/providers/kubernetes-ingress.md

@@ -202,7 +202,7 @@ which in turn will create the resulting routers, services, handlers, etc.
     See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information.
 
     ```yaml
-    traefik.ingress.kubernetes.io/router.middlewares: auth@file,prefix@kuberntescrd,cb@file
+    traefik.ingress.kubernetes.io/router.middlewares: auth@file,prefix@kubernetescrd,cb@file
     ```
 
 ??? info "`traefik.ingress.kubernetes.io/router.priority`"
@@ -282,12 +282,12 @@ which in turn will create the resulting routers, services, handlers, etc.
     traefik.ingress.kubernetes.io/service.passhostheader: "true"
     ```
 
-??? info "`traefik.ingress.kubernetes.io/service.sticky`"
+??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie`"
 
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
 
     ```yaml
-    traefik.ingress.kubernetes.io/service.sticky: "true"
+    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
     ```
 
 ??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.name`"

docs/content/routing/routers/index.md

@@ -228,16 +228,18 @@ If the rule is verified, the router becomes active, calls middlewares, and then
 
 The table below lists all the available matchers:
 
-| Rule                                                                   | Description                                                                                                    |
-|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
-| ```Headers(`key`, `value`)```                                          | Check if there is a key `key`defined in the headers, with the value `value`                                    |
-| ```HeadersRegexp(`key`, `regexp`)```                                   | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
-| ```Host(`example.com`, ...)```                                         | Check if the request domain targets one of the given `domains`.                                                |
-| ```HostRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``` | Check if the request domain matches the given `regexp`.                                                        |
-| ```Method(`GET`, ...)```                                               | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`)            |
-| ```Path(`/path`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`, ...)```         | Match exact request path. It accepts a sequence of literal and regular expression paths.                       |
-| ```PathPrefix(`/products/`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`)```   | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths.               |
-| ```Query(`foo=bar`, `bar=baz`)```                                      | Match Query String parameters. It accepts a sequence of key=value pairs.                                       |
+| Rule                                                                   | Description                                                                                                                                                                                                     |
+|------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| ```Headers(`key`, `value`)```                                          | Check if there is a key `key`defined in the headers, with the value `value`                                                                                                                                     |
+| ```HeadersRegexp(`key`, `regexp`)```                                   | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp`                                                                                                  |
+| ```Host(`example.com`, ...)```                                         | By default, is equivalent to `HostHeader` **AND** `HostSNI` rules. See [Domain Fronting](../../https/tls.md#domain-fronting) and the [migration guide](../../migration/v2.md#domain-fronting) for more details. |
+| ```HostHeader(`example.com`, ...)```                                   | Check if the request domain (host header value) targets one of the given `domains`.                                                                                                                             |
+| ```HostSNI(`example.com`, ...)```                                      | Check if the [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication) corresponds to the given `domains`.                                                                                 |
+| ```HostRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``` | Check if the request domain matches the given `regexp`.                                                                                                                                                         |
+| ```Method(`GET`, ...)```                                               | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`)                                                                                                             |
+| ```Path(`/path`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`, ...)```         | Match exact request path. It accepts a sequence of literal and regular expression paths.                                                                                                                        |
+| ```PathPrefix(`/products/`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`)```   | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths.                                                                                                                |
+| ```Query(`foo=bar`, `bar=baz`)```                                      | Match Query String parameters. It accepts a sequence of key=value pairs.                                                                                                                                        | 
 
 !!! important "Regexp Syntax"
 

docs/mkdocs.yml

@@ -26,11 +26,7 @@ theme:
     prev: 'Previous'
     next: 'Next'
 
-copyright: "Copyright © 2016-2019 Containous"
-
-google_analytics:
-  - 'UA-51880359-3'
-  - 'docs.traefik.io'
+copyright: "Copyright © 2016-2020 Containous"
 
 extra_css:
   - assets/styles/extra.css # Our custom styles

docs/theme/main.html

@@ -1,5 +1,15 @@
 {% extends "base.html" %}
 
+{% block analytics %}
+<!-- Google Tag Manager -->
+<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+      new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+    j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+    'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+  })(window,document,'script','dataLayer','GTM-NMWC63S');</script>
+<!-- End Google Tag Manager -->
+{% endblock %}
+
 {% block footer %}
 
 {% import "partials/language.html" as lang with context %}

go.mod

@@ -36,7 +36,7 @@ require (
 	github.com/fatih/structs v1.1.0
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
 	github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2
-	github.com/go-acme/lego/v3 v3.6.0
+	github.com/go-acme/lego/v3 v3.8.0
 	github.com/go-check/check v0.0.0-00010101000000-000000000000
 	github.com/go-kit/kit v0.9.0
 	github.com/gogo/protobuf v1.3.0 // indirect

go.sum

@@ -117,8 +117,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/aws/aws-sdk-go v1.16.23/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.23.0 h1:ilfJN/vJtFo1XDFxB2YMBYGeOvGZl6Qow17oyD4+Z9A=
-github.com/aws/aws-sdk-go v1.23.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.30.20 h1:ktsy2vodSZxz/arYqo7DlpkIeNohHL+4Rmjdo7YGtrE=
+github.com/aws/aws-sdk-go v1.30.20/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -126,6 +126,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/c0va23/go-proxyprotocol v0.9.1 h1:5BCkp0fDJOhzzH1lhjUgHhmZz9VvRMMif1U2D31hb34=
 github.com/c0va23/go-proxyprotocol v0.9.1/go.mod h1:TNjUV+llvk8TvWJxlPYAeAYZgSzT/iicNr3nWBWX320=
 github.com/cenkalti/backoff/v4 v4.0.0 h1:6VeaLF9aI+MAUQ95106HwWzYZgJJpZ4stumjj6RFYAU=
@@ -194,8 +196,8 @@ github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TR
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
 github.com/dnaeon/go-vcr v0.0.0-20180814043457-aafff18a5cc2 h1:G9/PqfhOrt8JXnw0DGTfVoOkKHDhOlEZqhE/cu+NvQM=
 github.com/dnaeon/go-vcr v0.0.0-20180814043457-aafff18a5cc2/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
-github.com/dnsimple/dnsimple-go v0.30.0 h1:IBIrn9jMKRMwporIRwdFyKdnHXVmwy6obnguB+ZMDIY=
-github.com/dnsimple/dnsimple-go v0.30.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c71tQlGr9SeGrg=
+github.com/dnsimple/dnsimple-go v0.60.0 h1:N+q+ML1CZGf+5r4udu9Opy7WJNtOaFT9aM86Af9gLhk=
+github.com/dnsimple/dnsimple-go v0.60.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c71tQlGr9SeGrg=
 github.com/docker/cli v0.0.0-20200221155518-740919cc7fc0 h1:hlGHcYGaaHs/yffSubcUKlp8TyV1v7qhcZZ5nGNQ2Fw=
 github.com/docker/cli v0.0.0-20200221155518-740919cc7fc0/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
@@ -259,8 +261,8 @@ github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2/go.mod h1:GLy
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-acme/lego/v3 v3.6.0 h1:Rv0MrX3DpVp9Xg77yR7x+PCksLLph3Ut/69/9Kim8ac=
-github.com/go-acme/lego/v3 v3.6.0/go.mod h1:sB/T7hfyz0HYIBvPmz/C8jIaxF6scbbiGKTzbQ22V6A=
+github.com/go-acme/lego/v3 v3.8.0 h1:9OOEn54eZvEPRRdM7xiC5f7EBW0MlEeChr+kzlIhdN8=
+github.com/go-acme/lego/v3 v3.8.0/go.mod h1:kYiHYgSRzb1l2NQPWvWvkVG5etNCusGFsZc2MTak3m0=
 github.com/go-cmd/cmd v1.0.5/go.mod h1:y8q8qlK5wQibcw63djSl/ntiHUHXHGdCkPk0j4QeW4s=
 github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
@@ -289,6 +291,7 @@ github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dp
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
@@ -403,6 +406,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0 h1:wvCrVc9TjDls6+YGAF2hAifE1E5U1+b4tH6K
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-hclog v0.9.2 h1:CG6TE5H9/JXsFWJCfoIVpKFIkFe6ysEuHirp4DxCsHI=
+github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-immutable-radix v1.0.0 h1:AKDB1HM5PWEA7i4nhcpwOrO2byshxBjXVn/J/3+z5/0=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
@@ -412,6 +417,8 @@ github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:
 github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
+github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM=
+github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-rootcerts v1.0.0 h1:Rqb66Oo1X/eSV1x66xbDccZjhJigjg0+e82kpwzSwCI=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-sockaddr v1.0.0 h1:GeH6tui99pF4NJgfnhp+L6+FfobzVW3Ah46sLo0ICXs=
@@ -451,6 +458,8 @@ github.com/jcmturner/gofork v0.0.0-20190328161633-dc7c13fece03/go.mod h1:MK8+TM0
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
+github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 h1:rp+c0RAYOWj8l6qbCUTSiRLG/iKnW3K3/QfPPuSsBt4=
 github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901/go.mod h1:Z86h9688Y0wesXCyonoVr47MasHilkuLMqGhRZ4Hpak=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
@@ -471,8 +480,8 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kolo/xmlrpc v0.0.0-20190717152603-07c4ee3fd181 h1:TrxPzApUukas24OMMVDUMlCs1XCExJtnGaDEiIAR4oQ=
-github.com/kolo/xmlrpc v0.0.0-20190717152603-07c4ee3fd181/go.mod h1:o03bZfuBwAXHetKXuInt4S7omeXUu62/A845kiycsSQ=
+github.com/kolo/xmlrpc v0.0.0-20200310150728-e0350524596b h1:DzHy0GlWeF0KAglaTMY7Q+khIFoG8toHP+wLFBVBQJc=
+github.com/kolo/xmlrpc v0.0.0-20200310150728-e0350524596b/go.mod h1:o03bZfuBwAXHetKXuInt4S7omeXUu62/A845kiycsSQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -538,6 +547,8 @@ github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0Qu
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.3.1 h1:cCBH2gTD2K0OtLlv/Y5H01VQCqmlDxz30kS5Y5bqfLA=
+github.com/mitchellh/mapstructure v1.3.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -560,8 +571,8 @@ github.com/nrdcg/auroradns v1.0.1 h1:m/kBq83Xvy3cU261MOknd8BdnOk12q4lAWM+kOdsC2Y
 github.com/nrdcg/auroradns v1.0.1/go.mod h1:y4pc0i9QXYlFCWrhWrUSIETnZgrf4KuwjDIWmmXo3JI=
 github.com/nrdcg/dnspod-go v0.4.0 h1:c/jn1mLZNKF3/osJ6mz3QPxTudvPArXTjpkmYj0uK6U=
 github.com/nrdcg/dnspod-go v0.4.0/go.mod h1:vZSoFSFeQVm2gWLMkyX61LZ8HI3BaqtHZWgPTGKr6KQ=
-github.com/nrdcg/goinwx v0.6.1 h1:AJnjoWPELyCtofhGcmzzcEMFd9YdF2JB/LgutWsWt/s=
-github.com/nrdcg/goinwx v0.6.1/go.mod h1:XPiut7enlbEdntAqalBIqcYcTEVhpv/dKWgDCX2SwKQ=
+github.com/nrdcg/goinwx v0.7.0 h1:j6JlOp0nNwtvaP09TvKqc9pktjH81nOad0+Gx9S1t9U=
+github.com/nrdcg/goinwx v0.7.0/go.mod h1:4tKJOCi/1lTxuw9/yB2Ez0aojwtUCSkckjc22eALpqE=
 github.com/nrdcg/namesilo v0.2.1 h1:kLjCjsufdW/IlC+iSfAqj0iQGgKjlbUUeDJio5Y6eMg=
 github.com/nrdcg/namesilo v0.2.1/go.mod h1:lwMvfQTyYq+BbjJd30ylEG4GPSS6PII0Tia4rRpRiyw=
 github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
@@ -620,11 +631,15 @@ github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok=
+github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
@@ -732,8 +747,8 @@ github.com/vulcand/oxy v1.1.0 h1:DbBijGo1+6cFqR9jarkMxasdj0lgWwrrFtue6ijek4Q=
 github.com/vulcand/oxy v1.1.0/go.mod h1:ADiMYHi8gkGl2987yQIzDRoXZilANF4WtKaQ92OppKY=
 github.com/vulcand/predicate v1.1.0 h1:Gq/uWopa4rx/tnZu2opOSBqHK63Yqlou/SzrbwdJiNg=
 github.com/vulcand/predicate v1.1.0/go.mod h1:mlccC5IRBoc2cIFmCB8ZM62I3VDb6p2GXESMHa3CnZg=
-github.com/vultr/govultr v0.1.4 h1:UnNMixYFVO0p80itc8PcweoVENyo1PasfvwKhoasR9U=
-github.com/vultr/govultr v0.1.4/go.mod h1:9H008Uxr/C4vFNGLqKx232C206GL0PBHzOP0809bGNA=
+github.com/vultr/govultr v0.4.2 h1:9i8xKZ+xp6vwZ9raqHoBLzhB4wCnMj7nOQTj5YIRLWY=
+github.com/vultr/govultr v0.4.2/go.mod h1:TUuUizMOFc7z+PNMssb6iGjKjQfpw5arIaOLfocVudQ=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=

integration/access_log_test.go

@@ -24,7 +24,7 @@ const (
 	traefikTestAccessLogFile = "access.log"
 )
 
-// AccessLogSuite
+// AccessLogSuite tests suite.
 type AccessLogSuite struct{ BaseSuite }
 
 type accessLogValue struct {
@@ -111,6 +111,20 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontend(c *check.C) {
 			routerName: "rt-authFrontend",
 			serviceURL: "-",
 		},
+		{
+			formatOnly: false,
+			code:       "401",
+			user:       "test",
+			routerName: "rt-authFrontend",
+			serviceURL: "-",
+		},
+		{
+			formatOnly: false,
+			code:       "200",
+			user:       "test",
+			routerName: "rt-authFrontend",
+			serviceURL: "http://172.17.0",
+		},
 	}
 
 	// Start Traefik
@@ -130,7 +144,7 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontend(c *check.C) {
 	// Verify Traefik started OK
 	checkTraefikStarted(c)
 
-	// Test auth frontend
+	// Test auth entrypoint
 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8006/", nil)
 	c.Assert(err, checker.IsNil)
 	req.Host = "frontend.auth.docker.local"
@@ -138,6 +152,16 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontend(c *check.C) {
 	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusUnauthorized), try.HasBody())
 	c.Assert(err, checker.IsNil)
 
+	req.SetBasicAuth("test", "")
+
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusUnauthorized), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	req.SetBasicAuth("test", "test")
+
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
 	// Verify access.log output as expected
 	count := checkAccessLogExactValuesOutput(c, expected)
 
@@ -158,6 +182,13 @@ func (s *AccessLogSuite) TestAccessLogDigestAuthMiddleware(c *check.C) {
 			routerName: "rt-digestAuthMiddleware",
 			serviceURL: "-",
 		},
+		{
+			formatOnly: false,
+			code:       "401",
+			user:       "test",
+			routerName: "rt-digestAuthMiddleware",
+			serviceURL: "-",
+		},
 		{
 			formatOnly: false,
 			code:       "200",
@@ -192,15 +223,22 @@ func (s *AccessLogSuite) TestAccessLogDigestAuthMiddleware(c *check.C) {
 	resp, err := try.ResponseUntilStatusCode(req, 500*time.Millisecond, http.StatusUnauthorized)
 	c.Assert(err, checker.IsNil)
 
-	digestParts := digestParts(resp)
-	digestParts["uri"] = "/"
-	digestParts["method"] = http.MethodGet
-	digestParts["username"] = "test"
-	digestParts["password"] = "test"
+	digest := digestParts(resp)
+	digest["uri"] = "/"
+	digest["method"] = http.MethodGet
+	digest["username"] = "test"
+	digest["password"] = "wrong"
 
-	req.Header.Set("Authorization", getDigestAuthorization(digestParts))
+	req.Header.Set("Authorization", getDigestAuthorization(digest))
 	req.Header.Set("Content-Type", "application/json")
 
+	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusUnauthorized), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	digest["password"] = "test"
+
+	req.Header.Set("Authorization", getDigestAuthorization(digest))
+
 	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasBody())
 	c.Assert(err, checker.IsNil)
 
@@ -562,7 +600,7 @@ func extractLines(c *check.C) []string {
 func checkStatsForLogFile(c *check.C) {
 	err := try.Do(1*time.Second, func() error {
 		if _, errStat := os.Stat(traefikTestLogFile); errStat != nil {
-			return fmt.Errorf("could not get stats for log file: %s", errStat)
+			return fmt.Errorf("could not get stats for log file: %w", errStat)
 		}
 		return nil
 	})

integration/acme_test.go

@@ -20,7 +20,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// ACME test suites (using libcompose)
+// ACME test suites (using libcompose).
 type AcmeSuite struct {
 	BaseSuite
 	pebbleIP      string
@@ -74,7 +74,7 @@ func setupPebbleRootCA() (*http.Transport, error) {
 
 	certPool := x509.NewCertPool()
 	if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
-		return nil, fmt.Errorf("error creating x509 cert pool from %q: %v", path, err)
+		return nil, fmt.Errorf("error creating x509 cert pool from %q: %w", path, err)
 	}
 
 	return &http.Transport{
@@ -394,7 +394,7 @@ func (s *AcmeSuite) TestTLSALPN01DomainsInSAN(c *check.C) {
 	s.retrieveAcmeCertificate(c, testCase)
 }
 
-// Test Let's encrypt down
+// Test Let's encrypt down.
 func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
 	file := s.adaptFile(c, "fixtures/acme/acme_base.toml", templateModel{
 		Acme: map[string]static.CertificateResolver{
@@ -417,7 +417,7 @@ func (s *AcmeSuite) TestNoValidLetsEncryptServer(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }
 
-// Doing an HTTPS request and test the response certificate
+// Doing an HTTPS request and test the response certificate.
 func (s *AcmeSuite) retrieveAcmeCertificate(c *check.C, testCase acmeTestCase) {
 	if len(testCase.template.PortHTTP) == 0 {
 		testCase.template.PortHTTP = ":5002"

integration/consul_catalog_test.go

@@ -47,7 +47,7 @@ func (s *ConsulCatalogSuite) waitToElectConsulLeader() error {
 		leader, err := s.consulClient.Status().Leader()
 
 		if err != nil || len(leader) == 0 {
-			return fmt.Errorf("leader not found. %v", err)
+			return fmt.Errorf("leader not found. %w", err)
 		}
 
 		return nil

integration/consul_test.go

@@ -19,7 +19,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Consul test suites (using libcompose)
+// Consul test suites (using libcompose).
 type ConsulSuite struct {
 	BaseSuite
 	kvClient store.Store
@@ -138,7 +138,7 @@ func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 	expectedJSON := filepath.FromSlash("testdata/rawdata-consul.json")
 
 	if *updateExpected {
-		err = ioutil.WriteFile(expectedJSON, got, 0666)
+		err = ioutil.WriteFile(expectedJSON, got, 0o666)
 		c.Assert(err, checker.IsNil)
 	}
 

integration/docker_compose_test.go

@@ -18,7 +18,7 @@ const (
 	composeProject = "minimal"
 )
 
-// Docker test suites
+// Docker tests suite.
 type DockerComposeSuite struct {
 	BaseSuite
 }
@@ -36,8 +36,8 @@ func (s *DockerComposeSuite) TearDownSuite(c *check.C) {
 }
 
 func (s *DockerComposeSuite) TestComposeScale(c *check.C) {
-	var serviceCount = 2
-	var composeService = "whoami1"
+	serviceCount := 2
+	composeService := "whoami1"
 
 	s.composeProject.Scale(c, composeService, serviceCount)
 

integration/docker_test.go

@@ -17,14 +17,14 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Images to have or pull before the build in order to make it work
-// FIXME handle this offline but loading them before build
+// Images to have or pull before the build in order to make it work.
+// FIXME handle this offline but loading them before build.
 var RequiredImages = map[string]string{
 	"swarm":             "1.0.0",
 	"containous/whoami": "latest",
 }
 
-// Docker test suites
+// Docker tests suite.
 type DockerSuite struct {
 	BaseSuite
 	project *docker.Project
@@ -43,7 +43,7 @@ func (s *DockerSuite) startContainerWithLabels(c *check.C, image string, labels
 	})
 }
 
-func (s *DockerSuite) startContainerWithNameAndLabels(c *check.C, name string, image string, labels map[string]string, args ...string) string {
+func (s *DockerSuite) startContainerWithNameAndLabels(c *check.C, name, image string, labels map[string]string, args ...string) string {
 	return s.startContainerWithConfig(c, image, d.ContainerConfig{
 		Name:   name,
 		Cmd:    args,

integration/error_pages_test.go

@@ -10,7 +10,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// ErrorPagesSuite test suites (using libcompose)
+// ErrorPagesSuite test suites (using libcompose).
 type ErrorPagesSuite struct {
 	BaseSuite
 	ErrorPageIP string

integration/etcd_test.go

@@ -19,7 +19,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// etcd test suites (using libcompose)
+// etcd test suites (using libcompose).
 type EtcdSuite struct {
 	BaseSuite
 	kvClient store.Store
@@ -138,7 +138,7 @@ func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 	expectedJSON := filepath.FromSlash("testdata/rawdata-etcd.json")
 
 	if *updateExpected {
-		err = ioutil.WriteFile(expectedJSON, got, 0666)
+		err = ioutil.WriteFile(expectedJSON, got, 0o666)
 		c.Assert(err, checker.IsNil)
 	}
 

integration/file_test.go

@@ -10,7 +10,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// File test suites
+// File tests suite.
 type FileSuite struct{ BaseSuite }
 
 func (s *FileSuite) SetUpSuite(c *check.C) {
@@ -32,7 +32,7 @@ func (s *FileSuite) TestSimpleConfiguration(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }
 
-// #56 regression test, make sure it does not fail
+// #56 regression test, make sure it does not fail?
 func (s *FileSuite) TestSimpleConfigurationNoPanic(c *check.C) {
 	cmd, display := s.traefikCmd(withConfigFile("fixtures/file/56-simple-panic.toml"))
 	defer display(c)

integration/fixtures/grpc/config.toml

@@ -22,7 +22,7 @@
 
 [http.routers]
   [http.routers.router1]
-    rule = "Host(`127.0.0.1`)"
+    rule = "Host(`localhost`)"
     service = "service1"
     [http.routers.router1.tls]
 

integration/fixtures/grpc/config_h2c_termination.toml

@@ -19,7 +19,7 @@
 
 [http.routers]
   [http.routers.router1]
-    rule = "Host(`127.0.0.1`)"
+    rule = "Host(`localhost`)"
     service = "service1"
     [http.routers.router1.tls]
 

integration/fixtures/grpc/config_insecure.toml

@@ -22,7 +22,7 @@
 
 [http.routers]
   [http.routers.router1]
-    rule = "Host(`127.0.0.1`)"
+    rule = "Host(`localhost`)"
     service = "service1"
     [http.routers.router1.tls]
 

integration/fixtures/grpc/config_retry.toml

@@ -22,7 +22,7 @@
 
 [http.routers]
   [http.routers.router1]
-    rule = "Host(`127.0.0.1`)"
+    rule = "Host(`localhost`)"
     service = "service1"
     middlewares = ["retryer"]
     [http.routers.router1.tls]

integration/fixtures/headers/secure.toml

@@ -2,6 +2,9 @@
   checkNewVersion = false
   sendAnonymousUsage = false
 
+[api]
+  insecure = true
+
 [log]
   level = "DEBUG"
 
@@ -24,6 +27,11 @@
     rule = "Host(`test2.localhost`)"
     service = "service1"
 
+  [http.routers.router3]
+    rule = "Host(`internal.localhost`)"
+    middlewares = ["secure"]
+    service = "api@internal"
+
 [http.middlewares]
   [http.middlewares.secure.headers]
     featurePolicy = "vibrate 'none';"

integration/grpc_test.go

@@ -19,12 +19,14 @@ import (
 	"google.golang.org/grpc/credentials"
 )
 
-var LocalhostCert []byte
-var LocalhostKey []byte
+var (
+	LocalhostCert []byte
+	LocalhostKey  []byte
+)
 
 const randCharset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
 
-// GRPCSuite
+// GRPCSuite tests suite.
 type GRPCSuite struct{ BaseSuite }
 
 type myserver struct {
@@ -84,7 +86,7 @@ func starth2cGRPCServer(lis net.Listener, server *myserver) error {
 func getHelloClientGRPC() (helloworld.GreeterClient, func() error, error) {
 	roots := x509.NewCertPool()
 	roots.AppendCertsFromPEM(LocalhostCert)
-	credsClient := credentials.NewClientTLSFromCert(roots, "")
+	credsClient := credentials.NewClientTLSFromCert(roots, "localhost")
 	conn, err := grpc.Dial("127.0.0.1:4443", grpc.WithTransportCredentials(credsClient))
 	if err != nil {
 		return nil, func() error { return nil }, err
@@ -165,7 +167,7 @@ func (s *GRPCSuite) TestGRPC(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`localhost`)"))
 	c.Assert(err, check.IsNil)
 
 	var response string
@@ -245,7 +247,7 @@ func (s *GRPCSuite) TestGRPCh2cTermination(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`localhost`)"))
 	c.Assert(err, check.IsNil)
 
 	var response string
@@ -287,7 +289,7 @@ func (s *GRPCSuite) TestGRPCInsecure(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`localhost`)"))
 	c.Assert(err, check.IsNil)
 
 	var response string
@@ -334,7 +336,7 @@ func (s *GRPCSuite) TestGRPCBuffer(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`localhost`)"))
 	c.Assert(err, check.IsNil)
 	var client helloworld.Greeter_StreamExampleClient
 	client, closer, err := callStreamExampleClientGRPC()
@@ -393,7 +395,7 @@ func (s *GRPCSuite) TestGRPCBufferWithFlushInterval(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`localhost`)"))
 	c.Assert(err, check.IsNil)
 
 	var client helloworld.Greeter_StreamExampleClient
@@ -451,7 +453,7 @@ func (s *GRPCSuite) TestGRPCWithRetry(c *check.C) {
 	defer cmd.Process.Kill()
 
 	// wait for Traefik
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`127.0.0.1`)"))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("Host(`localhost`)"))
 	c.Assert(err, check.IsNil)
 
 	var response string

integration/headers_test.go

@@ -10,7 +10,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Headers test suites
+// Headers tests suite.
 type HeadersSuite struct{ BaseSuite }
 
 func (s *HeadersSuite) TestSimpleConfiguration(c *check.C) {
@@ -131,16 +131,18 @@ func (s *HeadersSuite) TestSecureHeadersResponses(c *check.C) {
 	c.Assert(err, checker.IsNil)
 
 	testCase := []struct {
-		desc     string
-		expected http.Header
-		reqHost  string
+		desc            string
+		expected        http.Header
+		reqHost         string
+		internalReqHost string
 	}{
 		{
 			desc: "Feature-Policy Set",
 			expected: http.Header{
 				"Feature-Policy": {"vibrate 'none';"},
 			},
-			reqHost: "test.localhost",
+			reqHost:         "test.localhost",
+			internalReqHost: "internal.localhost",
 		},
 	}
 
@@ -149,7 +151,14 @@ func (s *HeadersSuite) TestSecureHeadersResponses(c *check.C) {
 		c.Assert(err, checker.IsNil)
 		req.Host = test.reqHost
 
-		err = try.Request(req, 500*time.Millisecond, try.HasHeaderStruct(test.expected))
+		err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasHeaderStruct(test.expected))
+		c.Assert(err, checker.IsNil)
+
+		req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/api/rawdata", nil)
+		c.Assert(err, checker.IsNil)
+		req.Host = test.internalReqHost
+
+		err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK), try.HasHeaderStruct(test.expected))
 		c.Assert(err, checker.IsNil)
 	}
 }

integration/healthcheck_test.go

@@ -11,7 +11,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// HealthCheck test suites (using libcompose)
+// HealthCheck test suites (using libcompose).
 type HealthCheckSuite struct {
 	BaseSuite
 	whoami1IP string
@@ -206,7 +206,7 @@ func (s *HealthCheckSuite) TestPortOverload(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }
 
-// Checks if all the loadbalancers created will correctly update the server status
+// Checks if all the loadbalancers created will correctly update the server status.
 func (s *HealthCheckSuite) TestMultipleRoutersOnSameService(c *check.C) {
 	file := s.adaptFile(c, "fixtures/healthcheck/multiple-routers-one-same-service.toml", struct {
 		Server1 string

integration/helloworld/helloworld.pb.go

@@ -15,9 +15,11 @@ It has these top-level messages:
 */
 package helloworld
 
-import proto "github.com/golang/protobuf/proto"
-import fmt "fmt"
-import math "math"
+import (
+	proto "github.com/golang/protobuf/proto"
+	fmt "fmt"
+	math "math"
+)
 
 import (
 	context "context"
@@ -26,9 +28,11 @@ import (
 )
 
 // Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
+var (
+	_ = proto.Marshal
+	_ = fmt.Errorf
+	_ = math.Inf
+)
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the proto package it is being compiled against.
@@ -102,8 +106,10 @@ func init() {
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
-var _ context.Context
-var _ grpc.ClientConn
+var (
+	_ context.Context
+	_ grpc.ClientConn
+)
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.

integration/https_test.go

@@ -18,7 +18,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// HTTPSSuite
+// HTTPSSuite tests suite.
 type HTTPSSuite struct{ BaseSuite }
 
 // TestWithSNIConfigHandshake involves a client sending a SNI hostname of
@@ -441,7 +441,7 @@ func (s *HTTPSSuite) TestWithOverlappingDynamicCertificate(c *check.C) {
 }
 
 // TestWithClientCertificateAuthentication
-// The client can send a certificate signed by a CA trusted by the server but it's optional
+// The client can send a certificate signed by a CA trusted by the server but it's optional.
 func (s *HTTPSSuite) TestWithClientCertificateAuthentication(c *check.C) {
 	file := s.adaptFile(c, "fixtures/https/clientca/https_1ca1config.toml", struct{}{})
 	defer os.Remove(file)
@@ -499,7 +499,7 @@ func (s *HTTPSSuite) TestWithClientCertificateAuthentication(c *check.C) {
 }
 
 // TestWithClientCertificateAuthentication
-// Use two CA:s and test that clients with client signed by either of them can connect
+// Use two CA:s and test that clients with client signed by either of them can connect.
 func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipleCAs(c *check.C) {
 	server1 := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { _, _ = rw.Write([]byte("server1")) }))
 	server2 := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { _, _ = rw.Write([]byte("server2")) }))
@@ -596,7 +596,7 @@ func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipleCAs(c *check
 }
 
 // TestWithClientCertificateAuthentication
-// Use two CA:s in two different files and test that clients with client signed by either of them can connect
+// Use two CA:s in two different files and test that clients with client signed by either of them can connect.
 func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipleCAsMultipleFiles(c *check.C) {
 	server1 := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { _, _ = rw.Write([]byte("server1")) }))
 	server2 := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { _, _ = rw.Write([]byte("server2")) }))
@@ -956,11 +956,13 @@ func modifyCertificateConfFileContent(c *check.C, certFileName, confFileName str
 	if len(certFileName) > 0 {
 		tlsConf := dynamic.Configuration{
 			TLS: &dynamic.TLSConfiguration{
-				Certificates: []*traefiktls.CertAndStores{{
-					Certificate: traefiktls.Certificate{
-						CertFile: traefiktls.FileOrContent("fixtures/https/" + certFileName + ".cert"),
-						KeyFile:  traefiktls.FileOrContent("fixtures/https/" + certFileName + ".key"),
-					}},
+				Certificates: []*traefiktls.CertAndStores{
+					{
+						Certificate: traefiktls.Certificate{
+							CertFile: traefiktls.FileOrContent("fixtures/https/" + certFileName + ".cert"),
+							KeyFile:  traefiktls.FileOrContent("fixtures/https/" + certFileName + ".key"),
+						},
+					},
 				},
 			},
 		}

integration/integration_test.go

@@ -21,10 +21,12 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-var integration = flag.Bool("integration", false, "run integration tests")
-var container = flag.Bool("container", false, "run container integration tests")
-var host = flag.Bool("host", false, "run host integration tests")
-var showLog = flag.Bool("tlog", false, "always show Traefik logs")
+var (
+	integration = flag.Bool("integration", false, "run integration tests")
+	container   = flag.Bool("container", false, "run container integration tests")
+	host        = flag.Bool("host", false, "run host integration tests")
+	showLog     = flag.Bool("tlog", false, "always show Traefik logs")
+)
 
 func Test(t *testing.T) {
 	if !*integration {

integration/k8s_test.go

@@ -24,7 +24,7 @@ import (
 
 var updateExpected = flag.Bool("update_expected", false, "Update expected files in testdata")
 
-// K8sSuite
+// K8sSuite tests suite.
 type K8sSuite struct{ BaseSuite }
 
 func (s *K8sSuite) SetUpSuite(c *check.C) {
@@ -119,7 +119,7 @@ func testConfiguration(c *check.C, path, apiPort string) {
 	newJSON, err := json.MarshalIndent(rtRepr, "", "\t")
 	c.Assert(err, checker.IsNil)
 
-	err = ioutil.WriteFile(expectedJSON, newJSON, 0644)
+	err = ioutil.WriteFile(expectedJSON, newJSON, 0o644)
 	c.Assert(err, checker.IsNil)
 	c.Errorf("We do not want a passing test in file update mode")
 }
@@ -128,7 +128,7 @@ func matchesConfig(wantConfig string, buf *bytes.Buffer) try.ResponseCondition {
 	return func(res *http.Response) error {
 		body, err := ioutil.ReadAll(res.Body)
 		if err != nil {
-			return fmt.Errorf("failed to read response body: %s", err)
+			return fmt.Errorf("failed to read response body: %w", err)
 		}
 
 		if err := res.Body.Close(); err != nil {

integration/log_rotation_test.go

@@ -16,7 +16,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Log rotation integration test suite
+// Log rotation integration test suite.
 type LogRotationSuite struct{ BaseSuite }
 
 func (s *LogRotationSuite) SetUpSuite(c *check.C) {

integration/marathon15_test.go

@@ -12,7 +12,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Marathon test suites (using libcompose)
+// Marathon test suites (using libcompose).
 type MarathonSuite15 struct {
 	BaseSuite
 	marathonURL string
@@ -55,7 +55,7 @@ func (s *MarathonSuite15) extendDockerHostsFile(host, ipAddr string) error {
 	// (See also https://groups.google.com/d/topic/docker-user/JOGE7AnJ3Gw/discussion.)
 	if os.Getenv("CONTAINER") == "DOCKER" {
 		// We are running inside a container -- extend the hosts file.
-		file, err := os.OpenFile(hostsFile, os.O_APPEND|os.O_WRONLY, 0600)
+		file, err := os.OpenFile(hostsFile, os.O_APPEND|os.O_WRONLY, 0o600)
 		if err != nil {
 			return err
 		}

integration/marathon_test.go

@@ -17,7 +17,7 @@ const (
 	containerNameMarathon   = "marathon"
 )
 
-// Marathon test suites (using libcompose)
+// Marathon test suites (using libcompose).
 type MarathonSuite struct {
 	BaseSuite
 	marathonURL string
@@ -60,7 +60,7 @@ func (s *MarathonSuite) extendDockerHostsFile(host, ipAddr string) error {
 	// (See also https://groups.google.com/d/topic/docker-user/JOGE7AnJ3Gw/discussion.)
 	if os.Getenv("CONTAINER") == "DOCKER" {
 		// We are running inside a container -- extend the hosts file.
-		file, err := os.OpenFile(hostsFile, os.O_APPEND|os.O_WRONLY, 0600)
+		file, err := os.OpenFile(hostsFile, os.O_APPEND|os.O_WRONLY, 0o600)
 		if err != nil {
 			return err
 		}

integration/redis_test.go

@@ -19,7 +19,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Redis test suites (using libcompose)
+// Redis test suites (using libcompose).
 type RedisSuite struct {
 	BaseSuite
 	kvClient store.Store
@@ -138,7 +138,7 @@ func (s *RedisSuite) TestSimpleConfiguration(c *check.C) {
 	expectedJSON := filepath.FromSlash("testdata/rawdata-redis.json")
 
 	if *updateExpected {
-		err = ioutil.WriteFile(expectedJSON, got, 0666)
+		err = ioutil.WriteFile(expectedJSON, got, 0o666)
 		c.Assert(err, checker.IsNil)
 	}
 

integration/simple_test.go

@@ -20,7 +20,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// SimpleSuite
+// SimpleSuite tests suite.
 type SimpleSuite struct{ BaseSuite }
 
 func (s *SimpleSuite) TestInvalidConfigShouldFail(c *check.C) {

integration/testdata/rawdata-consul.json

@@ -86,7 +86,7 @@
     },
     "dashboard_redirect@internal": {
       "redirectRegex": {
-        "regex": "^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$",
+        "regex": "^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$",
         "replacement": "${1}/dashboard/",
         "permanent": true
       },

integration/testdata/rawdata-etcd.json

@@ -86,7 +86,7 @@
     },
     "dashboard_redirect@internal": {
       "redirectRegex": {
-        "regex": "^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$",
+        "regex": "^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$",
         "replacement": "${1}/dashboard/",
         "permanent": true
       },

integration/testdata/rawdata-ingress.json

@@ -54,7 +54,7 @@
 	"middlewares": {
 		"dashboard_redirect@internal": {
 			"redirectRegex": {
-				"regex": "^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$",
+				"regex": "^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$",
 				"replacement": "${1}/dashboard/",
 				"permanent": true
 			},

integration/testdata/rawdata-redis.json

@@ -86,7 +86,7 @@
     },
     "dashboard_redirect@internal": {
       "redirectRegex": {
-        "regex": "^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$",
+        "regex": "^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$",
         "replacement": "${1}/dashboard/",
         "permanent": true
       },

integration/testdata/rawdata-zk.json

@@ -86,7 +86,7 @@
     },
     "dashboard_redirect@internal": {
       "redirectRegex": {
-        "regex": "^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$",
+        "regex": "^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$",
         "replacement": "${1}/dashboard/",
         "permanent": true
       },

integration/try/condition.go

@@ -12,18 +12,16 @@ import (
 )
 
 // ResponseCondition is a retry condition function.
-// It receives a response, and returns an error
-// if the response failed the condition.
+// It receives a response, and returns an error if the response failed the condition.
 type ResponseCondition func(*http.Response) error
 
 // BodyContains returns a retry condition function.
-// The condition returns an error if the request body does not contain all the given
-// strings.
+// The condition returns an error if the request body does not contain all the given strings.
 func BodyContains(values ...string) ResponseCondition {
 	return func(res *http.Response) error {
 		body, err := ioutil.ReadAll(res.Body)
 		if err != nil {
-			return fmt.Errorf("failed to read response body: %s", err)
+			return fmt.Errorf("failed to read response body: %w", err)
 		}
 
 		for _, value := range values {
@@ -36,13 +34,12 @@ func BodyContains(values ...string) ResponseCondition {
 }
 
 // BodyNotContains returns a retry condition function.
-// The condition returns an error if the request body  contain one of the given
-// strings.
+// The condition returns an error if the request body  contain one of the given strings.
 func BodyNotContains(values ...string) ResponseCondition {
 	return func(res *http.Response) error {
 		body, err := ioutil.ReadAll(res.Body)
 		if err != nil {
-			return fmt.Errorf("failed to read response body: %s", err)
+			return fmt.Errorf("failed to read response body: %w", err)
 		}
 
 		for _, value := range values {
@@ -55,13 +52,12 @@ func BodyNotContains(values ...string) ResponseCondition {
 }
 
 // BodyContainsOr returns a retry condition function.
-// The condition returns an error if the request body does not contain one of the given
-// strings.
+// The condition returns an error if the request body does not contain one of the given strings.
 func BodyContainsOr(values ...string) ResponseCondition {
 	return func(res *http.Response) error {
 		body, err := ioutil.ReadAll(res.Body)
 		if err != nil {
-			return fmt.Errorf("failed to read response body: %s", err)
+			return fmt.Errorf("failed to read response body: %w", err)
 		}
 
 		for _, value := range values {
@@ -79,7 +75,7 @@ func HasBody() ResponseCondition {
 	return func(res *http.Response) error {
 		body, err := ioutil.ReadAll(res.Body)
 		if err != nil {
-			return fmt.Errorf("failed to read response body: %s", err)
+			return fmt.Errorf("failed to read response body: %w", err)
 		}
 
 		if len(body) == 0 {
@@ -182,11 +178,11 @@ func HasHeaderStruct(header http.Header) ResponseCondition {
 }
 
 // DoCondition is a retry condition function.
-// It returns an error
+// It returns an error.
 type DoCondition func() error
 
 // KVExists is a retry condition function.
-// Verify if a Key exists in the store
+// Verify if a Key exists in the store.
 func KVExists(kv store.Store, key string) DoCondition {
 	return func() error {
 		_, err := kv.Exists(key, nil)

integration/try/try.go

@@ -115,7 +115,7 @@ func Do(timeout time.Duration, operation DoCondition) error {
 		select {
 		case <-stopTimer.C:
 			fmt.Println("-")
-			return fmt.Errorf("try operation failed: %s", err)
+			return fmt.Errorf("try operation failed: %w", err)
 		case <-retryTick.C:
 			fmt.Print("*")
 			if err = operation(); err == nil {

integration/websocket_test.go

@@ -18,11 +18,11 @@ import (
 	"golang.org/x/net/websocket"
 )
 
-// WebsocketSuite
+// WebsocketSuite tests suite.
 type WebsocketSuite struct{ BaseSuite }
 
 func (s *WebsocketSuite) TestBase(c *check.C) {
-	var upgrader = gorillawebsocket.Upgrader{} // use default options
+	upgrader := gorillawebsocket.Upgrader{} // use default options
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		c, err := upgrader.Upgrade(w, r, nil)
@@ -72,7 +72,7 @@ func (s *WebsocketSuite) TestBase(c *check.C) {
 }
 
 func (s *WebsocketSuite) TestWrongOrigin(c *check.C) {
-	var upgrader = gorillawebsocket.Upgrader{} // use default options
+	upgrader := gorillawebsocket.Upgrader{} // use default options
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		c, err := upgrader.Upgrade(w, r, nil)
@@ -122,7 +122,7 @@ func (s *WebsocketSuite) TestWrongOrigin(c *check.C) {
 
 func (s *WebsocketSuite) TestOrigin(c *check.C) {
 	// use default options
-	var upgrader = gorillawebsocket.Upgrader{}
+	upgrader := gorillawebsocket.Upgrader{}
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		c, err := upgrader.Upgrade(w, r, nil)
@@ -180,7 +180,7 @@ func (s *WebsocketSuite) TestOrigin(c *check.C) {
 }
 
 func (s *WebsocketSuite) TestWrongOriginIgnoredByServer(c *check.C) {
-	var upgrader = gorillawebsocket.Upgrader{CheckOrigin: func(r *http.Request) bool {
+	upgrader := gorillawebsocket.Upgrader{CheckOrigin: func(r *http.Request) bool {
 		return true
 	}}
 
@@ -240,7 +240,7 @@ func (s *WebsocketSuite) TestWrongOriginIgnoredByServer(c *check.C) {
 }
 
 func (s *WebsocketSuite) TestSSLTermination(c *check.C) {
-	var upgrader = gorillawebsocket.Upgrader{} // use default options
+	upgrader := gorillawebsocket.Upgrader{} // use default options
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		c, err := upgrader.Upgrade(w, r, nil)
@@ -297,11 +297,10 @@ func (s *WebsocketSuite) TestSSLTermination(c *check.C) {
 }
 
 func (s *WebsocketSuite) TestBasicAuth(c *check.C) {
-	var upgrader = gorillawebsocket.Upgrader{} // use default options
+	upgrader := gorillawebsocket.Upgrader{} // use default options
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		conn, err := upgrader.Upgrade(w, r, nil)
-
 		if err != nil {
 			return
 		}
@@ -390,7 +389,7 @@ func (s *WebsocketSuite) TestSpecificResponseFromBackend(c *check.C) {
 }
 
 func (s *WebsocketSuite) TestURLWithURLEncodedChar(c *check.C) {
-	var upgrader = gorillawebsocket.Upgrader{} // use default options
+	upgrader := gorillawebsocket.Upgrader{} // use default options
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		c.Assert(r.URL.EscapedPath(), check.Equals, "/ws/http%3A%2F%2Ftest")
@@ -441,7 +440,7 @@ func (s *WebsocketSuite) TestURLWithURLEncodedChar(c *check.C) {
 }
 
 func (s *WebsocketSuite) TestSSLhttp2(c *check.C) {
-	var upgrader = gorillawebsocket.Upgrader{} // use default options
+	upgrader := gorillawebsocket.Upgrader{} // use default options
 
 	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		c, err := upgrader.Upgrade(w, r, nil)
@@ -504,7 +503,7 @@ func (s *WebsocketSuite) TestSSLhttp2(c *check.C) {
 }
 
 func (s *WebsocketSuite) TestHeaderAreForwared(c *check.C) {
-	var upgrader = gorillawebsocket.Upgrader{} // use default options
+	upgrader := gorillawebsocket.Upgrader{} // use default options
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		c.Assert(r.Header.Get("X-Token"), check.Equals, "my-token")

integration/zk_test.go

@@ -19,7 +19,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Zk test suites (using libcompose)
+// Zk test suites (using libcompose).
 type ZookeeperSuite struct {
 	BaseSuite
 	kvClient store.Store
@@ -138,7 +138,7 @@ func (s *ZookeeperSuite) TestSimpleConfiguration(c *check.C) {
 	expectedJSON := filepath.FromSlash("testdata/rawdata-zk.json")
 
 	if *updateExpected {
-		err = ioutil.WriteFile(expectedJSON, got, 0666)
+		err = ioutil.WriteFile(expectedJSON, got, 0o666)
 		c.Assert(err, checker.IsNil)
 	}
 

internal/gendoc.go

@@ -24,7 +24,7 @@ func main() {
 	genKVDynConfDoc("./docs/content/reference/dynamic-configuration/kv-ref.md")
 }
 
-func genStaticConfDoc(outputFile string, prefix string, encodeFn func(interface{}) ([]parser.Flat, error)) {
+func genStaticConfDoc(outputFile, prefix string, encodeFn func(interface{}) ([]parser.Flat, error)) {
 	logger := log.WithoutContext().WithField("file", outputFile)
 
 	element := &static.Configuration{}
@@ -41,7 +41,7 @@ func genStaticConfDoc(outputFile string, prefix string, encodeFn func(interface{
 		logger.Fatal(err)
 	}
 
-	file, err := os.OpenFile(outputFile, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
+	file, err := os.OpenFile(outputFile, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o666)
 	if err != nil {
 		logger.Fatal(err)
 	}

pkg/anonymize/anonymize.go

@@ -15,7 +15,7 @@ const (
 	maskLarge = maskShort + maskShort + maskShort + maskShort + maskShort + maskShort + maskShort + maskShort
 )
 
-// Do configuration.
+// Do sends configuration.
 func Do(baseConfig interface{}, indent bool) (string, error) {
 	anomConfig, err := copystructure.Copy(baseConfig)
 	if err != nil {
@@ -120,7 +120,7 @@ func reset(field reflect.Value, name string) error {
 	return nil
 }
 
-// isExported return true is a struct field is exported, else false
+// isExported return true is a struct field is exported, else false.
 func isExported(f reflect.StructField) bool {
 	if f.PkgPath != "" && !f.Anonymous {
 		return false

pkg/anonymize/anonymize_doOnStruct_test.go

@@ -11,6 +11,7 @@ type Courgette struct {
 	Ji string
 	Ho string
 }
+
 type Tomate struct {
 	Ji string
 	Ho string

pkg/api/dashboard.go

@@ -8,12 +8,12 @@ import (
 	"github.com/gorilla/mux"
 )
 
-// DashboardHandler expose dashboard routes
+// DashboardHandler expose dashboard routes.
 type DashboardHandler struct {
 	Assets *assetfs.AssetFS
 }
 
-// Append add dashboard routes on a router
+// Append add dashboard routes on a router.
 func (g DashboardHandler) Append(router *mux.Router) {
 	if g.Assets == nil {
 		log.WithoutContext().Error("No assets for dashboard")

pkg/api/debug.go

@@ -19,10 +19,10 @@ func goroutines() interface{} {
 	return runtime.NumGoroutine()
 }
 
-// DebugHandler expose debug routes
+// DebugHandler expose debug routes.
 type DebugHandler struct{}
 
-// Append add debug routes on a router
+// Append add debug routes on a router.
 func (g DebugHandler) Append(router *mux.Router) {
 	router.Methods(http.MethodGet).Path("/debug/vars").
 		HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {

pkg/api/handler.go

@@ -55,7 +55,7 @@ type Handler struct {
 	runtimeConfiguration *runtime.Configuration
 }
 
-// NewBuilder returns a http.Handler builder based on runtime.Configuration
+// NewBuilder returns a http.Handler builder based on runtime.Configuration.
 func NewBuilder(staticConfig static.Configuration) func(*runtime.Configuration) http.Handler {
 	return func(configuration *runtime.Configuration) http.Handler {
 		return New(staticConfig, configuration).createRouter()

pkg/api/handler_entrypoint_test.go

@@ -226,7 +226,7 @@ func TestHandler_EntryPoints(t *testing.T) {
 				newJSON, err := json.MarshalIndent(results, "", "\t")
 				require.NoError(t, err)
 
-				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0644)
+				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0o644)
 				require.NoError(t, err)
 			}
 

pkg/api/handler_http_test.go

@@ -840,7 +840,7 @@ func TestHandler_HTTP(t *testing.T) {
 				newJSON, err := json.MarshalIndent(results, "", "\t")
 				require.NoError(t, err)
 
-				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0644)
+				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0o644)
 				require.NoError(t, err)
 			}
 

pkg/api/handler_overview_test.go

@@ -277,7 +277,7 @@ func TestHandler_Overview(t *testing.T) {
 				newJSON, err := json.MarshalIndent(results, "", "\t")
 				require.NoError(t, err)
 
-				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0644)
+				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0o644)
 				require.NoError(t, err)
 			}
 

pkg/api/handler_tcp_test.go

@@ -548,7 +548,7 @@ func TestHandler_TCP(t *testing.T) {
 				newJSON, err := json.MarshalIndent(results, "", "\t")
 				require.NoError(t, err)
 
-				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0644)
+				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0o644)
 				require.NoError(t, err)
 			}
 

pkg/api/handler_test.go

@@ -161,7 +161,7 @@ func TestHandler_RawData(t *testing.T) {
 				newJSON, err := json.MarshalIndent(rtRepr, "", "\t")
 				require.NoError(t, err)
 
-				err = ioutil.WriteFile(test.expected.json, newJSON, 0644)
+				err = ioutil.WriteFile(test.expected.json, newJSON, 0o644)
 				require.NoError(t, err)
 			}
 

pkg/api/handler_udp_test.go

@@ -525,7 +525,7 @@ func TestHandler_UDP(t *testing.T) {
 				newJSON, err := json.MarshalIndent(results, "", "\t")
 				require.NoError(t, err)
 
-				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0644)
+				err = ioutil.WriteFile(test.expected.jsonFile, newJSON, 0o644)
 				require.NoError(t, err)
 			}
 

pkg/cli/commands.go

@@ -55,7 +55,7 @@ func execute(cmd *Command, args []string, root bool) error {
 	// Calls command without args.
 	if len(args) == 1 {
 		if err := run(cmd, args[1:]); err != nil {
-			return fmt.Errorf("command %s error: %v", args[0], err)
+			return fmt.Errorf("command %s error: %w", args[0], err)
 		}
 		return nil
 	}
@@ -65,7 +65,7 @@ func execute(cmd *Command, args []string, root bool) error {
 	// then we run the top level command itself.
 	if root && cmd.Name != args[1] && !contains(cmd.subCommands, args[1]) {
 		if err := run(cmd, args[1:]); err != nil {
-			return fmt.Errorf("command %s error: %v", filepath.Base(args[0]), err)
+			return fmt.Errorf("command %s error: %w", filepath.Base(args[0]), err)
 		}
 		return nil
 	}
@@ -74,7 +74,7 @@ func execute(cmd *Command, args []string, root bool) error {
 	if len(args) >= 2 && cmd.Name == args[1] {
 		if len(args) < 3 || !contains(cmd.subCommands, args[2]) {
 			if err := run(cmd, args[2:]); err != nil {
-				return fmt.Errorf("command %s error: %v", cmd.Name, err)
+				return fmt.Errorf("command %s error: %w", cmd.Name, err)
 			}
 			return nil
 		}
@@ -83,7 +83,7 @@ func execute(cmd *Command, args []string, root bool) error {
 	// No sub-command, calls the current command.
 	if len(cmd.subCommands) == 0 {
 		if err := run(cmd, args[1:]); err != nil {
-			return fmt.Errorf("command %s error: %v", cmd.Name, err)
+			return fmt.Errorf("command %s error: %w", cmd.Name, err)
 		}
 		return nil
 	}

pkg/cli/loader_env.go

@@ -21,7 +21,7 @@ func (e *EnvLoader) Load(_ []string, cmd *Command) (bool, error) {
 
 	if err := env.Decode(vars, env.DefaultNamePrefix, cmd.Configuration); err != nil {
 		log.WithoutContext().Debug("environment variables", strings.Join(vars, ", "))
-		return false, fmt.Errorf("failed to decode configuration from environment variables: %v ", err)
+		return false, fmt.Errorf("failed to decode configuration from environment variables: %w ", err)
 	}
 
 	log.WithoutContext().Println("Configuration loaded from environment variables.")

pkg/cli/loader_flag.go

@@ -17,7 +17,7 @@ func (*FlagLoader) Load(args []string, cmd *Command) (bool, error) {
 	}
 
 	if err := flag.Decode(args, cmd.Configuration); err != nil {
-		return false, fmt.Errorf("failed to decode configuration from flags: %v", err)
+		return false, fmt.Errorf("failed to decode configuration from flags: %w", err)
 	}
 
 	log.WithoutContext().Println("Configuration loaded from flags.")

pkg/collector/collector.go

@@ -16,10 +16,10 @@ import (
 	"github.com/mitchellh/hashstructure"
 )
 
-// collectorURL URL where the stats are send
+// collectorURL URL where the stats are send.
 const collectorURL = "https://collect.traefik.io/9vxmmkcdmalbdi635d4jgc5p5rx0h7h8"
 
-// Collected data
+// Collected data.
 type data struct {
 	Version       string
 	Codename      string

pkg/config/dynamic/config.go

@@ -19,7 +19,7 @@ type Configurations map[string]*Configuration
 
 // +k8s:deepcopy-gen=true
 
-// Configuration is the root of the dynamic configuration
+// Configuration is the root of the dynamic configuration.
 type Configuration struct {
 	HTTP *HTTPConfiguration `json:"http,omitempty" toml:"http,omitempty" yaml:"http,omitempty"`
 	TCP  *TCPConfiguration  `json:"tcp,omitempty" toml:"tcp,omitempty" yaml:"tcp,omitempty"`

pkg/config/dynamic/http_config.go

@@ -47,7 +47,7 @@ type Router struct {
 
 // +k8s:deepcopy-gen=true
 
-// RouterTLSConfig holds the TLS configuration for a router
+// RouterTLSConfig holds the TLS configuration for a router.
 type RouterTLSConfig struct {
 	Options      string         `json:"options,omitempty" toml:"options,omitempty" yaml:"options,omitempty"`
 	CertResolver string         `json:"certResolver,omitempty" toml:"certResolver,omitempty" yaml:"certResolver,omitempty"`

pkg/config/dynamic/middlewares.go

@@ -95,7 +95,7 @@ type Buffering struct {
 
 // +k8s:deepcopy-gen=true
 
-// Chain holds a chain of middlewares
+// Chain holds a chain of middlewares.
 type Chain struct {
 	Middlewares []string `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty"`
 }
@@ -191,13 +191,13 @@ type Headers struct {
 	IsDevelopment           bool              `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty"`
 }
 
-// HasCustomHeadersDefined checks to see if any of the custom header elements have been set
+// HasCustomHeadersDefined checks to see if any of the custom header elements have been set.
 func (h *Headers) HasCustomHeadersDefined() bool {
 	return h != nil && (len(h.CustomResponseHeaders) != 0 ||
 		len(h.CustomRequestHeaders) != 0)
 }
 
-// HasCorsHeadersDefined checks to see if any of the cors header elements have been set
+// HasCorsHeadersDefined checks to see if any of the cors header elements have been set.
 func (h *Headers) HasCorsHeadersDefined() bool {
 	return h != nil && (h.AccessControlAllowCredentials ||
 		len(h.AccessControlAllowHeaders) != 0 ||
@@ -208,7 +208,7 @@ func (h *Headers) HasCorsHeadersDefined() bool {
 		h.AddVaryHeader)
 }
 
-// HasSecureHeadersDefined checks to see if any of the secure header elements have been set
+// HasSecureHeadersDefined checks to see if any of the secure header elements have been set.
 func (h *Headers) HasSecureHeadersDefined() bool {
 	return h != nil && (len(h.AllowedHosts) != 0 ||
 		len(h.HostsProxyHeaders) != 0 ||
@@ -245,7 +245,7 @@ type IPStrategy struct {
 // Get an IP selection strategy.
 // If nil return the RemoteAddr strategy
 // else return a strategy base on the configuration using the X-Forwarded-For Header.
-// Depth override the ExcludedIPs
+// Depth override the ExcludedIPs.
 func (s *IPStrategy) Get() (ip.Strategy, error) {
 	if s == nil {
 		return &ip.RemoteAddrStrategy{}, nil
@@ -420,7 +420,7 @@ type TLSCLientCertificateDNInfo struct {
 
 // +k8s:deepcopy-gen=true
 
-// Users holds a list of users
+// Users holds a list of users.
 type Users []string
 
 // +k8s:deepcopy-gen=true
@@ -449,7 +449,7 @@ func (c *ClientTLS) CreateTLSConfig() (*tls.Config, error) {
 		if _, errCA := os.Stat(c.CA); errCA == nil {
 			ca, err = ioutil.ReadFile(c.CA)
 			if err != nil {
-				return nil, fmt.Errorf("failed to read CA. %s", err)
+				return nil, fmt.Errorf("failed to read CA. %w", err)
 			}
 		} else {
 			ca = []byte(c.CA)
@@ -478,7 +478,7 @@ func (c *ClientTLS) CreateTLSConfig() (*tls.Config, error) {
 			if errKeyIsFile == nil {
 				cert, err = tls.LoadX509KeyPair(c.Cert, c.Key)
 				if err != nil {
-					return nil, fmt.Errorf("failed to load TLS keypair: %v", err)
+					return nil, fmt.Errorf("failed to load TLS keypair: %w", err)
 				}
 			} else {
 				return nil, fmt.Errorf("tls cert is a file, but tls key is not")
@@ -487,7 +487,7 @@ func (c *ClientTLS) CreateTLSConfig() (*tls.Config, error) {
 			if errKeyIsFile != nil {
 				cert, err = tls.X509KeyPair([]byte(c.Cert), []byte(c.Key))
 				if err != nil {
-					return nil, fmt.Errorf("failed to load TLS keypair: %v", err)
+					return nil, fmt.Errorf("failed to load TLS keypair: %w", err)
 				}
 			} else {
 				return nil, fmt.Errorf("TLS key is a file, but tls cert is not")

pkg/config/dynamic/tcp_config.go

@@ -55,7 +55,7 @@ type TCPRouter struct {
 
 // +k8s:deepcopy-gen=true
 
-// RouterTCPTLSConfig holds the TLS configuration for a router
+// RouterTCPTLSConfig holds the TLS configuration for a router.
 type RouterTCPTLSConfig struct {
 	Passthrough  bool           `json:"passthrough" toml:"passthrough" yaml:"passthrough"`
 	Options      string         `json:"options,omitempty" toml:"options,omitempty" yaml:"options,omitempty"`
@@ -76,7 +76,7 @@ type TCPServersLoadBalancer struct {
 	Servers          []TCPServer `json:"servers,omitempty" toml:"servers,omitempty" yaml:"servers,omitempty" label-slice-as-struct:"server"`
 }
 
-// SetDefaults Default values for a TCPServersLoadBalancer
+// SetDefaults Default values for a TCPServersLoadBalancer.
 func (l *TCPServersLoadBalancer) SetDefaults() {
 	defaultTerminationDelay := 100 // in milliseconds
 	l.TerminationDelay = &defaultTerminationDelay
@@ -101,7 +101,7 @@ func (l *TCPServersLoadBalancer) Mergeable(loadBalancer *TCPServersLoadBalancer)
 
 // +k8s:deepcopy-gen=true
 
-// TCPServer holds a TCP Server configuration
+// TCPServer holds a TCP Server configuration.
 type TCPServer struct {
 	Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty" label:"-"`
 	Port    string `toml:"-" json:"-" yaml:"-"`

pkg/config/env/env.go

@@ -17,7 +17,7 @@ const DefaultNamePrefix = "TRAEFIK_"
 // env vars -> map
 // map -> tree of untyped nodes
 // untyped nodes -> nodes augmented with metadata such as kind (inferred from element)
-// "typed" nodes -> typed element
+// "typed" nodes -> typed element.
 func Decode(environ []string, prefix string, element interface{}) error {
 	if err := checkPrefix(prefix); err != nil {
 		return err
@@ -40,7 +40,7 @@ func Decode(environ []string, prefix string, element interface{}) error {
 // The operation goes through three stages roughly summarized as:
 // typed configuration in element -> tree of untyped nodes
 // untyped nodes -> nodes augmented with metadata such as kind (inferred from element)
-// "typed" nodes -> environment variables with default values (determined by type/kind)
+// "typed" nodes -> environment variables with default values (determined by type/kind).
 func Encode(element interface{}) ([]parser.Flat, error) {
 	if element == nil {
 		return nil, nil

pkg/config/file/file.go

@@ -9,7 +9,7 @@ import (
 // The operation goes through three stages roughly summarized as:
 // file contents -> tree of untyped nodes
 // untyped nodes -> nodes augmented with metadata such as kind (inferred from element)
-// "typed" nodes -> typed element
+// "typed" nodes -> typed element.
 func Decode(filePath string, element interface{}) error {
 	if element == nil {
 		return nil

pkg/config/file/file_node_test.go

@@ -100,25 +100,34 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 						{Name: "defaultMode", Value: "foobar"},
 						{Name: "names", Children: []*parser.Node{
 							{Name: "name0", Value: "foobar"},
-							{Name: "name1", Value: "foobar"}}}}},
+							{Name: "name1", Value: "foobar"},
+						}},
+					}},
 					{Name: "names", Children: []*parser.Node{
 						{Name: "name0", Value: "foobar"},
-						{Name: "name1", Value: "foobar"}}}}},
+						{Name: "name1", Value: "foobar"},
+					}},
+				}},
 				{Name: "filePath", Value: "foobar"},
 				{Name: "filters", Children: []*parser.Node{
 					{Name: "minDuration", Value: "42"},
 					{Name: "retryAttempts", Value: "true"},
-					{Name: "statusCodes", Value: "foobar,foobar"}}},
-				{Name: "format", Value: "foobar"}}},
+					{Name: "statusCodes", Value: "foobar,foobar"},
+				}},
+				{Name: "format", Value: "foobar"},
+			}},
 			{Name: "api", Children: []*parser.Node{
 				{Name: "dashboard", Value: "true"},
 				{Name: "entryPoint", Value: "foobar"},
 				{Name: "middlewares", Value: "foobar,foobar"},
 				{Name: "statistics", Children: []*parser.Node{
-					{Name: "recentErrors", Value: "42"}}}}},
+					{Name: "recentErrors", Value: "42"},
+				}},
+			}},
 			{Name: "certificatesResolvers", Children: []*parser.Node{
 				{Name: "default", Children: []*parser.Node{
-					{Name: "acme",
+					{
+						Name: "acme",
 						Children: []*parser.Node{
 							{Name: "acmeLogging", Value: "true"},
 							{Name: "caServer", Value: "foobar"},
@@ -131,7 +140,8 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 							{Name: "email", Value: "foobar"},
 							{Name: "entryPoint", Value: "foobar"},
 							{Name: "httpChallenge", Children: []*parser.Node{
-								{Name: "entryPoint", Value: "foobar"}}},
+								{Name: "entryPoint", Value: "foobar"},
+							}},
 							{Name: "keyType", Value: "foobar"},
 							{Name: "storage", Value: "foobar"},
 							{Name: "tlsChallenge"},
@@ -144,33 +154,44 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 					{Name: "address", Value: "foobar"},
 					{Name: "forwardedHeaders", Children: []*parser.Node{
 						{Name: "insecure", Value: "true"},
-						{Name: "trustedIPs", Value: "foobar,foobar"}}},
+						{Name: "trustedIPs", Value: "foobar,foobar"},
+					}},
 					{Name: "proxyProtocol", Children: []*parser.Node{
 						{Name: "insecure", Value: "true"},
-						{Name: "trustedIPs", Value: "foobar,foobar"}}},
+						{Name: "trustedIPs", Value: "foobar,foobar"},
+					}},
 					{Name: "transport", Children: []*parser.Node{
 						{Name: "lifeCycle", Children: []*parser.Node{
 							{Name: "graceTimeOut", Value: "42"},
-							{Name: "requestAcceptGraceTimeout", Value: "42"}}},
+							{Name: "requestAcceptGraceTimeout", Value: "42"},
+						}},
 						{Name: "respondingTimeouts", Children: []*parser.Node{
 							{Name: "idleTimeout", Value: "42"},
 							{Name: "readTimeout", Value: "42"},
-							{Name: "writeTimeout", Value: "42"}}}}}}}}},
+							{Name: "writeTimeout", Value: "42"},
+						}},
+					}},
+				}},
+			}},
 			{Name: "global", Children: []*parser.Node{
 				{Name: "checkNewVersion", Value: "true"},
-				{Name: "sendAnonymousUsage", Value: "true"}}},
+				{Name: "sendAnonymousUsage", Value: "true"},
+			}},
 			{Name: "hostResolver", Children: []*parser.Node{
 				{Name: "cnameFlattening", Value: "true"},
 				{Name: "resolvConfig", Value: "foobar"},
-				{Name: "resolvDepth", Value: "42"}}},
+				{Name: "resolvDepth", Value: "42"},
+			}},
 			{Name: "log", Children: []*parser.Node{
 				{Name: "filePath", Value: "foobar"},
 				{Name: "format", Value: "foobar"},
-				{Name: "level", Value: "foobar"}}},
+				{Name: "level", Value: "foobar"},
+			}},
 			{Name: "metrics", Children: []*parser.Node{
 				{Name: "datadog", Children: []*parser.Node{
 					{Name: "address", Value: "foobar"},
-					{Name: "pushInterval", Value: "10s"}}},
+					{Name: "pushInterval", Value: "10s"},
+				}},
 				{Name: "influxDB", Children: []*parser.Node{
 					{Name: "address", Value: "foobar"},
 					{Name: "database", Value: "foobar"},
@@ -178,17 +199,22 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 					{Name: "protocol", Value: "foobar"},
 					{Name: "pushInterval", Value: "10s"},
 					{Name: "retentionPolicy", Value: "foobar"},
-					{Name: "username", Value: "foobar"}}},
+					{Name: "username", Value: "foobar"},
+				}},
 				{Name: "prometheus", Children: []*parser.Node{
 					{Name: "buckets", Value: "42,42"},
 					{Name: "entryPoint", Value: "foobar"},
-					{Name: "middlewares", Value: "foobar,foobar"}}},
+					{Name: "middlewares", Value: "foobar,foobar"},
+				}},
 				{Name: "statsD", Children: []*parser.Node{
 					{Name: "address", Value: "foobar"},
-					{Name: "pushInterval", Value: "10s"}}}}},
+					{Name: "pushInterval", Value: "10s"},
+				}},
+			}},
 			{Name: "ping", Children: []*parser.Node{
 				{Name: "entryPoint", Value: "foobar"},
-				{Name: "middlewares", Value: "foobar,foobar"}}},
+				{Name: "middlewares", Value: "foobar,foobar"},
+			}},
 			{Name: "providers", Children: []*parser.Node{
 				{Name: "docker", Children: []*parser.Node{
 					{Name: "constraints", Value: "foobar"},
@@ -203,15 +229,19 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 						{Name: "caOptional", Value: "true"},
 						{Name: "cert", Value: "foobar"},
 						{Name: "insecureSkipVerify", Value: "true"},
-						{Name: "key", Value: "foobar"}}},
+						{Name: "key", Value: "foobar"},
+					}},
 					{Name: "useBindPortIP", Value: "true"},
-					{Name: "watch", Value: "true"}}},
+					{Name: "watch", Value: "true"},
+				}},
 				{Name: "file", Children: []*parser.Node{
 					{Name: "debugLogGeneratedTemplate", Value: "true"},
 					{Name: "directory", Value: "foobar"},
 					{Name: "filename", Value: "foobar"},
-					{Name: "watch", Value: "true"}}},
-				{Name: "kubernetesCRD",
+					{Name: "watch", Value: "true"},
+				}},
+				{
+					Name: "kubernetesCRD",
 					Children: []*parser.Node{
 						{Name: "certAuthFilePath", Value: "foobar"},
 						{Name: "disablePassHostHeaders", Value: "true"},
@@ -219,7 +249,9 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 						{Name: "ingressClass", Value: "foobar"},
 						{Name: "labelSelector", Value: "foobar"},
 						{Name: "namespaces", Value: "foobar,foobar"},
-						{Name: "token", Value: "foobar"}}},
+						{Name: "token", Value: "foobar"},
+					},
+				},
 				{Name: "kubernetesIngress", Children: []*parser.Node{
 					{Name: "certAuthFilePath", Value: "foobar"},
 					{Name: "disablePassHostHeaders", Value: "true"},
@@ -228,14 +260,17 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 					{Name: "ingressEndpoint", Children: []*parser.Node{
 						{Name: "hostname", Value: "foobar"},
 						{Name: "ip", Value: "foobar"},
-						{Name: "publishedService", Value: "foobar"}}},
+						{Name: "publishedService", Value: "foobar"},
+					}},
 					{Name: "labelSelector", Value: "foobar"},
 					{Name: "namespaces", Value: "foobar,foobar"},
-					{Name: "token", Value: "foobar"}}},
+					{Name: "token", Value: "foobar"},
+				}},
 				{Name: "marathon", Children: []*parser.Node{
 					{Name: "basic", Children: []*parser.Node{
 						{Name: "httpBasicAuthUser", Value: "foobar"},
-						{Name: "httpBasicPassword", Value: "foobar"}}},
+						{Name: "httpBasicPassword", Value: "foobar"},
+					}},
 					{Name: "constraints", Value: "foobar"},
 					{Name: "dcosToken", Value: "foobar"},
 					{Name: "defaultRule", Value: "foobar"},
@@ -251,10 +286,12 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 						{Name: "caOptional", Value: "true"},
 						{Name: "cert", Value: "foobar"},
 						{Name: "insecureSkipVerify", Value: "true"},
-						{Name: "key", Value: "foobar"}}},
+						{Name: "key", Value: "foobar"},
+					}},
 					{Name: "tlsHandshakeTimeout", Value: "42"},
 					{Name: "trace", Value: "true"},
-					{Name: "watch", Value: "true"}}},
+					{Name: "watch", Value: "true"},
+				}},
 				{Name: "providersThrottleDuration", Value: "42"},
 				{Name: "rancher", Children: []*parser.Node{
 					{Name: "constraints", Value: "foobar"},
@@ -264,17 +301,22 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 					{Name: "intervalPoll", Value: "true"},
 					{Name: "prefix", Value: "foobar"},
 					{Name: "refreshSeconds", Value: "42"},
-					{Name: "watch", Value: "true"}}},
+					{Name: "watch", Value: "true"},
+				}},
 				{Name: "rest", Children: []*parser.Node{
-					{Name: "entryPoint", Value: "foobar"}}}}},
+					{Name: "entryPoint", Value: "foobar"},
+				}},
+			}},
 			{Name: "serversTransport", Children: []*parser.Node{
 				{Name: "forwardingTimeouts", Children: []*parser.Node{
 					{Name: "dialTimeout", Value: "42"},
 					{Name: "idleConnTimeout", Value: "42"},
-					{Name: "responseHeaderTimeout", Value: "42"}}},
+					{Name: "responseHeaderTimeout", Value: "42"},
+				}},
 				{Name: "insecureSkipVerify", Value: "true"},
 				{Name: "maxIdleConnsPerHost", Value: "42"},
-				{Name: "rootCAs", Value: "foobar,foobar"}}},
+				{Name: "rootCAs", Value: "foobar,foobar"},
+			}},
 			{Name: "tracing", Children: []*parser.Node{
 				{Name: "datadog", Children: []*parser.Node{
 					{Name: "bagagePrefixHeaderName", Value: "foobar"},
@@ -284,18 +326,21 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 					{Name: "parentIDHeaderName", Value: "foobar"},
 					{Name: "prioritySampling", Value: "true"},
 					{Name: "samplingPriorityHeaderName", Value: "foobar"},
-					{Name: "traceIDHeaderName", Value: "foobar"}}},
+					{Name: "traceIDHeaderName", Value: "foobar"},
+				}},
 				{Name: "haystack", Children: []*parser.Node{
 					{Name: "globalTag", Value: "foobar"},
 					{Name: "localAgentHost", Value: "foobar"},
 					{Name: "localAgentPort", Value: "42"},
 					{Name: "parentIDHeaderName", Value: "foobar"},
 					{Name: "spanIDHeaderName", Value: "foobar"},
-					{Name: "traceIDHeaderName", Value: "foobar"}}},
+					{Name: "traceIDHeaderName", Value: "foobar"},
+				}},
 				{Name: "instana", Children: []*parser.Node{
 					{Name: "localAgentHost", Value: "foobar"},
 					{Name: "localAgentPort", Value: "42"},
-					{Name: "logLevel", Value: "foobar"}}},
+					{Name: "logLevel", Value: "foobar"},
+				}},
 				{Name: "jaeger", Children: []*parser.Node{
 					{Name: "gen128Bit", Value: "true"},
 					{Name: "localAgentHostPort", Value: "foobar"},
@@ -303,14 +348,17 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 					{Name: "samplingParam", Value: "42"},
 					{Name: "samplingServerURL", Value: "foobar"},
 					{Name: "samplingType", Value: "foobar"},
-					{Name: "traceContextHeaderName", Value: "foobar"}}},
+					{Name: "traceContextHeaderName", Value: "foobar"},
+				}},
 				{Name: "serviceName", Value: "foobar"},
 				{Name: "spanNameLimit", Value: "42"},
 				{Name: "zipkin", Children: []*parser.Node{
 					{Name: "httpEndpoint", Value: "foobar"},
 					{Name: "id128Bit", Value: "true"},
 					{Name: "sameSpan", Value: "true"},
-					{Name: "sampleRate", Value: "42"}}}}},
+					{Name: "sampleRate", Value: "42"},
+				}},
+			}},
 		},
 	}
 
@@ -332,25 +380,34 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 						{Name: "defaultMode", Value: "foobar"},
 						{Name: "names", Children: []*parser.Node{
 							{Name: "name0", Value: "foobar"},
-							{Name: "name1", Value: "foobar"}}}}},
+							{Name: "name1", Value: "foobar"},
+						}},
+					}},
 					{Name: "names", Children: []*parser.Node{
 						{Name: "name0", Value: "foobar"},
-						{Name: "name1", Value: "foobar"}}}}},
+						{Name: "name1", Value: "foobar"},
+					}},
+				}},
 				{Name: "filePath", Value: "foobar"},
 				{Name: "filters", Children: []*parser.Node{
 					{Name: "minDuration", Value: "42"},
 					{Name: "retryAttempts", Value: "true"},
-					{Name: "statusCodes", Value: "foobar,foobar"}}},
-				{Name: "format", Value: "foobar"}}},
+					{Name: "statusCodes", Value: "foobar,foobar"},
+				}},
+				{Name: "format", Value: "foobar"},
+			}},
 			{Name: "api", Children: []*parser.Node{
 				{Name: "dashboard", Value: "true"},
 				{Name: "entryPoint", Value: "foobar"},
 				{Name: "middlewares", Value: "foobar,foobar"},
 				{Name: "statistics", Children: []*parser.Node{
-					{Name: "recentErrors", Value: "42"}}}}},
+					{Name: "recentErrors", Value: "42"},
+				}},
+			}},
 			{Name: "certificatesResolvers", Children: []*parser.Node{
 				{Name: "default", Children: []*parser.Node{
-					{Name: "acme",
+					{
+						Name: "acme",
 						Children: []*parser.Node{
 							{Name: "acmeLogging", Value: "true"},
 							{Name: "caServer", Value: "foobar"},
@@ -363,7 +420,8 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 							{Name: "email", Value: "foobar"},
 							{Name: "entryPoint", Value: "foobar"},
 							{Name: "httpChallenge", Children: []*parser.Node{
-								{Name: "entryPoint", Value: "foobar"}}},
+								{Name: "entryPoint", Value: "foobar"},
+							}},
 							{Name: "keyType", Value: "foobar"},
 							{Name: "storage", Value: "foobar"},
 							{Name: "tlsChallenge"},
@@ -376,33 +434,44 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 					{Name: "address", Value: "foobar"},
 					{Name: "forwardedHeaders", Children: []*parser.Node{
 						{Name: "insecure", Value: "true"},
-						{Name: "trustedIPs", Value: "foobar,foobar"}}},
+						{Name: "trustedIPs", Value: "foobar,foobar"},
+					}},
 					{Name: "proxyProtocol", Children: []*parser.Node{
 						{Name: "insecure", Value: "true"},
-						{Name: "trustedIPs", Value: "foobar,foobar"}}},
+						{Name: "trustedIPs", Value: "foobar,foobar"},
+					}},
 					{Name: "transport", Children: []*parser.Node{
 						{Name: "lifeCycle", Children: []*parser.Node{
 							{Name: "graceTimeOut", Value: "42"},
-							{Name: "requestAcceptGraceTimeout", Value: "42"}}},
+							{Name: "requestAcceptGraceTimeout", Value: "42"},
+						}},
 						{Name: "respondingTimeouts", Children: []*parser.Node{
 							{Name: "idleTimeout", Value: "42"},
 							{Name: "readTimeout", Value: "42"},
-							{Name: "writeTimeout", Value: "42"}}}}}}}}},
+							{Name: "writeTimeout", Value: "42"},
+						}},
+					}},
+				}},
+			}},
 			{Name: "global", Children: []*parser.Node{
 				{Name: "checkNewVersion", Value: "true"},
-				{Name: "sendAnonymousUsage", Value: "true"}}},
+				{Name: "sendAnonymousUsage", Value: "true"},
+			}},
 			{Name: "hostResolver", Children: []*parser.Node{
 				{Name: "cnameFlattening", Value: "true"},
 				{Name: "resolvConfig", Value: "foobar"},
-				{Name: "resolvDepth", Value: "42"}}},
+				{Name: "resolvDepth", Value: "42"},
+			}},
 			{Name: "log", Children: []*parser.Node{
 				{Name: "filePath", Value: "foobar"},
 				{Name: "format", Value: "foobar"},
-				{Name: "level", Value: "foobar"}}},
+				{Name: "level", Value: "foobar"},
+			}},
 			{Name: "metrics", Children: []*parser.Node{
 				{Name: "datadog", Children: []*parser.Node{
 					{Name: "address", Value: "foobar"},
-					{Name: "pushInterval", Value: "10s"}}},
+					{Name: "pushInterval", Value: "10s"},
+				}},
 				{Name: "influxDB", Children: []*parser.Node{
 					{Name: "address", Value: "foobar"},
 					{Name: "database", Value: "foobar"},
@@ -410,17 +479,22 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 					{Name: "protocol", Value: "foobar"},
 					{Name: "pushInterval", Value: "10s"},
 					{Name: "retentionPolicy", Value: "foobar"},
-					{Name: "username", Value: "foobar"}}},
+					{Name: "username", Value: "foobar"},
+				}},
 				{Name: "prometheus", Children: []*parser.Node{
 					{Name: "buckets", Value: "42,42"},
 					{Name: "entryPoint", Value: "foobar"},
-					{Name: "middlewares", Value: "foobar,foobar"}}},
+					{Name: "middlewares", Value: "foobar,foobar"},
+				}},
 				{Name: "statsD", Children: []*parser.Node{
 					{Name: "address", Value: "foobar"},
-					{Name: "pushInterval", Value: "10s"}}}}},
+					{Name: "pushInterval", Value: "10s"},
+				}},
+			}},
 			{Name: "ping", Children: []*parser.Node{
 				{Name: "entryPoint", Value: "foobar"},
-				{Name: "middlewares", Value: "foobar,foobar"}}},
+				{Name: "middlewares", Value: "foobar,foobar"},
+			}},
 			{Name: "providers", Children: []*parser.Node{
 				{Name: "docker", Children: []*parser.Node{
 					{Name: "constraints", Value: "foobar"},
@@ -435,15 +509,19 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 						{Name: "caOptional", Value: "true"},
 						{Name: "cert", Value: "foobar"},
 						{Name: "insecureSkipVerify", Value: "true"},
-						{Name: "key", Value: "foobar"}}},
+						{Name: "key", Value: "foobar"},
+					}},
 					{Name: "useBindPortIP", Value: "true"},
-					{Name: "watch", Value: "true"}}},
+					{Name: "watch", Value: "true"},
+				}},
 				{Name: "file", Children: []*parser.Node{
 					{Name: "debugLogGeneratedTemplate", Value: "true"},
 					{Name: "directory", Value: "foobar"},
 					{Name: "filename", Value: "foobar"},
-					{Name: "watch", Value: "true"}}},
-				{Name: "kubernetesCRD",
+					{Name: "watch", Value: "true"},
+				}},
+				{
+					Name: "kubernetesCRD",
 					Children: []*parser.Node{
 						{Name: "certAuthFilePath", Value: "foobar"},
 						{Name: "disablePassHostHeaders", Value: "true"},
@@ -451,7 +529,9 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 						{Name: "ingressClass", Value: "foobar"},
 						{Name: "labelSelector", Value: "foobar"},
 						{Name: "namespaces", Value: "foobar,foobar"},
-						{Name: "token", Value: "foobar"}}},
+						{Name: "token", Value: "foobar"},
+					},
+				},
 				{Name: "kubernetesIngress", Children: []*parser.Node{
 					{Name: "certAuthFilePath", Value: "foobar"},
 					{Name: "disablePassHostHeaders", Value: "true"},
@@ -460,14 +540,17 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 					{Name: "ingressEndpoint", Children: []*parser.Node{
 						{Name: "hostname", Value: "foobar"},
 						{Name: "ip", Value: "foobar"},
-						{Name: "publishedService", Value: "foobar"}}},
+						{Name: "publishedService", Value: "foobar"},
+					}},
 					{Name: "labelSelector", Value: "foobar"},
 					{Name: "namespaces", Value: "foobar,foobar"},
-					{Name: "token", Value: "foobar"}}},
+					{Name: "token", Value: "foobar"},
+				}},
 				{Name: "marathon", Children: []*parser.Node{
 					{Name: "basic", Children: []*parser.Node{
 						{Name: "httpBasicAuthUser", Value: "foobar"},
-						{Name: "httpBasicPassword", Value: "foobar"}}},
+						{Name: "httpBasicPassword", Value: "foobar"},
+					}},
 					{Name: "constraints", Value: "foobar"},
 					{Name: "dcosToken", Value: "foobar"},
 					{Name: "defaultRule", Value: "foobar"},
@@ -483,10 +566,12 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 						{Name: "caOptional", Value: "true"},
 						{Name: "cert", Value: "foobar"},
 						{Name: "insecureSkipVerify", Value: "true"},
-						{Name: "key", Value: "foobar"}}},
+						{Name: "key", Value: "foobar"},
+					}},
 					{Name: "tlsHandshakeTimeout", Value: "42"},
 					{Name: "trace", Value: "true"},
-					{Name: "watch", Value: "true"}}},
+					{Name: "watch", Value: "true"},
+				}},
 				{Name: "providersThrottleDuration", Value: "42"},
 				{Name: "rancher", Children: []*parser.Node{
 					{Name: "constraints", Value: "foobar"},
@@ -496,17 +581,22 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 					{Name: "intervalPoll", Value: "true"},
 					{Name: "prefix", Value: "foobar"},
 					{Name: "refreshSeconds", Value: "42"},
-					{Name: "watch", Value: "true"}}},
+					{Name: "watch", Value: "true"},
+				}},
 				{Name: "rest", Children: []*parser.Node{
-					{Name: "entryPoint", Value: "foobar"}}}}},
+					{Name: "entryPoint", Value: "foobar"},
+				}},
+			}},
 			{Name: "serversTransport", Children: []*parser.Node{
 				{Name: "forwardingTimeouts", Children: []*parser.Node{
 					{Name: "dialTimeout", Value: "42"},
 					{Name: "idleConnTimeout", Value: "42"},
-					{Name: "responseHeaderTimeout", Value: "42"}}},
+					{Name: "responseHeaderTimeout", Value: "42"},
+				}},
 				{Name: "insecureSkipVerify", Value: "true"},
 				{Name: "maxIdleConnsPerHost", Value: "42"},
-				{Name: "rootCAs", Value: "foobar,foobar"}}},
+				{Name: "rootCAs", Value: "foobar,foobar"},
+			}},
 			{Name: "tracing", Children: []*parser.Node{
 				{Name: "datadog", Children: []*parser.Node{
 					{Name: "bagagePrefixHeaderName", Value: "foobar"},
@@ -516,18 +606,21 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 					{Name: "parentIDHeaderName", Value: "foobar"},
 					{Name: "prioritySampling", Value: "true"},
 					{Name: "samplingPriorityHeaderName", Value: "foobar"},
-					{Name: "traceIDHeaderName", Value: "foobar"}}},
+					{Name: "traceIDHeaderName", Value: "foobar"},
+				}},
 				{Name: "haystack", Children: []*parser.Node{
 					{Name: "globalTag", Value: "foobar"},
 					{Name: "localAgentHost", Value: "foobar"},
 					{Name: "localAgentPort", Value: "42"},
 					{Name: "parentIDHeaderName", Value: "foobar"},
 					{Name: "spanIDHeaderName", Value: "foobar"},
-					{Name: "traceIDHeaderName", Value: "foobar"}}},
+					{Name: "traceIDHeaderName", Value: "foobar"},
+				}},
 				{Name: "instana", Children: []*parser.Node{
 					{Name: "localAgentHost", Value: "foobar"},
 					{Name: "localAgentPort", Value: "42"},
-					{Name: "logLevel", Value: "foobar"}}},
+					{Name: "logLevel", Value: "foobar"},
+				}},
 				{Name: "jaeger", Children: []*parser.Node{
 					{Name: "gen128Bit", Value: "true"},
 					{Name: "localAgentHostPort", Value: "foobar"},
@@ -535,14 +628,17 @@ func Test_decodeFileToNode_Yaml(t *testing.T) {
 					{Name: "samplingParam", Value: "42"},
 					{Name: "samplingServerURL", Value: "foobar"},
 					{Name: "samplingType", Value: "foobar"},
-					{Name: "traceContextHeaderName", Value: "foobar"}}},
+					{Name: "traceContextHeaderName", Value: "foobar"},
+				}},
 				{Name: "serviceName", Value: "foobar"},
 				{Name: "spanNameLimit", Value: "42"},
 				{Name: "zipkin", Children: []*parser.Node{
 					{Name: "httpEndpoint", Value: "foobar"},
 					{Name: "id128Bit", Value: "true"},
 					{Name: "sameSpan", Value: "true"},
-					{Name: "sampleRate", Value: "42"}}}}},
+					{Name: "sampleRate", Value: "42"},
+				}},
+			}},
 		},
 	}
 

pkg/config/flag/flag.go

@@ -10,7 +10,7 @@ import (
 // flag arguments -> parsed map of flags
 // map -> tree of untyped nodes
 // untyped nodes -> nodes augmented with metadata such as kind (inferred from element)
-// "typed" nodes -> typed element
+// "typed" nodes -> typed element.
 func Decode(args []string, element interface{}) error {
 	ref, err := Parse(args, element)
 	if err != nil {
@@ -24,7 +24,7 @@ func Decode(args []string, element interface{}) error {
 // The operation goes through three stages roughly summarized as:
 // typed configuration in element -> tree of untyped nodes
 // untyped nodes -> nodes augmented with metadata such as kind (inferred from element)
-// "typed" nodes -> flags with default values (determined by type/kind)
+// "typed" nodes -> flags with default values (determined by type/kind).
 func Encode(element interface{}) ([]parser.Flat, error) {
 	if element == nil {
 		return nil, nil

pkg/config/flag/flagparser.go

@@ -101,7 +101,7 @@ func (f *flagSet) parseOne() (bool, error) {
 	return true, nil
 }
 
-func (f *flagSet) setValue(name string, value string) {
+func (f *flagSet) setValue(name, value string) {
 	srcKey := parser.DefaultRootName + "." + name
 	neutralKey := strings.ToLower(srcKey)
 

pkg/config/kv/kv.go

@@ -12,7 +12,7 @@ import (
 // The operation goes through three stages roughly summarized as:
 // KV pairs -> tree of untyped nodes
 // untyped nodes -> nodes augmented with metadata such as kind (inferred from element)
-// "typed" nodes -> typed element
+// "typed" nodes -> typed element.
 func Decode(pairs []*store.KVPair, element interface{}, rootName string) error {
 	if element == nil {
 		return nil