Prepare release v2.4.8

Raise errors for non-ASCII domain names in a router's rules
Adding an option to (de)activate Pilot integration into the Traefik dashboard
2025-09-09 17:44:30 +03:00 · 2021-03-23 16:34:04 +01:00 · 2021-03-22 21:16:04 +01:00 · 2021-03-22 19:18:04 +01:00 · 2021-03-22 15:26:03 +01:00 · 2021-03-19 09:12:04 +01:00
815 changed files with 38651 additions and 25484 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,24 +0,0 @@
-provider/kubernetes/**  @containous/kubernetes
-provider/rancher/**     @containous/rancher
-provider/marathon/**    @containous/marathon
-provider/docker/**      @containous/docker
-
-docs/user-guide/kubernetes.md       @containous/kubernetes
-docs/user-guide/marathon.md         @containous/marathon
-docs/user-guide/swarm.md            @containous/docker
-docs/user-guide/swarm-mode.md       @containous/docker
-
-docs/configuration/backends/docker.md       @containous/docker
-docs/configuration/backends/kubernetes.md   @containous/kubernetes
-docs/configuration/backends/marathon.md     @containous/marathon
-docs/configuration/backends/rancher.md      @containous/rancher
-
-examples/k8s/                   @containous/kubernetes
-examples/compose-k8s.yaml       @containous/kubernetes
-examples/k8s.namespace.yaml     @containous/kubernetes
-examples/compose-rancher.yml    @containous/rancher
-examples/compose-marathon.yml   @containous/marathon
-
-vendor/github.com/gambol99/go-marathon  @containous/marathon
-vendor/github.com/rancher               @containous/rancher
-vendor/k8s.io/                          @containous/kubernetes
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -17,7 +17,7 @@ Bug
 <!--

 The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.

 -->

--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -22,7 +22,7 @@ Bug
 <!--

 The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.

 -->

--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Traefik Community Support
+    url: https://community.traefik.io/
+    about: If you have a question, or are looking for advice, please post on our Discuss forum! The community loves to chime in to help. Happy Coding!
+  - name: Traefik Helm Chart Issues
+    url: https://github.com/traefik/traefik-helm-chart
+    about: Are you submitting an issue or feature enhancement for the Traefik helm chart? Please post in the traefik-helm-chart GitHub Issues.
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,17 +3,17 @@ PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.2
+- for Traefik v2: use branch v2.4

 Bug fixes:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.2
+- for Traefik v2: use branch v2.4

 Enhancements:
 - for Traefik v1: we only accept bug fixes
 - for Traefik v2: use branch master

-HOW TO WRITE A GOOD PULL REQUEST? https://docs.traefik.io/contributing/submitting-pull-requests/
+HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/

 -->

--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -0,0 +1,52 @@
+name: Build and Publish Documentation
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+jobs:
+
+  docs:
+    name: Doc Process
+    runs-on: ubuntu-latest
+    if: github.repository == 'traefik/traefik'
+    env:
+      STRUCTOR_VERSION: v1.11.2
+      MIXTUS_VERSION: v0.4.1
+
+    steps:
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Install Structor ${{ env.STRUCTOR_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | sh -s -- -b $HOME/bin ${STRUCTOR_VERSION}
+
+      - name: Install Seo-doc
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/seo-doc/master/godownloader.sh | sh -s -- -b "${HOME}/bin"
+
+      - name: Install Mixtus ${{ env.MIXTUS_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
+
+      - name: Build documentation
+        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
+        env:
+          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
+
+      - name: Apply seo
+        run: $HOME/bin/seo -path=./site
+
+      - name: Publish documentation
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,5 @@
 *.exe
 cover.out
 vendor/
+plugins-storage/
+traefik_changelog.md
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -30,30 +30,64 @@
    lines = 230 # default 60
    statements = 120 # default 40

+  [linters-settings.forbidigo]
+    forbid = [
+      '^print(ln)?$',
+      '^spew\.Print(f|ln)?$',
+      '^spew\.Dump$',
+    ]
+
+  [linters-settings.depguard]
+    list-type = "blacklist"
+    include-go-root = false
+    packages = ["github.com/pkg/errors"]
+
+  [linters-settings.godox]
+    keywords = ["FIXME"]
+
+  [linters-settings.importas]
+    corev1 = "k8s.io/api/core/v1"
+    networkingv1beta1 = "k8s.io/api/networking/v1beta1"
+    extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
+    metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
+    kubeerror = "k8s.io/apimachinery/pkg/api/errors"
+
 [linters]
  enable-all = true
  disable = [
+    "scopelint", # Deprecated
+    "interfacer", # Deprecated
+    "maligned", # Deprecated
+    "sqlclosecheck", # Not relevant (SQL)
+    "rowserrcheck", # Not relevant (SQL)
+    "lll", # Not relevant
    "gocyclo", # FIXME must be fixed
-    "gosec",
-    "dupl",
-    "maligned",
-    "lll",
-    "unparam",
-    "prealloc",
-    "scopelint",
+    "cyclop", # Duplicate of gocyclo
+    "gocognit", # Too strict
+    "nestif", # Too many false-positive.
+    "prealloc", # Too many false-positive.
+    "makezero", # Not relevant
+    "ifshort", # Not relevant
+    "dupl", # Too strict
+    "gosec", # Too strict
    "gochecknoinits",
    "gochecknoglobals",
-    "godox",
-    "gocognit",
-    "bodyclose", # Too many false-positive and panics.
    "wsl", # Too strict
+    "nlreturn", # Not relevant
    "gomnd", # Too strict
    "stylecheck", # skip because report issues related to some generated files.
    "testpackage", # Too strict
+    "tparallel", # Not relevant
+    "paralleltest", # Not relevant
+    "exhaustive", # Not relevant
+    "exhaustivestruct", # Not relevant
    "goerr113", # Too strict
-    "nestif", # Too many false-positive.
+    "wrapcheck", # Too strict
    "noctx", # Too strict
-    "exhaustive", # Too strict
+    "bodyclose", # Too many false-positive and panics.
+    "unparam", # Too strict
+    "godox", # Too strict
+    "forcetypeassert", # Too strict
  ]

 [issues]
@@ -61,9 +95,9 @@
  max-per-linter = 0
  max-same-issues = 0
  exclude = [
-    "SA1019: http.CloseNotifier is deprecated: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead.", # FIXME must be fixed
    "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
    "should have a package comment, unless it's in another file for this package",
+    "SA1019: http.CloseNotifier has been deprecated",  # FIXME must be fixed
  ]
 [[issues.exclude-rules]]
    path = "(.+)_test.go"
@@ -80,18 +114,12 @@
 [[issues.exclude-rules]]
    path = "pkg/h2c/h2c.go"
    text = "Error return value of `rw.Write` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/middlewares/recovery/recovery.go"
-    text = "`logger` can be `github.com/stretchr/testify/assert.TestingT`"
 [[issues.exclude-rules]]
    path = "pkg/provider/docker/builder_test.go"
    text = "(U1000: func )?`(.+)` is unused"
 [[issues.exclude-rules]]
    path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/config/parser/.+_test.go"
-    text = "U1000: field `(foo|fuu)` is unused"
 [[issues.exclude-rules]]
    path = "pkg/server/service/bufferpool.go"
    text = "SA6002: argument should be pointer-like to avoid allocations"
@@ -100,10 +128,7 @@
    text = "string `traefik` has (\\d) occurrences, make it a constant"
 [[issues.exclude-rules]]
    path = "pkg/server/middleware/middlewares.go"
-    text = "Function 'buildConstructor' is too long \\(\\d+ > 230\\)"
- [[issues.exclude-rules]] # FIXME must be fixed
-    path = "cmd/context.go"
-    text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
+    text = "Function 'buildConstructor' has too many statements"
 [[issues.exclude-rules]]
    path = "pkg/tracing/haystack/logger.go"
    linters = ["goprintffuncname"]
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -7,11 +7,11 @@ before:
 builds:
  - binary: traefik

-    main: ./cmd/traefik/traefik.go
+    main: ./cmd/traefik/
    env:
      - CGO_ENABLED=0
    ldflags:
-      - -s -w -X github.com/containous/traefik/v2/pkg/version.Version={{.Version}} -X github.com/containous/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/containous/traefik/v2/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}

    goos:
      - linux
--- a/.semaphoreci/setup.sh
+++ b/.semaphoreci/setup.sh
@@ -1,6 +1,6 @@
 # For personnal CI
-# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/containous/
-# cd /home/runner/workspace/src/github.com/containous/traefik/
+# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/traefik/
+# cd /home/runner/workspace/src/github.com/traefik/traefik/
 for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
 sudo swapoff -a
 sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
@@ -10,7 +10,7 @@ sudo rm -rf /home/runner/.rbenv
 sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
 #export DOCKER_VERSION=18.06.3
 source .semaphoreci/vars
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
+if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/traefik/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
 echo ${SHOULD_TEST}
 if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
 echo ${TEMP_STORAGE}
@@ -20,7 +20,7 @@ echo ${SHOULD_TEST}
 if [ -n "$SHOULD_TEST" ]; then docker version; fi
 export GO_VERSION=1.13
 if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-#if [ "${GO_VERSION}" == '1.14' ]; then export GO_VERSION=1.14rc2; fi
+#if [ "${GO_VERSION}" == '1.15' ]; then export GO_VERSION=1.15rc2; fi
 echo "Selected Go version: ${GO_VERSION}"

 if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
--- a/.semaphoreci/vars
+++ b/.semaphoreci/vars
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -e

-export REPO='containous/traefik'
+export REPO='traefik/traefik'

 if VERSION=$(git describe --exact-match --abbrev=0 --tags);
 then
@@ -10,7 +10,7 @@ else
  export VERSION=''
 fi

-export CODENAME=chevrotin
+export CODENAME=livarot

 export N_MAKE_JOBS=2

--- a/.travis.yml
+++ b/.travis.yml
@@ -11,12 +11,12 @@ env:
  global:
    - REPO=$TRAVIS_REPO_SLUG
    - VERSION=$TRAVIS_TAG
-    - CODENAME=chevrotin
+    - CODENAME=livarot
    - GO111MODULE=on

 script:
 - echo "Skipping tests... (Tests are executed on SemaphoreCI)"
- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs; fi
+- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then travis_retry make docs-pull-images && make docs; fi

 before_deploy:
  - >
@@ -25,12 +25,11 @@ before_deploy:
      sudo -E apt-get -yq update;
      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
      docker version;
+      echo "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin;
      make build-image;
      if [ "$TRAVIS_TAG" ]; then
        make release-packages;
      fi;
-      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
-      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
    fi

 deploy:
@@ -40,19 +39,12 @@ deploy:
    skip_cleanup: true
    file_glob: true
    on:
-      repo: containous/traefik
+      repo: traefik/traefik
      tags: true
  - provider: script
    script: sh script/deploy.sh
    skip_cleanup: true
    on:
-      repo: containous/traefik
+      repo: traefik/traefik
      tags: true
-  - provider: pages
-    edge: false
-    github_token: ${GITHUB_TOKEN}
-    local_dir: site
-    skip_cleanup: true
-    on:
-      repo: containous/traefik
-      all_branches: true
+
--- a/.travis/traefiker_rsa.enc
+++ b/.travis/traefiker_rsa.enc
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -36,7 +36,7 @@ Representation of a project may be further defined and clarified by project main

 ## Enforcement

-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
 All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
 The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
 Further details of specific enforcement policies may be posted separately.
@@ -48,4 +48,4 @@ Project maintainers who do not follow or enforce the Code of Conduct in good fai
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]

 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,4 +1,4 @@
 # Contributing

- https://docs.traefik.io/contributing/submitting-pull-requests/
- https://docs.traefik.io/contributing/submitting-issues/
+- https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
+- https://doc.traefik.io/traefik/contributing/submitting-issues/
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/18
+++ b/18
@@ -13,7 +13,7 @@ GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/nul
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))

 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"containous/traefik")
+TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")

 INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
@@ -29,7 +29,7 @@ TRAEFIK_ENVS := \
 	-e CI \
 	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.

-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/containous/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_NON_INTERACTIVE ?= false
 DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
@@ -37,6 +37,8 @@ DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INT

 PRE_TARGET ?= build-dev-image

+PLATFORM_URL := $(if $(PLATFORM_URL),$(PLATFORM_URL),"https://pilot.traefik.io")
+
 default: binary

 ## Build Dev Docker image
@@ -53,7 +55,7 @@ dist:

 ## Build WebUI Docker image
 build-webui-image:
-	docker build -t traefik-webui -f webui/Dockerfile webui
+	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui

 ## Generate WebUI
 generate-webui: build-webui-image
@@ -61,18 +63,18 @@ generate-webui: build-webui-image
 		mkdir -p static; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
-		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
+		echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
 	fi

 ## Build the linux binary
 binary: generate-webui $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary

-## Build the binary for the standard plaforms (linux, darwin, windows)
+## Build the binary for the standard platforms (linux, darwin, windows)
 crossbinary-default: generate-webui build-dev-image
 	$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default

-## Build the binary for the standard plaforms (linux, darwin, windows) in parallel
+## Build the binary for the standard platforms (linux, darwin, windows) in parallel
 crossbinary-default-parallel:
 	$(MAKE) generate-webui
 	$(MAKE) build-dev-image crossbinary-default
@@ -125,6 +127,10 @@ docs:
 docs-serve:
 	make -C ./docs docs-serve

+## Pull image for doc building
+docs-pull-images:
+	make -C ./docs docs-pull-images
+
 ## Generate CRD clientset
 generate-crd:
 	./script/update-generated-crd-code.sh
--- a/README.md
+++ b/README.md
@@ -4,11 +4,11 @@
 </p>

 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
-[![Go Report Card](https://goreportcard.com/badge/containous/traefik)](https://goreportcard.com/report/containous/traefik)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
+[![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
+[![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)


@@ -33,7 +33,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo

 ---

-:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).

 ## Overview

@@ -69,15 +69,15 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t

 ## Supported Backends

- [Docker](https://docs.traefik.io/providers/docker/) / [Swarm mode](https://docs.traefik.io/providers/docker/)
- [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
- [Marathon](https://docs.traefik.io/providers/marathon/)
- [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
- [File](https://docs.traefik.io/providers/file/)
+- [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
+- [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
+- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
+- [File](https://doc.traefik.io/traefik/providers/file/)

 ## Quickstart

-To get your hands on Traefik, you can use the [5-Minute Quickstart](https://docs.traefik.io/getting-started/quick-start/) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://doc.traefik.io/traefik/getting-started/quick-start/) in our documentation (you will need Docker).

 ## Web UI

@@ -87,28 +87,28 @@ You can access the simple HTML frontend of Traefik.

 ## Documentation

-You can find the complete documentation of Traefik v2 at [https://docs.traefik.io](https://docs.traefik.io).
+You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

-If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/).
+If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).

 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).

 ## Support

 To get community support, you can:
- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+- join the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)

-If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.

 ## Download

- Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):

 ```shell
 ./traefik --configFile=traefik.toml
 ```

- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+- Or use the official tiny Docker image and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/master/traefik.sample.toml):

 ```shell
 docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik
@@ -117,12 +117,12 @@ docker run -d -p 8080:8080 -p 80:80 -v $PWD/traefik.toml:/etc/traefik/traefik.to
 - Or get the sources:

 ```shell
-git clone https://github.com/containous/traefik
+git clone https://github.com/traefik/traefik
 ```

 ## Introductory Videos

-You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us).
+You can find high level and deep dive videos on [videos.traefik.io](https://videos.traefik.io).

 ## Maintainers

@@ -137,7 +137,7 @@ By participating in this project, you agree to abide by its terms.

 ## Release Cycle

- We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
+- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
 - Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
 - Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).

@@ -152,9 +152,9 @@ We use [Semantic Versioning](https://semver.org/).

 ## Credits

-Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the logo ![logo](docs/content/assets/img/traefik.icon.png).
+Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the gopher's logo!.

-Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
+The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.

-Traefik's logo was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
+The gopher's logo of Traefik was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
 The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+We strongly advise you to register your Traefik instances to [Pilot](http://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version.
+You can also join our security mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Supported Versions
+
+- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
+
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
+
+We use [Semantic Versioning](https://semver.org/).
+
+| Version   | Supported          |
+| --------- | ------------------ |
+| `2.2.x`   | :white_check_mark: |
+| `< 2.2.x` | :x:                |
+| `1.7.x`   | :white_check_mark: |
+| `< 1.7.x` | :x:                |
+
+## Reporting a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.14-alpine
+FROM golang:1.16-alpine

 RUN apk --update upgrade \
    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
    && chmod +x /usr/local/bin/go-bindata

 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.28.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.38.0

 # Download misspell binary to bin folder in $GOPATH
 RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
@@ -27,11 +27,11 @@ RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install
 # Download goreleaser binary to bin folder in $GOPATH
 RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh

-WORKDIR /go/src/github.com/containous/traefik
+WORKDIR /go/src/github.com/traefik/traefik

 # Download go modules
 COPY go.mod .
 COPY go.sum .
 RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download

-COPY . /go/src/github.com/containous/traefik
+COPY . /go/src/github.com/traefik/traefik
--- a/cmd/configuration.go
+++ b/cmd/configuration.go
@@ -3,8 +3,8 @@ package cmd
 import (
 	"time"

-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/types"
+	ptypes "github.com/traefik/paerser/types"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )

 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
@@ -23,7 +23,7 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			},
 			EntryPoints: make(static.EntryPoints),
 			Providers: &static.Providers{
-				ProvidersThrottleDuration: types.Duration(2 * time.Second),
+				ProvidersThrottleDuration: ptypes.Duration(2 * time.Second),
 			},
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,
--- a/cmd/context.go
+++ b/cmd/context.go
@@ -13,10 +13,8 @@ func ContextWithSignal(ctx context.Context) context.Context {
 	signals := make(chan os.Signal)
 	signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
 	go func() {
-		select {
-		case <-signals:
-			cancel()
-		}
+		<-signals
+		cancel()
 	}()
 	return newCtx
 }
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -7,8 +7,8 @@ import (
 	"os"
 	"time"

-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/config/static"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )

 // NewCmd builds a new HealthCheck command.
--- a/cmd/traefik/plugins.go
+++ b/cmd/traefik/plugins.go
@@ -0,0 +1,49 @@
+package main
+
+import (
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/plugins"
+)
+
+const outputDir = "./plugins-storage/"
+
+func createPluginBuilder(staticConfiguration *static.Configuration) (*plugins.Builder, error) {
+	client, plgs, devPlugin, err := initPlugins(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return plugins.NewBuilder(client, plgs, devPlugin)
+}
+
+func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, *plugins.DevPlugin, error) {
+	if !isPilotEnabled(staticCfg) || !hasPlugins(staticCfg) {
+		return nil, map[string]plugins.Descriptor{}, nil, nil
+	}
+
+	opts := plugins.ClientOptions{
+		Output: outputDir,
+		Token:  staticCfg.Pilot.Token,
+	}
+
+	client, err := plugins.NewClient(opts)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	err = plugins.Setup(client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	return client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin, nil
+}
+
+func isPilotEnabled(staticCfg *static.Configuration) bool {
+	return staticCfg.Pilot != nil && staticCfg.Pilot.Token != ""
+}
+
+func hasPlugins(staticCfg *static.Configuration) bool {
+	return staticCfg.Experimental != nil &&
+		(len(staticCfg.Experimental.Plugins) > 0 || staticCfg.Experimental.DevPlugin != nil)
+}
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -11,30 +11,34 @@ import (
 	"strings"
 	"time"

-	"github.com/containous/traefik/v2/autogen/genstatic"
-	"github.com/containous/traefik/v2/cmd"
-	"github.com/containous/traefik/v2/cmd/healthcheck"
-	cmdVersion "github.com/containous/traefik/v2/cmd/version"
-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/collector"
-	"github.com/containous/traefik/v2/pkg/config/dynamic"
-	"github.com/containous/traefik/v2/pkg/config/static"
-	"github.com/containous/traefik/v2/pkg/log"
-	"github.com/containous/traefik/v2/pkg/metrics"
-	"github.com/containous/traefik/v2/pkg/middlewares/accesslog"
-	"github.com/containous/traefik/v2/pkg/provider/acme"
-	"github.com/containous/traefik/v2/pkg/provider/aggregator"
-	"github.com/containous/traefik/v2/pkg/provider/traefik"
-	"github.com/containous/traefik/v2/pkg/safe"
-	"github.com/containous/traefik/v2/pkg/server"
-	"github.com/containous/traefik/v2/pkg/server/middleware"
-	"github.com/containous/traefik/v2/pkg/server/service"
-	traefiktls "github.com/containous/traefik/v2/pkg/tls"
-	"github.com/containous/traefik/v2/pkg/types"
-	"github.com/containous/traefik/v2/pkg/version"
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
+	"github.com/go-acme/lego/v4/challenge"
 	"github.com/sirupsen/logrus"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/autogen/genstatic"
+	"github.com/traefik/traefik/v2/cmd"
+	"github.com/traefik/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+	tcli "github.com/traefik/traefik/v2/pkg/cli"
+	"github.com/traefik/traefik/v2/pkg/collector"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/metrics"
+	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v2/pkg/pilot"
+	"github.com/traefik/traefik/v2/pkg/provider/acme"
+	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/server"
+	"github.com/traefik/traefik/v2/pkg/server/middleware"
+	"github.com/traefik/traefik/v2/pkg/server/service"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/types"
+	"github.com/traefik/traefik/v2/pkg/version"
 	"github.com/vulcand/oxy/roundrobin"
 )

@@ -42,7 +46,7 @@ func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()

-	loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.FlagLoader{}, &cli.EnvLoader{}}
+	loaders := []cli.ResourceLoader{&tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}

 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -117,6 +121,12 @@ func runCmd(staticConfiguration *static.Configuration) error {

 	ctx := cmd.ContextWithSignal(context.Background())

+	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.DevPlugin != nil {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(ctx, 30*time.Minute)
+		defer cancel()
+	}
+
 	if staticConfiguration.Ping != nil {
 		staticConfiguration.Ping.WithContext(ctx)
 	}
@@ -163,15 +173,30 @@ func runCmd(staticConfiguration *static.Configuration) error {
 func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
 	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)

+	ctx := context.Background()
+	routinesPool := safe.NewPool(ctx)
+
 	// adds internal provider
 	err := providerAggregator.AddProvider(traefik.New(*staticConfiguration))
 	if err != nil {
 		return nil, err
 	}

-	tlsManager := traefiktls.NewManager()
+	// ACME

-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
+	tlsManager := traefiktls.NewManager()
+	httpChallengeProvider := acme.NewChallengeHTTP()
+
+	// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
+	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
+	err = providerAggregator.AddProvider(tlsChallengeProvider)
+	if err != nil {
+		return nil, err
+	}
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
+
+	// Entrypoints

 	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
 	if err != nil {
@@ -183,66 +208,103 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	ctx := context.Background()
-	routinesPool := safe.NewPool(ctx)
+	// Pilot

-	metricsRegistry := registerMetricClients(staticConfiguration.Metrics)
-	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
-	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder)
+	var aviator *pilot.Pilot
+	var pilotRegistry *metrics.PilotRegistry
+	if isPilotEnabled(staticConfiguration) {
+		pilotRegistry = metrics.RegisterPilot()

-	var defaultEntryPoints []string
-	for name, cfg := range staticConfiguration.EntryPoints {
-		protocol, err := cfg.GetProtocol()
-		if err != nil {
-			// Should never happen because Traefik should not start if protocol is invalid.
-			log.WithoutContext().Errorf("Invalid protocol: %v", err)
-		}
+		aviator = pilot.New(staticConfiguration.Pilot.Token, pilotRegistry, routinesPool)

-		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
-			defaultEntryPoints = append(defaultEntryPoints, name)
-		}
+		routinesPool.GoCtx(func(ctx context.Context) {
+			aviator.Tick(ctx)
+		})
 	}

-	sort.Strings(defaultEntryPoints)
+	if staticConfiguration.Pilot != nil {
+		version.PilotEnabled = staticConfiguration.Pilot.Dashboard
+	}
+
+	// Plugins
+
+	pluginBuilder, err := createPluginBuilder(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	// Metrics
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	if pilotRegistry != nil {
+		metricRegistries = append(metricRegistries, pilotRegistry)
+	}
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+
+	// Service manager factory
+
+	roundTripperManager := service.NewRoundTripperManager()
+	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)
+
+	// Router factory
+
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder)
+
+	// Watcher

 	watcher := server.NewConfigurationWatcher(
 		routinesPool,
 		providerAggregator,
 		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
-		defaultEntryPoints,
+		getDefaultsEntrypoints(staticConfiguration),
+		"internal",
 	)

+	// TLS
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		ctx := context.Background()
 		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
 	})

+	// Metrics
 	watcher.AddListener(func(_ dynamic.Configuration) {
 		metricsRegistry.ConfigReloadsCounter().Add(1)
 		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
 	})

-	watcher.AddListener(switchRouter(routerFactory, acmeProviders, serverEntryPointsTCP, serverEntryPointsUDP))
-
+	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
-		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
-			var eps []string
-			for key := range serverEntryPointsTCP {
-				eps = append(eps, key)
-			}
-
-			metrics.OnConfigurationUpdate(conf, eps)
-		}
+		roundTripperManager.Update(conf.HTTP.ServersTransports)
 	})

+	// Switch router
+	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
+
+	// Metrics
+	if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
+		var eps []string
+		for key := range serverEntryPointsTCP {
+			eps = append(eps, key)
+		}
+		watcher.AddListener(func(conf dynamic.Configuration) {
+			metrics.OnConfigurationUpdate(conf, eps)
+		})
+	}
+
+	// TLS challenge
+	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)
+
+	// ACME
 	resolverNames := map[string]struct{}{}
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}

+	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
 			if rt.TLS == nil || rt.TLS.CertResolver == "" {
@@ -258,63 +320,90 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
 }

-func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints) func(conf dynamic.Configuration) {
-	return func(conf dynamic.Configuration) {
-		routers, udpRouters := routerFactory.CreateRouters(conf)
-		for entryPointName, rt := range routers {
-			for _, p := range acmeProviders {
-				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
-					rt.HTTPHandler(p.CreateHandler(rt.GetHTTPHandler()))
-					break
-				}
-			}
+func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvider http.Handler) http.Handler {
+	var acmeHTTPHandler http.Handler
+	for _, p := range acmeProviders {
+		if p != nil && p.HTTPChallenge != nil {
+			acmeHTTPHandler = httpChallengeProvider
+			break
 		}
+	}
+	return acmeHTTPHandler
+}
+
+func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
+	var defaultEntryPoints []string
+	for name, cfg := range staticConfiguration.EntryPoints {
+		protocol, err := cfg.GetProtocol()
+		if err != nil {
+			// Should never happen because Traefik should not start if protocol is invalid.
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+		}
+
+		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
+			defaultEntryPoints = append(defaultEntryPoints, name)
+		}
+	}
+
+	sort.Strings(defaultEntryPoints)
+	return defaultEntryPoints
+}
+
+func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
+	return func(conf dynamic.Configuration) {
+		rtConf := runtime.NewConfig(conf)
+
+		routers, udpRouters := routerFactory.CreateRouters(rtConf)
+
+		if aviator != nil {
+			aviator.SetDynamicConfiguration(conf)
+		}
+
 		serverEntryPointsTCP.Switch(routers)
 		serverEntryPointsUDP.Switch(udpRouters)
 	}
 }

 // initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
-func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
-	challengeStore := acme.NewLocalChallengeStore()
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}

 	var resolvers []*acme.Provider
 	for name, resolver := range c.CertificatesResolvers {
-		if resolver.ACME != nil {
-			if localStores[resolver.ACME.Storage] == nil {
-				localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
-			}
-
-			p := &acme.Provider{
-				Configuration:  resolver.ACME,
-				Store:          localStores[resolver.ACME.Storage],
-				ChallengeStore: challengeStore,
-				ResolverName:   name,
-			}
-
-			if err := providerAggregator.AddProvider(p); err != nil {
-				log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
-				continue
-			}
-
-			p.SetTLSManager(tlsManager)
-
-			if p.TLSChallenge != nil {
-				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
-			}
-
-			p.SetConfigListenerChan(make(chan dynamic.Configuration))
-
-			resolvers = append(resolvers, p)
+		if resolver.ACME == nil {
+			continue
 		}
+
+		if localStores[resolver.ACME.Storage] == nil {
+			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+		}
+
+		p := &acme.Provider{
+			Configuration:         resolver.ACME,
+			Store:                 localStores[resolver.ACME.Storage],
+			ResolverName:          name,
+			HTTPChallengeProvider: httpChallengeProvider,
+			TLSChallengeProvider:  tlsChallengeProvider,
+		}
+
+		if err := providerAggregator.AddProvider(p); err != nil {
+			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			continue
+		}
+
+		p.SetTLSManager(tlsManager)
+
+		p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
+		resolvers = append(resolvers, p)
 	}
+
 	return resolvers
 }

-func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
+func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
-		return metrics.NewVoidRegistry()
+		return nil
 	}

 	var registries []metrics.Registry
@@ -349,7 +438,7 @@ func registerMetricClients(metricsConfig *types.Metrics) metrics.Registry {
 			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
 	}

-	return metrics.NewMultiRegistry(registries)
+	return registries
 }

 func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
@@ -435,13 +524,13 @@ func stats(staticConfiguration *static.Configuration) {
 		logger.Info(`Stats collection is enabled.`)
 		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
 		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://docs.traefik.io/contributing/data-collection/`)
+		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
 		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/contributing/data-collection/
+More details on: https://doc.traefik.io/traefik/contributing/data-collection/
 `)
 	}
 }
--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -7,8 +7,8 @@ import (
 	"runtime"
 	"text/template"

-	"github.com/containous/traefik/v2/pkg/cli"
-	"github.com/containous/traefik/v2/pkg/version"
+	"github.com/traefik/paerser/cli"
+	"github.com/traefik/traefik/v2/pkg/version"
 )

 var versionTemplate = `Version:      {{.Version}}
--- a/contrib/grafana/traefik-kubernetes.json
+++ b/contrib/grafana/traefik-kubernetes.json
@@ -130,7 +130,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "count(kube_pod_status_ready{namespace=\"$namespace\",condition=\"true\",pod=~\"traefik.*\"})",
+          "expr": "count(kube_pod_status_ready{condition=\"true\",pod=~\"traefik.*\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -150,10 +150,7 @@
      "valueName": "current"
    },
    {
-      "aliasColors": {
-        "Latency over 1 min": "rgb(9, 116, 190)",
-        "Latency over 5 min": "#bf1b00"
-      },
+      "aliasColors": {},
      "bars": false,
      "dashLength": 10,
      "dashes": false,
@@ -183,22 +180,17 @@
      "pointradius": 5,
      "points": false,
      "renderer": "flot",
-      "seriesOverrides": [
-        {
-          "alias": "Latency over 5 min",
-          "yaxis": 1
-        }
-      ],
+      "seriesOverrides": [],
      "spaceLength": 10,
      "stack": false,
      "steppedLine": false,
      "targets": [
        {
-          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\", code=\"200\",method=\"GET\"}[5m])) by (le))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (le))",
          "format": "time_series",
          "hide": false,
          "intervalFactor": 1,
-          "legendFormat": "Latency over 1 min",
+          "legendFormat": "Latency over 5 min",
          "refId": "A"
        }
      ],
@@ -281,7 +273,7 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "histogram_quantile(0.$percentiles, rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\",code=\"200\",method=\"GET\"}[5m]))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (instance, le))",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "{{ instance }}",
@@ -343,7 +335,7 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 7,
          "gridPos": {
            "h": 7,
@@ -379,7 +371,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(traefik_entrypoint_open_connections{namespace=\"$namespace\"}) by (method)",
+              "expr": "sum(traefik_entrypoint_open_connections) by (method)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "{{ method }}",
@@ -431,7 +423,7 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 7,
@@ -465,7 +457,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\",le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_entrypoint_request_duration_seconds_count{namespace=\"$namespace\",code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Code 200",
@@ -511,9 +503,97 @@
            "align": false,
            "alignLevel": null
          }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 23
+          },
+          "id": 3,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_entrypoint_requests_total[1m])) by (entrypoint)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ entrypoint }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per entrypoint",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
        }
      ],
-      "title": "Frontends (entrypoints)",
+      "title": "Entrypoints",
      "type": "row"
    },
    {
@@ -522,7 +602,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 16
+        "y": 33
      },
      "id": 24,
      "panels": [
@@ -531,13 +611,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 7,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 0,
-            "y": 17
+            "y": 34
          },
          "id": 25,
          "legend": {
@@ -567,7 +647,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(traefik_backend_open_connections{namespace=\"$namespace\"}) by (method)",
+              "expr": "sum(traefik_service_open_connections) by (method)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "{{ method }}",
@@ -619,13 +699,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 12,
-            "y": 17
+            "y": 34
          },
          "id": 26,
          "legend": {
@@ -653,7 +733,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_request_duration_seconds_bucket{namespace=\"$namespace\",le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_backend_request_duration_seconds_count{namespace=\"$namespace\",code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_service_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Code 200",
@@ -699,9 +779,97 @@
            "align": false,
            "alignLevel": null
          }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 41
+          },
+          "id": 4,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_service_requests_total[1m])) by (service)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per service",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
        }
      ],
-      "title": "Backends",
+      "title": "Services",
      "type": "row"
    },
    {
@@ -710,7 +878,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 17
+        "y": 51
      },
      "id": 15,
      "panels": [
@@ -725,7 +893,7 @@
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 18
+            "y": 52
          },
          "id": 5,
          "legend": {
@@ -755,7 +923,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code=~\"2..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"2..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{method}} : {{code}}",
@@ -813,7 +981,7 @@
            "h": 9,
            "w": 12,
            "x": 12,
-            "y": 18
+            "y": 52
          },
          "id": 27,
          "legend": {
@@ -841,7 +1009,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code=~\"5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"5..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{method}} : {{code}}",
@@ -899,95 +1067,7 @@
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 27
-          },
-          "id": 3,
-          "legend": {
-            "alignAsTable": true,
-            "avg": true,
-            "current": true,
-            "max": true,
-            "min": false,
-            "rightSide": true,
-            "show": true,
-            "sort": "avg",
-            "sortDesc": true,
-            "total": false,
-            "values": true
-          },
-          "lines": false,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\"}[1m])) by (backend)",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{ backend }}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeShift": null,
-          "title": "Backend total requests over 1min per backend",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": true,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "${DS_PROMETHEUS}",
-          "fill": 1,
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 27
+            "y": 61
          },
          "id": 6,
          "legend": {
@@ -1016,7 +1096,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code!~\"2..|5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{ method }} : {{code}}",
@@ -1026,7 +1106,7 @@
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
-          "title": "Others status code over 5min",
+          "title": "Others statuses code over 5min",
          "tooltip": {
            "shared": true,
            "sort": 0,
@@ -1064,7 +1144,7 @@
          }
        }
      ],
-      "title": "HTTP Codes  stats",
+      "title": "HTTP Codes stats",
      "type": "row"
    },
    {
@@ -1073,7 +1153,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 18
+        "y": 70
      },
      "id": 35,
      "panels": [
@@ -1082,13 +1162,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 19
+            "y": 71
          },
          "id": 31,
          "legend": {
@@ -1116,21 +1196,21 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "max(container_memory_usage_bytes{namespace=\"$namespace\", container_name=\"traefik\"})",
+              "expr": "sum(container_memory_usage_bytes{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
-              "legendFormat": "Max memory used",
+              "legendFormat": "Memory used",
              "refId": "A"
            },
            {
-              "expr": "avg(kube_pod_container_resource_requests_memory_bytes{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_requests_memory_bytes{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
-              "legendFormat": "Requested memory usage",
+              "legendFormat": "Requested memory",
              "refId": "B"
            },
            {
-              "expr": "avg(kube_pod_container_resource_limits_memory_bytes{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_limits_memory_bytes{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Limit memory usage",
@@ -1140,7 +1220,7 @@
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
-          "title": "Traefik max memory usage",
+          "title": "Traefik memory usage",
          "tooltip": {
            "shared": true,
            "sort": 0,
@@ -1182,13 +1262,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 9,
            "w": 12,
            "x": 12,
-            "y": 19
+            "y": 71
          },
          "id": 33,
          "legend": {
@@ -1215,21 +1295,21 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "max(rate(container_cpu_usage_seconds_total{namespace=\"$namespace\", container_name=\"traefik\"}[1m]))",
+              "expr": "sum(rate(container_cpu_usage_seconds_total{container=\"traefik\"}[2m]))",
              "format": "time_series",
              "intervalFactor": 1,
-              "legendFormat": "Max cpu used",
+              "legendFormat": "Cpu used",
              "refId": "A"
            },
            {
-              "expr": "avg(kube_pod_container_resource_requests_cpu_cores{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_requests_cpu_cores{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
-              "legendFormat": "Requested cpu usage",
+              "legendFormat": "Requested cpu",
              "refId": "B"
            },
            {
-              "expr": "avg(kube_pod_container_resource_limits_cpu_cores{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_limits_cpu_cores{container=\"traefik\"})",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Limit cpu usage",
@@ -1239,7 +1319,7 @@
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
-          "title": "Traefik max CPU usage",
+          "title": "Traefik CPU usage",
          "tooltip": {
            "shared": true,
            "sort": 0,
@@ -1277,7 +1357,7 @@
          }
        }
      ],
-      "title": "Pods ressources",
+      "title": "Pods resources",
      "type": "row"
    }
  ],
@@ -1288,26 +1368,6 @@
  ],
  "templating": {
    "list": [
-      {
-        "allValue": null,
-        "current": {},
-        "datasource": "${DS_PROMETHEUS}",
-        "hide": 0,
-        "includeAll": false,
-        "label": null,
-        "multi": false,
-        "name": "namespace",
-        "options": [],
-        "query": "label_values(traefik_config_reloads_total, namespace)",
-        "refresh": 1,
-        "regex": "",
-        "sort": 0,
-        "tagValuesQuery": "",
-        "tags": [],
-        "tagsQuery": "",
-        "type": "query",
-        "useTags": false
-      },
      {
        "allValue": null,
        "current": {
@@ -1370,5 +1430,5 @@
  "timezone": "",
  "title": "Traefik",
  "uid": "traefik-kubernetes",
-  "version": 1
+  "version": 2
 }
--- a/contrib/grafana/traefik.json
+++ b/contrib/grafana/traefik.json
@@ -64,10 +64,7 @@
      "type": "row"
    },
    {
-      "aliasColors": {
-        "Latency over 1 min": "rgb(9, 116, 190)",
-        "Latency over 5 min": "#bf1b00"
-      },
+      "aliasColors": {},
      "bars": false,
      "dashLength": 10,
      "dashes": false,
@@ -97,22 +94,17 @@
      "pointradius": 5,
      "points": false,
      "renderer": "flot",
-      "seriesOverrides": [
-        {
-          "alias": "Latency over 5 min",
-          "yaxis": 1
-        }
-      ],
+      "seriesOverrides": [],
      "spaceLength": 10,
      "stack": false,
      "steppedLine": false,
      "targets": [
        {
-          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=\"200\",method=\"GET\"}[5m])) by (le))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (le))",
          "format": "time_series",
          "hide": false,
          "intervalFactor": 1,
-          "legendFormat": "Latency over 1 min",
+          "legendFormat": "Latency over 5 min",
          "refId": "A"
        }
      ],
@@ -195,7 +187,7 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "histogram_quantile(0.$percentiles, rate(traefik_entrypoint_request_duration_seconds_bucket{code=\"200\",method=\"GET\"}[5m]))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (instance, le))",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "{{ instance }}",
@@ -257,13 +249,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 7,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 0,
-            "y": 2
+            "y": 16
          },
          "id": 19,
          "legend": {
@@ -345,13 +337,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 12,
-            "y": 2
+            "y": 16
          },
          "id": 22,
          "legend": {
@@ -379,7 +371,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Code 200",
@@ -425,9 +417,97 @@
            "align": false,
            "alignLevel": null
          }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 23
+          },
+          "id": 3,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_entrypoint_requests_total[1m])) by (entrypoint)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ entrypoint }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per entrypoint",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
        }
      ],
-      "title": "Frontends (entrypoints)",
+      "title": "Entrypoints",
      "type": "row"
    },
    {
@@ -436,7 +516,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 16
+        "y": 33
      },
      "id": 24,
      "panels": [
@@ -445,13 +525,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 7,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 0,
-            "y": 3
+            "y": 34
          },
          "id": 25,
          "legend": {
@@ -481,7 +561,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(traefik_backend_open_connections) by (method)",
+              "expr": "sum(traefik_service_open_connections) by (method)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "{{ method }}",
@@ -533,13 +613,13 @@
          "bars": false,
          "dashLength": 10,
          "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
          "fill": 1,
          "gridPos": {
            "h": 7,
            "w": 12,
            "x": 12,
-            "y": 3
+            "y": 34
          },
          "id": 26,
          "legend": {
@@ -567,7 +647,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_backend_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_service_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
              "format": "time_series",
              "intervalFactor": 1,
              "legendFormat": "Code 200",
@@ -613,9 +693,97 @@
            "align": false,
            "alignLevel": null
          }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 41
+          },
+          "id": 4,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_service_requests_total[1m])) by (service)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per service",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
        }
      ],
-      "title": "Backends",
+      "title": "Services",
      "type": "row"
    },
    {
@@ -624,7 +792,7 @@
        "h": 1,
        "w": 24,
        "x": 0,
-        "y": 17
+        "y": 51
      },
      "id": 15,
      "panels": [
@@ -639,7 +807,7 @@
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 4
+            "y": 52
          },
          "id": 5,
          "legend": {
@@ -669,7 +837,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{code=~\"2..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"2..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{method}} : {{code}}",
@@ -727,7 +895,7 @@
            "h": 9,
            "w": 12,
            "x": 12,
-            "y": 4
+            "y": 52
          },
          "id": 27,
          "legend": {
@@ -755,7 +923,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{code=~\"5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"5..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{method}} : {{code}}",
@@ -813,95 +981,7 @@
            "h": 9,
            "w": 12,
            "x": 0,
-            "y": 13
-          },
-          "id": 3,
-          "legend": {
-            "alignAsTable": true,
-            "avg": true,
-            "current": true,
-            "max": true,
-            "min": false,
-            "rightSide": true,
-            "show": true,
-            "sort": "avg",
-            "sortDesc": true,
-            "total": false,
-            "values": true
-          },
-          "lines": false,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(traefik_backend_requests_total[1m])) by (backend)",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{ backend }}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeShift": null,
-          "title": "Backend total requests over 1min per backend",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": true,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "${DS_PROMETHEUS}",
-          "fill": 1,
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 13
+            "y": 61
          },
          "id": 6,
          "legend": {
@@ -930,7 +1010,7 @@
          "steppedLine": false,
          "targets": [
            {
-              "expr": "sum(rate(traefik_backend_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
              "format": "time_series",
              "intervalFactor": 2,
              "legendFormat": "{{ method }} : {{code}}",
@@ -940,7 +1020,7 @@
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
-          "title": "Others status code over 5min",
+          "title": "Others statuses code over 5min",
          "tooltip": {
            "shared": true,
            "sort": 0,
@@ -978,7 +1058,7 @@
          }
        }
      ],
-      "title": "HTTP Codes  stats",
+      "title": "HTTP Codes stats",
      "type": "row"
    }
  ],
@@ -1051,5 +1131,5 @@
  "timezone": "",
  "title": "Traefik",
  "uid": "traefik",
-  "version": 1
+  "version": 2
 }
--- a/contrib/systemd/traefik.service
+++ b/contrib/systemd/traefik.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Traefik
-Documentation=https://docs.traefik.io
+Documentation=https://doc.traefik.io/traefik/
 #After=network-online.target
 #AssertFileIsExecutable=/usr/bin/traefik
 #AssertPathExists=/etc/traefik/traefik.toml
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -12,7 +12,7 @@ TRAEFIK_DOCS_CHECK_IMAGE ?= $(TRAEFIK_DOCS_BUILD_IMAGE)-check
 SITE_DIR := $(CURDIR)/site

 DOCKER_RUN_DOC_PORT := 8000
-DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs 
+DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs
 DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNTS) -p $(DOCKER_RUN_DOC_PORT):8000

 # Default: generates the documentation into $(SITE_DIR)
@@ -22,6 +22,10 @@ docs: docs-clean docs-image docs-lint docs-build docs-verify
 docs-serve: docs-image
 	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve

+## Pull image for doc building
+docs-pull-images:
+	grep --no-filename -E '^FROM' ./*.Dockerfile | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
+
 # Utilities Targets for each step
 docs-image:
 	docker build -t $(TRAEFIK_DOCS_BUILD_IMAGE) -f docs.Dockerfile ./
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,5 +1,5 @@

-FROM alpine:3.10 as alpine
+FROM alpine:3.13 as alpine

 RUN apk --no-cache --no-progress add \
    libcurl \
--- a/docs/content/CNAME
+++ b/docs/content/CNAME
@@ -1 +0,0 @@
-docs.traefik.io
--- a/docs/content/assets/img/traefik.icon.png
+++ b/docs/content/assets/img/traefik.icon.png
--- a/docs/content/assets/img/traefikproxy-icon-color.png
+++ b/docs/content/assets/img/traefikproxy-icon-color.png
--- a/docs/content/assets/img/traefikproxy-vertical-logo-color.svg
+++ b/docs/content/assets/img/traefikproxy-vertical-logo-color.svg
--- a/docs/content/assets/styles/atom-one-light.css
+++ b/docs/content/assets/styles/atom-one-light.css
@@ -1,96 +0,0 @@
-/*
-
-Atom One Light by Daniel Gamage
-Original One Light Syntax theme from https://github.com/atom/one-light-syntax
-
-base:    #fafafa
-mono-1:  #383a42
-mono-2:  #686b77
-mono-3:  #a0a1a7
-hue-1:   #0184bb
-hue-2:   #4078f2
-hue-3:   #a626a4
-hue-4:   #50a14f
-hue-5:   #e45649
-hue-5-2: #c91243
-hue-6:   #986801
-hue-6-2: #c18401
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #383a42;
-  background: #fafafa;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #a0a1a7;
-  font-style: italic;
-}
-
-.hljs-doctag,
-.hljs-keyword,
-.hljs-formula {
-  color: #a626a4;
-}
-
-.hljs-section,
-.hljs-name,
-.hljs-selector-tag,
-.hljs-deletion,
-.hljs-subst {
-  color: #e45649;
-}
-
-.hljs-literal {
-  color: #0184bb;
-}
-
-.hljs-string,
-.hljs-regexp,
-.hljs-addition,
-.hljs-attribute,
-.hljs-meta-string {
-  color: #50a14f;
-}
-
-.hljs-built_in,
-.hljs-class .hljs-title {
-  color: #c18401;
-}
-
-.hljs-attr,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-type,
-.hljs-selector-class,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-number {
-  color: #986801;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link,
-.hljs-meta,
-.hljs-selector-id,
-.hljs-title {
-  color: #4078f2;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-link {
-  text-decoration: underline;
-}
--- a/docs/content/assets/styles/extra.css
+++ b/docs/content/assets/styles/extra.css
@@ -1,63 +0,0 @@
-@import url('https://fonts.googleapis.com/css?family=Noto+Sans|Noto+Serif');
-
-.md-logo img {
-    background-color: white;
-    border-radius: 50%;
-    width: 30px;
-    height: 30px;
-}
-
-/* Fix for Chrome */
-.md-typeset__table td code {
-    word-break: unset;
-}
-
-.md-typeset__table tr :nth-child(1) {
-    word-wrap: break-word;
-    max-width: 30em;
-}
-
-body {
-    font-family: 'Noto Sans', sans-serif;
-}
-
-h1 {
-    font-weight: bold !important;
-    color: rgba(0,0,0,.9) !important;
-}
-
-h2 {
-    font-weight: bold !important;
-}
-
-h3 {
-    font-weight: bold !important;
-}
-
-.md-typeset h5 {
-    text-transform: none;
-}
-
-figcaption {
-    text-align: center;
-    font-size: 0.8em;
-    font-style: italic;
-    color: #8D909F;
-}
-
-p.subtitle {
-    color: rgba(0,0,0,.54);
-    padding-top: 0;
-    margin-top: -2em;
-    font-weight: bold;
-    font-size: 1.25em;
-}
-
-.markdown-body .task-list-item {
-    list-style-type: none !important;
-}
-
-.markdown-body .task-list-item input[type="checkbox"] {
-    margin: 0 4px 0.25em -20px;
-    vertical-align: middle;
-}
--- a/docs/content/contributing/advocating.md
+++ b/docs/content/contributing/advocating.md
@@ -5,6 +5,6 @@ Spread the Love & Tell Us about It

 There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.

-If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
+If you're talking about Traefik, [let us know](https://blog.traefik.io/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!

-Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/containous/traefik/wiki/Awesome-Traefik).
+Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/traefik/traefik/wiki/Awesome-Traefik).
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -30,12 +30,12 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.14-alpine
+Step 1/10 : FROM golang:1.16-alpine
 ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
 Successfully tagged traefik-dev:4475--feature-documentation
-docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/containous/traefik/"dist":/go/src/github.com/containous/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
+docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/traefik/traefik/"dist":/go/src/github.com/traefik/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
 ---> Making bundle: generate (in .)
 removed 'autogen/genstatic/gen.go'

@@ -62,13 +62,13 @@ PRE_TARGET= make test-unit

 Requirements:

- `go` v1.14+
+- `go` v1.16+
 - environment variable `GO111MODULE=on`
 - [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`

 !!! tip "Source Directory"

-    It is recommended that you clone Traefik into the `~/go/src/github.com/containous/traefik` directory.
+    It is recommended that you clone Traefik into the `~/go/src/github.com/traefik/traefik` directory.
    This is the official golang workspace hierarchy that will allow dependencies to be properly resolved.

 !!! note "Environment"
@@ -104,7 +104,7 @@ Once you've set up your go environment and cloned the source repository, you can
 Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).

 ```bash
-cd ~/go/src/github.com/containous/traefik
+cd ~/go/src/github.com/traefik/traefik

 # Get go-bindata. (Important: the ellipses are required.)
 GO111MODULE=off go get github.com/containous/go-bindata/...
@@ -124,7 +124,7 @@ go generate
 go build ./cmd/traefik
 ```

-You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
+You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/traefik/traefik` directory.

 ## Testing

@@ -138,13 +138,13 @@ Run all tests (unit and integration) using the `test` target.
 $ make test-unit
 docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
 # […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/containous/traefik/dist:/go/src/github.com/containous/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
+docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/traefik/traefik/dist:/go/src/github.com/traefik/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
 ---> Making bundle: generate (in .)
 removed 'gen.go'

 ---> Making bundle: test-unit (in .)
 + go test -cover -coverprofile=cover.out .
-ok      github.com/containous/traefik   0.005s  coverage: 4.1% of statements
+ok      github.com/traefik/traefik   0.005s  coverage: 4.1% of statements

 Test success
 ```
@@ -172,7 +172,7 @@ More: https://labix.org/gocheck
 Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:

 ```test
-ok      _/home/user/go/src/github/containous/traefik    0.004s
+ok      _/home/user/go/src/github/traefik/traefik    0.004s
 ```

 Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.
--- a/docs/content/contributing/data-collection.md
+++ b/docs/content/contributing/data-collection.md
@@ -29,7 +29,9 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to

 ## Collected Data

-This feature comes from the public proposal [here](https://github.com/containous/traefik/issues/2369).
+This feature comes from the public proposal [here](https://github.com/traefik/traefik/issues/2369).
+
+This feature is activated when using Traefik Pilot to better understand the community's need, and also to get information about plug-ins popularity.

 In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
@@ -85,11 +87,11 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
    ca = "xxxx"
    cert = "xxxx"
    key = "xxxx"
-    insecureSkipVerify = false
+    insecureSkipVerify = true
 ```

 ## The Code for Data Collection

-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/containous/traefik/blob/master/pkg/collector/collector.go)
+If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)

 By default we anonymize all configuration fields, except fields tagged with `export=true`.
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -10,7 +10,7 @@ Let's see how.

 ### General

-This [documentation](https://docs.traefik.io/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).

 ### Method 1: `Docker` and `make`

@@ -20,7 +20,7 @@ You can build the documentation and test it locally (with live reloading), using
 $ make docs
 docker build -t traefik-docs -f docs.Dockerfile .
 # […]
-docker run  --rm -v /home/user/go/github/containous/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
+docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
 # […]
 [I 170828 20:47:48 server:283] Serving on http://0.0.0.0:8000
 [I 170828 20:47:48 handlers:60] Start watching changes
@@ -75,7 +75,7 @@ To check that the documentation meets standard expectations (no dead links, html
 $ make docs-verify
 docker build -t traefik-docs-verify ./script/docs-verify-docker-image ## Build Validator image
 ...
-docker run --rm -v /home/travis/build/containous/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
+docker run --rm -v /home/travis/build/traefik/traefik:/app traefik-docs-verify ## Check for dead links and w3c compliance
 === Checking HTML content...
 Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/basics/index.html on *.html...
 ```
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -11,75 +11,22 @@
 * Ludovic Fernandez [@ldez](https://github.com/ldez)
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
-* Marco Jantke [@marco-jantke](https://github.com/marco-jantke)
+* Marco Jantke [@mjantke](https://github.com/mjeri)
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
 * Mathieu Lonjaret [@mpl](https://github.com/mpl)
 * Romain Tribotté [@rtribotte](https://github.com/rtribotte)
+* Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
+* Harold Ozouf [@jspdown](https://github.com/jspdown)

-## Contributions Daily Meeting
+## Issue Triage

-* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/containous/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
-* Every pull request should be checked during the Contributions Daily Meeting
-    * Even if it’s already assigned
-    * Even PR labelled with `contributor/waiting-for-corrections` or `contributor/waiting-for-feedback`
-* Issues labeled with `priority/P0` and `priority/P1` should be assigned.
-* Modifying an issue or a pull request (labels, assignees, milestone) is only possible:
-    * During the Contributions Daily Meeting
-    * By an assigned maintainer
-    * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, Discourse, etc)
+Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).

 ## PR review process:

-* The status `needs-design-review` is only used in complex/heavy/tricky PRs.
-* From `1` to `2`: 1 comment that says “design LGTM” (by a senior maintainer).
-* From `2` to `3`: 3 LGTM approvals by any maintainer.
-* If needed, a specific maintainer familiar with a particular domain can be requested for the review.
-* If a PR has been implemented in pair programming, one peer's LGTM goes into the review for free
-* Amending someone else's pull request is authorized only in emergency, if a rebase is needed, or if the initial contributor is silent
-
-We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
-
-## Bots
-
-### [Myrmica Lobicornis](https://github.com/containous/lobicornis/)
-
-Update and Merge Pull Request.
-
-The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
-
-By default, a squash-rebase merge will be carried out.
-To preserve commits, add `bot/merge-method-rebase` before `status/3-needs-merge`.
-
-The status `status/4-merge-in-progress` is only used by the bot.
-
-If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.  
-In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
-
-To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
-
-The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
-
-This label is used when:
-
-* Updating the vendors from previously reviewed PRs
-* Merging branches into the master
-* Preparing the release
-
-### [Myrmica Bibikoffi](https://github.com/containous/bibikoffi/)
-
-* closes stale issues [cron]
-    * use some criterion as number of days between creation, last update, labels, ...
-
-### [Myrmica Aloba](https://github.com/containous/aloba)
-
-Manage GitHub labels.
-
-* Add labels on new PR [GitHub WebHook]
-* Add milestone to a new PR based on a branch version (1.4, 1.3, ...) [GitHub WebHook]
-* Add and remove `contributor/waiting-for-corrections` label when a review request changes [GitHub WebHook]
-* Weekly report of PR status on Slack (CaptainPR) [cron]
+The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.

 ## Labels

--- a/docs/content/contributing/submitting-issues.md
+++ b/docs/content/contributing/submitting-issues.md
@@ -3,7 +3,7 @@
 Help Us Help You!
 {: .subtitle }

-We use the [GitHub issue tracker](https://github.com/containous/traefik/issues) to keep track of issues in Traefik. 
+We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik. 

 The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
 To save us some time and get quicker feedback, be sure to follow the guide lines below.
@@ -14,7 +14,7 @@ To save us some time and get quicker feedback, be sure to follow the guide lines

    For end-user related support questions, try using first:

-    - the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+    - the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)

 ## Issue Title

@@ -22,7 +22,7 @@ The title must be short and descriptive. (~60 characters)

 ## Description

-Follow the [issue template](https://github.com/containous/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
+Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.

 Explain us in which conditions you encountered the issue, what is your context.

--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -5,41 +5,5 @@ A Quick Guide for Efficient Contributions

 So you've decided to improve Traefik? 
 Thank You! 
-Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.

-Let's go through the classic pitfalls to make sure everything is right. 
-
-## Title
-
-The title must be short and descriptive. (~60 characters)
-
-## Description
-
-Follow the [pull request template](https://github.com/containous/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
-
-Explain the conditions which led you to write this PR: give us context.
-The context should lead to something, an idea or a problem that you’re facing.
-
-Remain clear and concise.
-
-Take time to polish the format of your message so we'll enjoy reading it and working on it.
-Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
-
-## PR Content
-
- Make it small.
- One feature per Pull Request.
- Write useful descriptions and titles.
- Avoid re-formatting code that is not on the path of your PR.
- Make sure the [code builds](building-testing.md).
- Make sure [all tests pass](building-testing.md).
- Add tests.
- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
-
-!!! note "Third-Party Dependencies"
-
-    If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
-
-!!! tip "10 Tips for Better Pull Requests"
-
-    We enjoyed this article, maybe you will too! [10 tips for better pull requests](https://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
+Please review the [guidelines on creating PRs](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md) for Traefik in our [contributors guide repository](https://github.com/traefik/contributors-guide).
--- a/docs/content/contributing/thank-you.md
+++ b/docs/content/contributing/thank-you.md
@@ -3,8 +3,8 @@
 _You_ Made It
 {: .subtitle}

-Traefik truly is an [open-source project](https://github.com/containous/traefik/),
-and wouldn't have become what it is today without the help of our [many contributors](https://github.com/containous/traefik/graphs/contributors) (at the time of writing this),
+Traefik truly is an [open-source project](https://github.com/traefik/traefik/),
+and wouldn't have become what it is today without the help of our [many contributors](https://github.com/traefik/traefik/graphs/contributors) (at the time of writing this),
 not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.

 So once again, thank you for your invaluable help on making Traefik such a good product.
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -9,11 +9,14 @@ You can install Traefik with the following flavors:

 ## Use the Official Docker Image

-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/v2.2/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
+
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.yml)

 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.2
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.4
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -30,9 +33,9 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! warning
    
    The Traefik Chart from 
-    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://docs.traefik.io/v1.7).
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).

-Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/containous/traefik-helm-chart>.
+Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.

 Ensure that the following requirements are met:

@@ -42,7 +45,7 @@ Ensure that the following requirements are met:
 Add Traefik's chart repository to Helm:

 ```bash
-helm repo add traefik https://containous.github.io/traefik-helm-chart
+helm repo add traefik https://helm.traefik.io/traefik
 ```

 You can update the chart repository by running:
@@ -76,7 +79,7 @@ helm install traefik traefik/traefik
    {: #helm-custom-values }
    
    The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+    you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
    
    You can also set Traefik command line flags using `additionalArguments`.
    Example of installation with logging set to `DEBUG`:
@@ -128,7 +131,7 @@ spec:

 ## Use the Binary Distribution

-Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
+Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.

 ??? info "Check the integrity of the downloaded file"

--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -15,7 +15,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v2 Traefik docker image
-    image: traefik:v2.2
+    image: traefik:v2.4
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -48,7 +48,7 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
 # ...
  whoami:
    # A container that exposes an API to show its IP address
-    image: containous/whoami
+    image: traefik/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```
--- a/docs/content/glossary.md
+++ b/docs/content/glossary.md
@@ -12,7 +12,7 @@ Where Every Technical Word finds its Definition`
 - [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
 - [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
 - [ ] ACME
- [ ] TraefikEE
+- [ ] Traefik Enterprise
 - [ ] Tracing
 - [ ] Metrics
 - [ ] Orchestrator
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -10,7 +10,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom

    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
    when experimenting to avoid hitting this limit too fast.
-    
+
 ## Certificate Resolvers

 Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
@@ -284,7 +284,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
-| [ArvanCloud](https://arvancloud.com)                        | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
+| [ArvanCloud](https://www.arvancloud.com/en)                 | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)    | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
 | [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
@@ -303,14 +303,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
 | [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
 | [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
+| [Domeneshop](https://domene.shop)                           | `domeneshop`   | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)   |
 | [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
 | [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
 | [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
 | [Dynu](https://www.dynu.com)                                | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
 | [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
+| [EdgeDNS](https://www.akamai.com/)                          | `edgedns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
 | External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
 | [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
-| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/fastdns)      |
+| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
 | [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
 | [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
 | [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
@@ -319,13 +321,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Hetzner](https://hetzner.com)                              | `hetzner`      | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)      |
 | [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
+| [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
+| [Infomaniak](https://www.infomaniak.com)                    | `infomaniak`   | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)   |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
-| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
+| [ionos](https://ionos.com/)                                 | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)        |
+| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
-| [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
-| [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
+| [Linode v4](https://www.linode.com)                         | `linode`       | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
+| [Loopia](https://loopia.com/)                               | `loopia`       | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)       |
 | [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
 | manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
@@ -336,7 +341,8 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
 | [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
-| [Ns1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
+| [Njalla](https://njal.la)                                   | `njalla`       | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)       |
+| [NS1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
 | [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
 | [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
@@ -362,7 +368,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |

 [^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application)
+[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production)
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
@@ -406,6 +412,35 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).

+## External Account Binding
+
+- `kid`: Key identifier from External CA
+- `hmacEncoded`: HMAC key from External CA, should be in Base64 URL Encoding without padding format
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.eab]
+    kid = "abc-keyID-xyz"
+    hmacEncoded = "abc-hmac-xyz"
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      eab:
+        kid: abc-keyID-xyz
+        hmacEncoded: abc-hmac-xyz
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
+--certificatesresolvers.myresolver.acme.eab.hmacencoded=abc-hmac-xyz
+```
+
 ## More Configuration

 ### `caServer`
@@ -484,6 +519,65 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 !!! warning
    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.

+### `preferredChain`
+
+_Optional, Default=""_
+
+Preferred chain to use.
+
+If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+If no match, the default offered chain will be used.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  preferredChain = "ISRG Root X1"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      preferredChain: 'ISRG Root X1'
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
+# ...
+```
+
+### `keyType`
+
+_Optional, Default="RSA4096"_
+
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  keyType = "RSA4096"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      keyType: 'RSA4096'
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.keyType="RSA4096"
+# ...
+```
+
 ## Fallback

 If Let's Encrypt is not reachable, the following certificates will apply:
--- a/docs/content/https/ref-acme.toml
+++ b/docs/content/https/ref-acme.toml
@@ -22,6 +22,16 @@
  #
  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

+  # Preferred chain to use.
+  #
+  # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+  # If no match, the default offered chain will be used.
+  #
+  # Optional
+  # Default: ""
+  #
+  # preferredChain = "ISRG Root X1"
+
  # KeyType to use.
  #
  # Optional
--- a/docs/content/https/ref-acme.txt
+++ b/docs/content/https/ref-acme.txt
@@ -21,6 +21,16 @@
 #
 --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

+# Preferred chain to use.
+#
+# If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+# If no match, the default offered chain will be used.
+#
+# Optional
+# Default: ""
+#
+--certificatesresolvers.myresolver.acme.preferredchain="ISRG Root X1"
+
 # KeyType to use.
 #
 # Optional
--- a/docs/content/https/ref-acme.yaml
+++ b/docs/content/https/ref-acme.yaml
@@ -24,6 +24,16 @@ certificatesResolvers:
      #
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

+      # Preferred chain to use.
+      #
+      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
+      # If no match, the default offered chain will be used.
+      #
+      # Optional
+      # Default: ""
+      #
+      # preferredChain: 'ISRG Root X1'
+
      # KeyType to use.
      #
      # Optional
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -64,7 +64,7 @@ tls:
 !!! important "Restriction"

    Any store definition other than the default one (named `default`) will be ignored,
-    and there is thefore only one globally available TLS store.
+    and there is therefore only one globally available TLS store.

 In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:

@@ -134,6 +134,25 @@ If no default certificate is provided, Traefik generates and uses a self-signed

 The TLS options allow one to configure some parameters of the TLS connection.

+!!! important "'default' TLS Option"
+
+    The `default` option is special.
+    When no tls options are specified in a tls router, the `default` option is used.  
+    When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.  
+    Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
+    you must specify the provider namespace, for example:  
+    `traefik.http.routers.myrouter.tls.options=myoptions@file`
+
+!!! important "TLSOptions in Kubernetes"
+
+    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
+    if not explicitly overwritten, should apply to all ingresses.  
+    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
+    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
+    you'll have to add an annotation to the Ingress in the following form:
+    `traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`
+
 ### Minimum TLS Version

 ```toml tab="File (TOML)"
@@ -183,9 +202,9 @@ spec:

 ### Maximum TLS Version

-We discourages the use of this setting to disable TLS1.3.
+We discourage the use of this setting to disable TLS1.3.

-The right approach is to update the clients to support TLS1.3.
+The recommended approach is to update the clients to support TLS1.3.

 ```toml tab="File (TOML)"
 # Dynamic configuration
@@ -316,7 +335,7 @@ spec:

 ### Strict SNI Checking

-With strict SNI checking, Traefik won't allow connections from clients connections
+With strict SNI checking enabled, Traefik won't allow connections from clients
 that do not specify a server_name extension or don't match any certificate configured on the tlsOption.

 ```toml tab="File (TOML)"
@@ -428,6 +447,7 @@ metadata:

 spec:
  clientAuth:
+    # the CA certificate is extracted from key `tls.ca` of the given secrets.
    secretNames:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -3,7 +3,7 @@

 ![Architecture](assets/img/traefik-architecture.png)

-Traefik is an [open-source](https://github.com/containous/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
 It receives requests on behalf of your system and finds out which components are responsible for handling them. 

 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
@@ -20,9 +20,9 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo

 !!! info

-    Join our user friendly and active [Community Forum](https://community.containo.us) to discuss, learn, and connect with the traefik community.
+    Join our user friendly and active [Community Forum](https://community.traefik.io) to discuss, learn, and connect with the traefik community.
    
    If you're a business running critical services behind Traefik,
-    know that [Containous](https://containo.us), the company that sponsors Traefik's development,
-    can provide [commercial support](https://info.containo.us/commercial-services)
-    and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.
+    know that [Traefik Labs](https://traefik.io), the company that sponsors Traefik's development,
+    can provide [commercial support](https://info.traefik.io/commercial-services)
+    and develops an [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik.
--- a/docs/content/middlewares/addprefix.md
+++ b/docs/content/middlewares/addprefix.md
@@ -5,7 +5,7 @@ Prefixing the Path

 ![AddPrefix](../assets/img/middleware/addprefix.png) 

-The AddPrefix middleware updates the URL Path of the request before forwarding it.
+The AddPrefix middleware updates the path of a request before forwarding it.

 ## Configuration Examples

@@ -64,4 +64,4 @@ http:
 ### `prefix`

 `prefix` is the string to add before the current path in the requested URL.
-It should include the leading slash (`/`).
+It should include a leading slash (`/`).
--- a/docs/content/middlewares/basicauth.md
+++ b/docs/content/middlewares/basicauth.md
@@ -5,7 +5,7 @@ Adding Basic Authentication

 ![BasicAuth](../assets/img/middleware/basicauth.png)

-The BasicAuth middleware is a quick way to restrict access to your services to known users.
+The BasicAuth middleware restricts access to your services to known users.

 ## Configuration Examples

@@ -14,7 +14,7 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
 #
 # Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
@@ -81,7 +81,7 @@ Passwords must be hashed using MD5, SHA1, or BCrypt.

 ### `users`

-The `users` option is an array of authorized users. Each user will be declared using the `name:hashed-password` format.
+The `users` option is an array of authorized users. Each user must be declared using the `name:hashed-password` format.

 !!! note ""
    
--- a/docs/content/middlewares/buffering.md
+++ b/docs/content/middlewares/buffering.md
@@ -5,22 +5,22 @@ How to Read the Request before Forwarding It

 ![Buffering](../assets/img/middleware/buffering.png)

-The Buffering middleware gives you control on how you want to read the requests before sending them to services.
+The Buffering middleware limits the size of requests that can be forwarded to services.

-With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified limit.
+With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.

-This can help services deal with large data (multipart/form-data for example), and can minimize time spent sending data to a service.
+This can help services avoid large amounts of data (`multipart/form-data` for example), and can minimize the time spent sending data to a service.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 labels:
  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

 ```yaml tab="Kubernetes"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -31,7 +31,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

@@ -42,20 +42,20 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 labels:
  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

 ```toml tab="File (TOML)"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 [http.middlewares]
  [http.middlewares.limit.buffering]
    maxRequestBodyBytes = 2000000
 ```

 ```yaml tab="File (YAML)"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 http:
  middlewares:
    limit:
@@ -67,9 +67,9 @@ http:

 ### `maxRequestBodyBytes`

-With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
+The `maxRequestBodyBytes` option configures the maximum allowed body size for the request (in bytes).

-If the request exceeds the allowed size, it is not forwarded to the service and the client gets a `413 (Request Entity Too Large)` response.
+If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413 (Request Entity Too Large)` response.

 ```yaml tab="Docker"
 labels:
@@ -117,7 +117,7 @@ http:

 ### `memRequestBodyBytes`

-You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.

 ```yaml tab="Docker"
 labels:
@@ -165,7 +165,7 @@ http:

 ### `maxResponseBodyBytes`

-With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
+The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).

 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.

@@ -215,7 +215,7 @@ http:

 ### `memResponseBodyBytes`

-You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.

 ```yaml tab="Docker"
 labels:
@@ -263,9 +263,9 @@ http:

 ### `retryExpression`

-You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
+You can have the Buffering middleware replay the request using `retryExpression`.

-??? example "Retries once in case of a network error"
+??? example "Retries once in the case of a network error"
    
    ```yaml tab="Docker"
    labels:
@@ -315,4 +315,4 @@ The retry expression is defined as a logical combination of the functions below

 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service
- `IsNetworkError()` - if the response code is related to networking error 
+- `IsNetworkError()` whether the response code is related to networking error
--- a/docs/content/middlewares/chain.md
+++ b/docs/content/middlewares/chain.md
@@ -5,12 +5,12 @@ When One Isn't Enough

 ![Chain](../assets/img/middleware/chain.png)

-The Chain middleware enables you to define reusable combinations of other pieces of middleware. 
+The Chain middleware enables you to define reusable combinations of other pieces of middleware.
 It makes reusing the same groups easier.

 ## Configuration Example

-Example "A Chain for WhiteList, BasicAuth, and HTTPS"
+Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.

 ```yaml tab="Docker"
 labels:
@@ -21,7 +21,7 @@ labels:
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-  - "http.services.service1.loadbalancer.server.port=80"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

 ```yaml tab="Kubernetes"
@@ -30,11 +30,9 @@ kind: IngressRoute
 metadata:
  name: test
  namespace: default
-
 spec:
  entryPoints:
    - web
-
  routes:
    - match: Host(`mydomain`)
      kind: Rule
@@ -91,7 +89,7 @@ spec:
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
 - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
+- "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

 ```json tab="Marathon"
@@ -103,7 +101,7 @@ spec:
  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
-  "http.services.service1.loadbalancer.server.port": "80"
+  "traefik.http.services.service1.loadbalancer.server.port": "80"
 }
 ```

@@ -116,7 +114,7 @@ labels:
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-  - "http.services.service1.loadbalancer.server.port=80"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

 ```toml tab="File (TOML)"
@@ -148,7 +146,7 @@ labels:
 ```

 ```yaml tab="File (YAML)"
-# ...    
+# ...
 http:
  routers:
    router1:
--- a/docs/content/middlewares/circuitbreaker.md
+++ b/docs/content/middlewares/circuitbreaker.md
@@ -3,27 +3,24 @@
 Don't Waste Time Calling Unhealthy Services
 {: .subtitle }

-![CircuitBreaker](../assets/img/middleware/circuitbreaker.png) 
+![CircuitBreaker](../assets/img/middleware/circuitbreaker.png)

-The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
+The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.

-When your system is healthy, the circuit is close (normal operations). 
-When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
+When your system is healthy, the circuit is closed (normal operations).
+When your system becomes unhealthy, the circuit opens, and the requests are no longer forwarded, but instead are handled by a fallback mechanism.

-To assess if your system is healthy, the circuit breaker constantly monitors the services. 
+To assess if your system is healthy, the circuit breaker constantly monitors the services.

 !!! note ""

-    - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
-    - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
+    The CircuitBreaker only analyzes what happens _after_ its position within the middleware chain. What happens _before_ has no impact on its state.

 !!! important

-    Each router will eventually gets its own instance of a given circuit breaker.
-    
-    If two different routers refer to the same circuit breaker definition, they will get one instance each.
-    It means that one circuit breaker can be open while the other stays closed: their state is not shared.
-    
+    Each router gets its own instance of a given circuit breaker.
+    One circuit breaker instance can be open while the other remains closed: their state is not shared.
+
    This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.

 ## Configuration Examples
@@ -82,78 +79,79 @@ http:

 There are three possible states for your circuit breaker:

- Close (your service operates normally)
+- Closed (your service operates normally)
 - Open (the fallback mechanism takes over your service)
 - Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)

-### Close
+### Closed

-While close, the circuit breaker only collects metrics to analyze the behavior of the requests.
+While the circuit is closed, the circuit breaker only collects metrics to analyze the behavior of the requests.

-At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change. 
+At specified intervals (`checkPeriod`), the circuit breaker evaluates `expression` to decide if its state must change.

 ### Open

 While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
-After this duration, it will enter the recovering state.
+After this duration, it enters the recovering state.

 ### Recovering

-While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
-If your service fails during recovery, the circuit breaker becomes open again.
-If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
+While recovering, the circuit breaker sends linearly increasing amounts of requests to your service (for `RecoveryDuration`).
+If your service fails during recovery, the circuit breaker opens again.
+If the service operates normally during the entire recovery duration, then the circuit breaker closes.

 ## Configuration Options

 ### Configuring the Trigger

-You can specify an `expression` that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services).
+You can specify an `expression` that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling your services.

-The `expression` can check three different metrics:
+The `expression` option can check three different metrics:

 - The network error ratio (`NetworkErrorRatio`)
 - The status code ratio (`ResponseCodeRatio`)
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
+- The latency at a quantile in milliseconds (`LatencyAtQuantileMS`)

 #### `NetworkErrorRatio`

-If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
+If you want the circuit breaker to open at a 30% ratio of network errors, the `expression` is `NetworkErrorRatio() > 0.30`

 #### `ResponseCodeRatio`

-You can trigger the circuit breaker based on the ratio of a given range of status codes.
+You can configure the circuit breaker to open based on the ratio of a given range of status codes.

 The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.

 The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).

 !!! note ""
-    If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
-    
-    `from`is inclusive, `to` is exclusive. 

-For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX). 
+    If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
+
+    `from`is inclusive, `to` is exclusive.
+
+For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).

 #### `LatencyAtQuantileMS`

-You can trigger the circuit breaker when a given proportion of your requests become too slow.
+You can configure the circuit breaker to open when a given proportion of your requests become too slow.

-For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
+For example, the expression `LatencyAtQuantileMS(50.0) > 100` opens the circuit breaker when the median latency (quantile 50) reaches 100ms.

 !!! note ""

-    You must provide a float number (with the trailing .0) for the quantile value
- 
-#### Using multiple metrics
+    You must provide a floating point number (with the trailing .0) for the quantile value

-You can combine multiple metrics using operators in your expression.
+#### Using Multiple Metrics
+
+You can combine multiple metrics using operators in your `expression`.

 Supported operators are:

 - AND (`&&`)
 - OR (`||`)

-For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%. 
+For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.

 #### Operators

@@ -168,8 +166,8 @@ Here is the list of supported operators:

 ### Fallback mechanism

-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service).
-This behavior cannot be configured. 
+The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
+This behavior cannot be configured.

 ### `CheckPeriod`

@@ -182,6 +180,6 @@ By default, `FallbackDuration` is 10 seconds. This value cannot be configured.

 ### `RecoveringDuration`

-The duration of the recovering mode (recovering state). 
+The duration of the recovering mode (recovering state).

-By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.  
+By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.
--- a/docs/content/middlewares/compress.md
+++ b/docs/content/middlewares/compress.md
@@ -1,11 +1,11 @@
 # Compress

-Compressing the Response before Sending it to the Client
+Compress Responses before Sending them to the Client
 {: .subtitle }

 ![Compress](../assets/img/middleware/compress.png)

-The Compress middleware enables the gzip compression. 
+The Compress middleware uses gzip compression.

 ## Configuration Examples

@@ -57,23 +57,23 @@ http:
 ```

 !!! info
-    
-    Responses are compressed when:
-    
+
+    Responses are compressed when the following criteria are all met:
+
    * The response body is larger than `1400` bytes.
    * The `Accept-Encoding` request header contains `gzip`.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

-    If Content-Type header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type. 
-    It will also set accordingly the `Content-Type` header with the detected MIME type.
-    
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
+
 ## Configuration Options

 ### `excludedContentTypes`

-`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests to before compressing.
+`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.

-The requests with content types defined in `excludedContentTypes` are not compressed.
+The responses with content types defined in `excludedContentTypes` are not compressed.

 Content types are compared in a case-insensitive, whitespace-ignored manner.

--- a/docs/content/middlewares/contenttype.md
+++ b/docs/content/middlewares/contenttype.md
@@ -1,18 +1,19 @@

 # ContentType

-Handling ContentType auto-detection
+Handling Content-Type auto-detection
 {: .subtitle }

-The Content-Type middleware - or rather its unique `autoDetect` option -
+The Content-Type middleware - or rather its `autoDetect` option -
 specifies whether to let the `Content-Type` header,
-if it has not been set by the backend,
+if it has not been defined by the backend,
 be automatically set to a value derived from the contents of the response.

 As a proxy, the default behavior should be to leave the header alone,
 regardless of what the backend did with it.
-However, the historic default was to always auto-detect and set the header if it was nil,
-and it is going to be kept that way in order to support users currently relying on it.
+However, the historic default was to always auto-detect and set the header if it was not already defined,
+and altering this behavior would be a breaking change which would impact many users.
+
 This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.

 !!! info
@@ -21,7 +22,7 @@ This middleware exists to enable the correct behavior until at least the default
    is still to automatically set the `Content-Type` header.
    Therefore, given the default value of the `autoDetect` option (false),
    simply enabling this middleware for a router switches the router's behavior.
-    
+
    The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
    Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).

--- a/docs/content/middlewares/digestauth.md
+++ b/docs/content/middlewares/digestauth.md
@@ -1,11 +1,11 @@
 # DigestAuth

 Adding Digest Authentication
-{: .subtitle } 
+{: .subtitle }

 ![BasicAuth](../assets/img/middleware/digestauth.png)

-The DigestAuth middleware is a quick way to restrict access to your services to known users.
+The DigestAuth middleware restricts access to your services to known users.

 ## Configuration Examples

@@ -66,8 +66,8 @@ http:

 ## Configuration Options

-!!! tip 
-   
+!!! tip
+
    Use `htdigest` to generate passwords.

 ### `users`
@@ -75,9 +75,9 @@ http:
 The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.

 !!! note ""
-    
+
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
-    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

 ```yaml tab="Docker"
 labels:
@@ -146,7 +146,7 @@ The `usersFile` option is the path to an external file that contains the authori
 The file content is a list of `name:realm:encoded-password`.

 !!! note ""
-    
+
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 

@@ -215,7 +215,7 @@ http:

 ### `realm`

-You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
+You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.

 ```yaml tab="Docker"
 labels:
--- a/docs/content/middlewares/errorpages.md
+++ b/docs/content/middlewares/errorpages.md
@@ -28,7 +28,7 @@ metadata:
 spec:
  errors:
    status:
-      - 500-599
+      - "500-599"
    query: /{status}.html
    service:
      name: whoami
@@ -85,28 +85,30 @@ http:
  # ... definition of error-handler-service and my-service
 ```

-!!! note "" 
+!!! note ""
+
    In this example, the error page URL is based on the status code (`query=/{status}.html`).

 ## Configuration Options

 ### `status`

-The `status` that will trigger the error page.
+The `status` option defines which status or range of statuses should result in an error page.

 The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
- 
-!!! note "" 

-    You can define either a status code like `500` or ranges with a syntax like `500-599`.
+!!! note ""
+
+    You can define either a status code as a number (`500`) or ranges by separating two codes with a dash (`500-599`).

 ### `service`

 The service that will serve the new requested error page.

-!!! note "" 
-    In kubernetes, you need to reference a kubernetes service instead of a traefik service.
+!!! note ""
+
+    In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.

 ### `query`

-The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
+The URL for the error page (hosted by `service`). You can use the `{status}` variable in the `query` option in order to insert the status code in the URL.
--- a/docs/content/middlewares/forwardauth.md
+++ b/docs/content/middlewares/forwardauth.md
@@ -1,12 +1,12 @@
 # ForwardAuth

-Using an External Service to Check for Credentials
+Using an External Service to Forward Authentication
 {: .subtitle }

 ![AuthForward](../assets/img/middleware/authforward.png)

-The ForwardAuth middleware delegate the authentication to an external service.
-If the service response code is 2XX, access is granted and the original request is performed.
+The ForwardAuth middleware delegates authentication to an external service.
+If the service answers with a 2XX code, access is granted, and the original request is performed.
 Otherwise, the response from the authentication server is returned.

 ## Configuration Examples
@@ -61,6 +61,18 @@ http:
        address: "https://example.com/auth"
 ```

+## Forward-Request Headers
+
+The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
+
+| Property          | Forward-Request Header |
+|-------------------|------------------------|
+| HTTP Method       | X-Forwarded-Method     |
+| Protocol          | X-Forwarded-Proto      |
+| Host              | X-Forwarded-Host       |
+| Request URI       | X-Forwarded-Uri        |
+| Source IP-Address | X-Forwarded-For        |
+
 ## Configuration Options

 ### `address`
@@ -113,7 +125,7 @@ http:

 ### `trustForwardHeader`

-Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
+Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.

 ```yaml tab="Docker"
 labels:
@@ -164,7 +176,8 @@ http:

 ### `authResponseHeaders`

-The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
+The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on
+forwarded request, replacing any existing conflicting headers.

 ```yaml tab="Docker"
 labels:
@@ -217,6 +230,117 @@ http:
          - "X-Secret"
 ```

+### `authResponseHeadersRegex`
+
+The `authResponseHeadersRegex` option is the regex to match headers to copy from the authentication server response and
+set on forwarded request, after stripping all headers that match the regex.
+It allows partial matching of the regular expression against the header key.
+The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    authResponseHeadersRegex: ^X-
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex": "^X-"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authResponseHeadersRegex = "^X-"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        authResponseHeadersRegex: "^X-"
+```
+
+### `authRequestHeaders`
+
+The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
+It allows filtering headers that should not be passed to the authentication server.
+If not set or empty then all request headers are passed.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    authRequestHeaders:
+      - "Accept"
+      - "X-CustomHeader"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders": "Accept,X-CustomHeader"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authRequestHeaders = "Accept,X-CustomHeader"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        authRequestHeaders:
+          - "Accept"
+          - "X-CustomHeader"
+```
+
 ### `tls`

 The `tls` option is the TLS configuration from Traefik to the authentication server.
@@ -287,12 +411,15 @@ http:

 #### `tls.caOptional`

-Policy used for the secured connection with TLS Client Authentication to the authentication server.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.

- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.

 ```yaml tab="Docker"
 labels:
@@ -346,7 +473,7 @@ http:

 #### `tls.cert`

-Public certificate used for the secured connection to the authentication server.
+The public certificate used for the secure connection to the authentication server.

 ```yaml tab="Docker"
 labels:
@@ -416,11 +543,12 @@ http:
 ```

 !!! info
-    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

 #### `tls.key`

-Private certificate used for the secure connection to the authentication server.
+The private certificate used for the secure connection to the authentication server.

 ```yaml tab="Docker"
 labels:
@@ -490,11 +618,12 @@ http:
 ```

 !!! info
-    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

 #### `tls.insecureSkipVerify`

-If `insecureSkipVerify` is `true`, TLS for the connection to authentication server accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.

 ```yaml tab="Docker"
 labels:
--- a/docs/content/middlewares/headers.md
+++ b/docs/content/middlewares/headers.md
@@ -1,17 +1,17 @@
-# Headers 
+# Headers

-Adding Headers to the Request / Response
+Managing Request/Response headers
 {: .subtitle }

 ![Headers](../assets/img/middleware/headers.png)

-The Headers middleware can manage the requests/responses headers.
+The Headers middleware manages the headers of requests and responses.

 ## Configuration Examples

 ### Adding Headers to the Request and the Response

-Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
+The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response

 ```yaml tab="Docker"
 labels:
@@ -72,10 +72,8 @@ http:

 ### Adding and Removing Headers

-`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
-and the `X-Custom-Response-Header` header removed from the response.
-
-Please note that it is not possible to remove headers through the use of labels (Docker, Rancher, Marathon, ...) for now.
+In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
+and responses are stripped of their `X-Custom-Response-Header` header.

 ```yaml tab="Docker"
 labels:
@@ -135,8 +133,8 @@ http:

 ### Using Security Headers

-Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured in a manner similar to the custom headers above.
-This functionality allows for some easy security features to quickly be set.
+Security-related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
+This functionality makes it possible to easily use security features by adding headers.

 ```yaml tab="Docker"
 labels:
@@ -173,14 +171,14 @@ labels:
  - "traefik.http.middlewares.testheader.headers.sslredirect=true"
 ```

-```toml tab="File (TOML)"    
+```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    frameDeny = true
    sslRedirect = true
 ```

-```yaml tab="File (YAML)"  
+```yaml tab="File (YAML)"
 http:
  middlewares:
    testHeader:
@@ -244,7 +242,7 @@ labels:
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```

-```toml tab="File (TOML)"    
+```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
@@ -274,18 +272,20 @@ http:
 ### General

 !!! warning
-    If the custom header name is the same as one header name of the request or response, it will be replaced.
+
+    Custom headers will overwrite existing headers if they have identical names.

 !!! note ""
-    The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
+
+    The detailed documentation for security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).

 ### `customRequestHeaders`

-The `customRequestHeaders` option lists the Header names and values to apply to the request.
+The `customRequestHeaders` option lists the header names and values to apply to the request.

 ### `customResponseHeaders`

-The `customResponseHeaders` option lists the Header names and values to apply to the response.
+The `customResponseHeaders` option lists the header names and values to apply to the response.

 ### `accessControlAllowCredentials`

@@ -303,18 +303,27 @@ The  `accessControlAllowMethods` indicates which methods can be used during requ

 The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.

-A wildcard origin `*` can also be configured, and will match all requests.
-If this value is set by a backend server, it will be overwritten by Traefik
+A wildcard origin `*` can also be configured, and matches all requests.
+If this value is set by a backend service, it will be overwritten by Traefik.

-This value can contains a list of allowed origins.
+This value can contain a list of allowed origins.

-More information including how to use the settings can be found on:
+More information including how to use the settings can be found at:

 - [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
 - [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
 - [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)

-Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
+Traefik no longer supports the `null` value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
+
+### `accessControlAllowOriginListRegex`
+
+The `accessControlAllowOriginListRegex` option is the counterpart of the `accessControlAllowOriginList` option with regular expressions instead of origin values.
+It allows all origins that contain any match of a regular expression in the `accessControlAllowOriginList`.
+
+!!! tip
+
+    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).

 ### `accessControlExposeHeaders`

@@ -322,66 +331,66 @@ The `accessControlExposeHeaders` indicates which headers are safe to expose to t

 ### `accessControlMaxAge`

-The `accessControlMaxAge` indicates how long (in seconds) a preflight request can be cached.
+The `accessControlMaxAge` indicates how many seconds a preflight request can be cached for.

 ### `addVaryHeader`

-The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.

-### `allowedHosts` 
+### `allowedHosts`

 The `allowedHosts` option lists fully qualified domain names that are allowed.

-### `hostsProxyHeaders` 
+### `hostsProxyHeaders`

 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.

-### `sslRedirect` 
+### `sslRedirect`

-The `sslRedirect` is set to true, then only allow https requests.
+The `sslRedirect` only allow HTTPS requests when set to `true`.

 ### `sslTemporaryRedirect`
-                    
-Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).

-### `sslHost` 
+Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).

-The `sslHost` option is the host name that is used to redirect http requests to https.
+### `sslHost`

-### `sslProxyHeaders` 
+The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.

-The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request.
-Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
+### `sslProxyHeaders`

-### `sslForceHost` 
+The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
+It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).

-Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
+### `sslForceHost`

-### `stsSeconds` 
+Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.

-The `stsSeconds` is the max-age of the Strict-Transport-Security header.
-If set to 0, would NOT include the header.
+### `stsSeconds`

-### `stsIncludeSubdomains` 
+The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
+If set to `0`, the header is not set.

-The `stsIncludeSubdomains` is set to true, the `includeSubDomains` directive will be appended to the Strict-Transport-Security header.
+### `stsIncludeSubdomains`

-### `stsPreload` 
+If the `stsIncludeSubdomains` is set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header.

-Set `stsPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
+### `stsPreload`
+
+Set `stsPreload` to `true` to have the `preload` flag appended to the `Strict-Transport-Security` header.

 ### `forceSTSHeader`

-Set `forceSTSHeader` to true, to add the STS header even when the connection is HTTP.
+Set `forceSTSHeader` to `true` to add the STS header even when the connection is HTTP.

-### `frameDeny` 
+### `frameDeny`

-Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
- 
-### `customFrameOptionsValue` 
+Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY`.
+
+### `customFrameOptionsValue`

 The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
-This overrides the FrameDeny option.
+This overrides the `FrameDeny` option.

 ### `contentTypeNosniff`

@@ -394,7 +403,7 @@ Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the val
 ### `customBrowserXSSValue`

 The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
-This overrides the BrowserXssFilter option.
+This overrides the `BrowserXssFilter` option.

 ### `contentSecurityPolicy`

@@ -402,11 +411,11 @@ The `contentSecurityPolicy` option allows the `Content-Security-Policy` header v

 ### `publicKey`

-The `publicKey` implements HPKP to prevent MITM attacks with forged certificates. 
+The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.

 ### `referrerPolicy`

-The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
+The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.

 ### `featurePolicy`

@@ -414,7 +423,6 @@ The `featurePolicy` allows sites to control browser features.

 ### `isDevelopment`

-Set `isDevelopment` to true when developing.
-The AllowedHosts, SSL, and STS options can cause some unwanted effects.
-Usually testing happens on http, not https, and on localhost, not your production domain.  
-If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
+Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
+Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
+If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
--- a/docs/content/middlewares/inflightreq.md
+++ b/docs/content/middlewares/inflightreq.md
@@ -5,7 +5,7 @@ Limiting the Number of Simultaneous In-Flight Requests

 ![InFlightReq](../assets/img/middleware/inflightreq.png)

-To proactively prevent services from being overwhelmed with high load, a limit on the number of simultaneous in-flight requests can be applied.
+To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.

 ## Configuration Examples

@@ -45,7 +45,7 @@ labels:
 # Limiting to 10 simultaneous connections
 [http.middlewares]
  [http.middlewares.test-inflightreq.inFlightReq]
-    amount = 10 
+    amount = 10
 ```

 ```yaml tab="File (YAML)"
@@ -54,7 +54,7 @@ http:
  middlewares:
    test-inflightreq:
      inFlightReq:
-        amount: 10 
+        amount: 10
 ```

 ## Configuration Options
@@ -62,7 +62,7 @@ http:
 ### `amount`

 The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
-The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
+The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).

 ```yaml tab="Docker"
 labels:
@@ -100,7 +100,7 @@ labels:
 # Limiting to 10 simultaneous connections
 [http.middlewares]
  [http.middlewares.test-inflightreq.inFlightReq]
-    amount = 10 
+    amount = 10
 ```

 ```yaml tab="File (YAML)"
@@ -109,29 +109,29 @@ http:
  middlewares:
    test-inflightreq:
      inFlightReq:
-        amount: 10 
+        amount: 10
 ```

 ### `sourceCriterion`
- 
-SourceCriterion defines what criterion is used to group requests as originating from a common source.
+
+The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
 The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
 If none are set, the default is to use the `requestHost`.

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

 ##### `ipStrategy.depth`

-The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
+
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
+- `depth` is ignored if its value is less than or equal to 0.

- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is lesser than or equal to 0.
-    
 !!! example "Example of Depth & X-Forwarded-For"

-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).

    | `X-Forwarded-For`                       | `depth` | clientIP     |
    |-----------------------------------------|---------|--------------|
@@ -190,7 +190,7 @@ http:

 ##### `ipStrategy.excludedIPs`

-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.

 !!! important "If `depth` is specified, `excludedIPs` is ignored."

@@ -259,7 +259,7 @@ http:

 #### `sourceCriterion.requestHeaderName`

-Requests having the same value for the given header are grouped as coming from the same source.
+Name of the header used to group incoming requests.

 ```yaml tab="Docker"
 labels:
--- a/docs/content/middlewares/ipwhitelist.md
+++ b/docs/content/middlewares/ipwhitelist.md
@@ -70,95 +70,105 @@ The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using

 ### `ipStrategy`

-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.

 #### `ipStrategy.depth`

 The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).

+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is less than or equal to 0.
+
 !!! example "Examples of Depth & X-Forwarded-For"

-    ```yaml tab="Docker"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    labels:
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```yaml tab="Kubernetes"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: Middleware
-    metadata:
-      name: testIPwhitelist
-    spec:
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
+
+    | `X-Forwarded-For`                       | `depth` | clientIP     |
+    |-----------------------------------------|---------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+```yaml tab="Docker"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: testIPwhitelist
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+    ipStrategy:
+      depth: 2
+```
+
+```yaml tab="Consul Catalog"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```toml tab="File (TOML)"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+      depth = 2
+```
+
+```yaml tab="File (YAML)"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+http:
+  middlewares:
+    test-ipwhitelist:
      ipWhiteList:
        sourceRange:
-          - 127.0.0.1/32
-          - 192.168.1.7
+          - "127.0.0.1/32"
+          - "192.168.1.7"
        ipStrategy:
          depth: 2
-    ```
-    
-    ```yaml tab="Consul Catalog"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```json tab="Marathon"
-    "labels": {
-      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
-    }
-    ```
-    
-    ```yaml tab="Rancher"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    labels:
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```toml tab="File (TOML)"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    [http.middlewares]
-      [http.middlewares.test-ipwhitelist.ipWhiteList]
-        sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-          depth = 2
-    ```
-    
-    ```yaml tab="File (YAML)"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    http:
-      middlewares:
-        test-ipwhitelist:
-          ipWhiteList:
-            sourceRange:
-              - "127.0.0.1/32"
-              - "192.168.1.7"
-            ipStrategy:
-              depth: 2
-    ```
-    
-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
-    
-    ??? example "More examples"
-    
-        | `X-Forwarded-For`                       | `depth` | clientIP     |
-        |-----------------------------------------|---------|--------------|
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
-
-!!! info
-
-    - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-    - `depth` is ignored if its value is lesser than or equal to 0.
+```

 #### `ipStrategy.excludedIPs`

+`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
@@ -215,17 +225,3 @@ http:
            - "127.0.0.1/32"
            - "192.168.1.7"
 ```
-
-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Examples of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -11,13 +11,18 @@ There are several available middleware in Traefik, some can modify the request,

 Pieces of middleware can be combined in chains to fit every scenario.

+!!! warning "Provider Namespace"
+
+    Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section.
+    It also applies to Middlewares.
+
 ## Configuration Example

 ```yaml tab="Docker"
 # As a Docker Label
 whoami:
  #  A container that exposes an API to show its IP address
-  image: containous/whoami
+  image: traefik/whoami
  labels:
    # Create a middleware named `foo-add-prefix`
    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
@@ -25,7 +30,7 @@ whoami:
    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

-```yaml tab="Kubernetes"
+```yaml tab="Kubernetes IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -128,78 +133,6 @@ http:
          - url: "http://127.0.0.1:80"
 ```

-## Provider Namespace
-
-When you declare a middleware, it lives in its provider's namespace.
-For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
-
-If you use multiple providers and wish to reference a middleware declared in another provider
-(aka referencing a cross-provider middleware),
-then you'll have to append to the middleware name, the `@` separator, followed by the provider name.
-
-```text
-<resource-name>@<provider-name>
-```
-
-!!! important "Kubernetes Namespace"
-
-    As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
-    with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
-    In this case, since the definition of the middleware is not in kubernetes,
-    specifying a "kubernetes namespace" when referring to the resource does not make any sense,
-    and therefore this specification would be ignored even if present.
-
-!!! abstract "Referencing a Middleware from Another Provider"
-
-    Declaring the add-foo-prefix in the file provider.
-
-    ```toml tab="File (TOML)"
-    [http.middlewares]
-      [http.middlewares.add-foo-prefix.addPrefix]
-        prefix = "/foo"
-    ```
-    
-    ```yaml tab="File (YAML)"
-    http:
-      middlewares:
-        add-foo-prefix:
-          addPrefix:
-            prefix: "/foo"
-    ```
-
-    Using the add-foo-prefix middleware from other providers:
-
-    ```yaml tab="Docker"
-    your-container: #
-      image: your-docker-image
-
-      labels:
-        # Attach add-foo-prefix@file middleware (declared in file)
-        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
-    ```
-
-    ```yaml tab="Kubernetes"
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: ingressroutestripprefix
-
-    spec:
-      entryPoints:
-        - web
-      routes:
-        - match: Host(`example.com`)
-          kind: Rule
-          services:
-            - name: whoami
-              port: 80
-          middlewares:
-            - name: add-foo-prefix@file
-            # namespace: bar
-            # A namespace specification such as above is ignored
-            # when the cross-provider syntax is used.
-    ```
-
 ## Available Middlewares

 | Middleware                                | Purpose                                           | Area                        |
--- a/docs/content/middlewares/passtlsclientcert.md
+++ b/docs/content/middlewares/passtlsclientcert.md
@@ -7,7 +7,7 @@ Adding Client Certificates in a Header
 TODO: add schema
 -->

-PassTLSClientCert adds in header the selected data from the passed client tls certificate.
+PassTLSClientCert adds the selected data from the passed client TLS certificate to a header.

 ## Configuration Examples

@@ -86,7 +86,7 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```
-    
+
    ```yaml tab="Kubernetes"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    apiVersion: traefik.containo.us/v1alpha1
@@ -116,7 +116,7 @@ http:
            serialNumber: true
            domainComponent: true
    ```
-    
+
    ```yaml tab="Consul Catalog"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
@@ -137,7 +137,7 @@ http:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```
-        
+
    ```json tab="Marathon"
    "labels": {
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
@@ -159,7 +159,7 @@ http:
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
    }
    ```
-    
+
    ```yaml tab="Rancher"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    labels:
@@ -240,7 +240,7 @@ http:

 ### General

-PassTLSClientCert can add two headers to the request: 
+PassTLSClientCert can add two headers to the request:

 - `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
@@ -251,9 +251,9 @@ PassTLSClientCert can add two headers to the request:
    * These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.

-In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.
+The following example shows a complete certificate and explains each of the middleware options.

-??? example "A complete client tls certificate"
+??? example "A complete client TLS certificate"

    ```
    Certificate:
@@ -292,16 +292,16 @@ In the following example, you can see a complete certificate. We will use each p
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
-                X509v3 Basic Constraints: 
+                X509v3 Basic Constraints:
                    CA:FALSE
-                X509v3 Extended Key Usage: 
+                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
-                X509v3 Subject Key Identifier: 
+                X509v3 Subject Key Identifier:
                    94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
-                X509v3 Authority Key Identifier: 
+                X509v3 Authority Key Identifier:
                    keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
-    
-                X509v3 Subject Alternative Name: 
+
+                X509v3 Subject Alternative Name:
                    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
        Signature Algorithm: sha1WithRSAEncryption
             76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
@@ -359,9 +359,9 @@ In the following example, you can see a complete certificate. We will use each p

 ### `pem`

-The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
+The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escaped certificate.

-In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
+In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters:

 ??? example "The data used by the pem option"

@@ -403,23 +403,24 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
    ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
    -----END CERTIFICATE-----
    ```
-    
+
 !!! info "Extracted data"
-    
-    The delimiters and `\n` will be removed.  
+
+    The delimiters and `\n` will be removed.
    If there are more than one certificate, they are separated by a "`,`".

 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"

-    The header size limit of web servers is commonly between 4kb and 8kb.  
+    The header size limit of web servers is commonly between 4kb and 8kb.
    You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).

 ### `info`

-The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
-The value of the header will be an escaped concatenation of all the selected certificate details.
+The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

-The following example shows an unescaped result that uses all the available fields: 
+The value of the header is an escaped concatenation of all the selected certificate details.
+
+The following example shows an unescaped result that uses all the available fields:

 ```text
 Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -433,14 +434,14 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO

 Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.

-The data are taken from the following certificate part:      
+The data is taken from the following certificate part:

 ```text
    Validity
-        Not After : Dec  5 11:10:16 2020 GMT            
+        Not After : Dec  5 11:10:16 2020 GMT
 ```

-The escape `notAfter` info part will be like:
+The escaped `notAfter` info part is formatted as below:

 ```text
 NA="1607166616"
@@ -450,14 +451,14 @@ NA="1607166616"

 Set the `info.notBefore` option to `true` to add the `Not Before` information from the `Validity` part.

-The data are taken from the following certificate part:
+The data is taken from the following certificate part:

 ```text
 Validity
    Not Before: Dec  6 11:10:16 2018 GMT
 ```

-The escape `notBefore` info part will be like:
+The escaped `notBefore` info part is formatted as below:

 ```text
 NB="1544094616"
@@ -467,28 +468,28 @@ NB="1544094616"

 Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.

-The data are taken from the following certificate part:
+The data is taken from the following certificate part:

 ```text
- X509v3 Subject Alternative Name: 
+ X509v3 Subject Alternative Name:
    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```

-The escape SANs info part will be like:
+The escape SANs info part is formatted as below:

 ```text
 SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```

-!!! info "multiple values"
+!!! info "Multiple values"

-    All the SANs data are separated by a `,`.
+    The SANs are separated by a `,`.

 #### `info.subject`

-The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
+The `info.subject` selects the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

-The data are taken from the following certificate part :
+The data is taken from the following certificate part:

 ```text
 Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
@@ -496,9 +497,11 @@ Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=

 ##### `info.subject.country`

-Set the `info.subject.country` option to true to add the `country` information into the subject.  
-The data are taken from the subject part with the `C` key. 
-The escape country info in the subject part will be like :
+Set the `info.subject.country` option to `true` to add the `country` information into the subject.
+
+The data is taken from the subject part with the `C` key.
+
+The escape country info in the subject part is formatted as below:

 ```text
 C=FR,C=US
@@ -506,11 +509,11 @@ C=FR,C=US

 ##### `info.subject.province`

-Set the `info.subject.province` option to true to add the `province` information into the subject.
-  
-The data are taken from the subject part with the `ST` key.
+Set the `info.subject.province` option to `true` to add the `province` information into the subject.

-The escape province info in the subject part will be like :
+The data is taken from the subject part with the `ST` key.
+
+The escape province info in the subject part is formatted as below:

 ```text
 ST=Cheese org state,ST=Cheese com state
@@ -518,11 +521,11 @@ ST=Cheese org state,ST=Cheese com state

 ##### `info.subject.locality`

-Set the `info.subject.locality` option to true to add the `locality` information into the subject.
-  
-The data are taken from the subject part with the `L` key.
+Set the `info.subject.locality` option to `true` to add the `locality` information into the subject.

-The escape locality info in the subject part will be like :
+The data is taken from the subject part with the `L` key.
+
+The escape locality info in the subject part is formatted as below:

 ```text
 L=TOULOUSE,L=LYON
@@ -530,11 +533,11 @@ L=TOULOUSE,L=LYON

 ##### `info.subject.organization`

-Set the `info.subject.organization` option to true to add the `organization` information into the subject.
-  
-The data are taken from the subject part with the `O` key.
+Set the `info.subject.organization` option to `true` to add the `organization` information into the subject.

-The escape organization info in the subject part will be like :
+The data is taken from the subject part with the `O` key.
+
+The escape organization info in the subject part is formatted as below:

 ```text
 O=Cheese,O=Cheese 2
@@ -542,11 +545,11 @@ O=Cheese,O=Cheese 2

 ##### `info.subject.commonName`

-Set the `info.subject.commonName` option to true to add the `commonName` information into the subject.
-  
-The data are taken from the subject part with the `CN` key.
+Set the `info.subject.commonName` option to `true` to add the `commonName` information into the subject.

-The escape common name info in the subject part will be like :
+The data is taken from the subject part with the `CN` key.
+
+The escape common name info in the subject part is formatted as below:

 ```text
 CN=*.example.com
@@ -554,11 +557,11 @@ CN=*.example.com

 ##### `info.subject.serialNumber`

-Set the `info.subject.serialNumber` option to true to add the `serialNumber` information into the subject.
-  
-The data are taken from the subject part with the `SN` key.
+Set the `info.subject.serialNumber` option to `true` to add the `serialNumber` information into the subject.

-The escape serial number info in the subject part will be like :
+The data is taken from the subject part with the `SN` key.
+
+The escape serial number info in the subject part is formatted as below:

 ```text
 SN=1234567890
@@ -566,11 +569,11 @@ SN=1234567890

 ##### `info.subject.domainComponent`

-Set the `info.subject.domainComponent` option to true to add the `domainComponent` information into the subject.
-  
-The data are taken from the subject part with the `DC` key.
+Set the `info.subject.domainComponent` option to `true` to add the `domainComponent` information into the subject.

-The escape domaincomponent info in the subject part will be like :
+The data is taken from the subject part with the `DC` key.
+
+The escape domain component info in the subject part is formatted as below:

 ```text
 DC=org,DC=cheese
@@ -578,9 +581,9 @@ DC=org,DC=cheese

 #### `info.issuer`

-The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
+The `info.issuer` selects the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

-The data are taken from the following certificate part :
+The data is taken from the following certificate part:

 ```text
 Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
@@ -588,9 +591,11 @@ Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=S

 ##### `info.issuer.country`

-Set the `info.issuer.country` option to true to add the `country` information into the issuer.  
-The data are taken from the issuer part with the `C` key. 
-The escape country info in the issuer part will be like :
+Set the `info.issuer.country` option to `true` to add the `country` information into the issuer.
+
+The data is taken from the issuer part with the `C` key.
+
+The escape country info in the issuer part is formatted as below:

 ```text
 C=FR,C=US
@@ -598,11 +603,11 @@ C=FR,C=US

 ##### `info.issuer.province`

-Set the `info.issuer.province` option to true to add the `province` information into the issuer.
-  
-The data are taken from the issuer part with the `ST` key.
+Set the `info.issuer.province` option to `true` to add the `province` information into the issuer.

-The escape province info in the issuer part will be like :
+The data is taken from the issuer part with the `ST` key.
+
+The escape province info in the issuer part is formatted as below:

 ```text
 ST=Signing State,ST=Signing State 2
@@ -610,11 +615,11 @@ ST=Signing State,ST=Signing State 2

 ##### `info.issuer.locality`

-Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
-  
-The data are taken from the issuer part with the `L` key.
+Set the `info.issuer.locality` option to `true` to add the `locality` information into the issuer.

-The escape locality info in the issuer part will be like :
+The data is taken from the issuer part with the `L` key.
+
+The escape locality info in the issuer part is formatted as below:

 ```text
 L=TOULOUSE,L=LYON
@@ -622,11 +627,11 @@ L=TOULOUSE,L=LYON

 ##### `info.issuer.organization`

-Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
-  
-The data are taken from the issuer part with the `O` key.
+Set the `info.issuer.organization` option to `true` to add the `organization` information into the issuer.

-The escape organization info in the issuer part will be like :
+The data is taken from the issuer part with the `O` key.
+
+The escape organization info in the issuer part is formatted as below:

 ```text
 O=Cheese,O=Cheese 2
@@ -634,11 +639,11 @@ O=Cheese,O=Cheese 2

 ##### `info.issuer.commonName`

-Set the `info.issuer.commonName` option to true to add the `commonName` information into the issuer.
-  
-The data are taken from the issuer part with the `CN` key.
+Set the `info.issuer.commonName` option to `true` to add the `commonName` information into the issuer.

-The escape common name info in the issuer part will be like :
+The data is taken from the issuer part with the `CN` key.
+
+The escape common name info in the issuer part is formatted as below:

 ```text
 CN=Simple Signing CA 2
@@ -646,11 +651,11 @@ CN=Simple Signing CA 2

 ##### `info.issuer.serialNumber`

-Set the `info.issuer.serialNumber` option to true to add the `serialNumber` information into the issuer.
-  
-The data are taken from the issuer part with the `SN` key.
+Set the `info.issuer.serialNumber` option to `true` to add the `serialNumber` information into the issuer.

-The escape serial number info in the issuer part will be like :
+The data is taken from the issuer part with the `SN` key.
+
+The escape serial number info in the issuer part is formatted as below:

 ```text
 SN=1234567890
@@ -658,11 +663,11 @@ SN=1234567890

 ##### `info.issuer.domainComponent`

-Set the `info.issuer.domainComponent` option to true to add the `domainComponent` information into the issuer.
-  
-The data are taken from the issuer part with the `DC` key.
+Set the `info.issuer.domainComponent` option to `true` to add the `domainComponent` information into the issuer.

-The escape domain component info in the issuer part will be like :
+The data is taken from the issuer part with the `DC` key.
+
+The escape domain component info in the issuer part is formatted as below:

 ```text
 DC=org,DC=cheese
--- a/docs/content/middlewares/ratelimit.md
+++ b/docs/content/middlewares/ratelimit.md
@@ -3,7 +3,7 @@
 To Control the Number of Requests Going to a Service
 {: .subtitle }

-The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows one to define what fair is.
+The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.

 ## Configuration Example

@@ -74,7 +74,7 @@ http:

 ### `average`

-`average` is the maximum rate, by default in requests by second, allowed for the given source.
+`average` is the maximum rate, by default in requests per second, allowed from a given source.

 It defaults to `0`, which means no rate limiting.

@@ -219,7 +219,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```

 ```json tab="Marathon"
@@ -230,7 +230,7 @@ spec:

 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```

 ```toml tab="File (TOML)"
@@ -248,25 +248,25 @@ http:
 ```

 ### `sourceCriterion`
- 
-SourceCriterion defines what criterion is used to group requests as originating from a common source.
+
+The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
 The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
 If none are set, the default is to use the request's remote address field (as an `ipStrategy`).

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

 ##### `ipStrategy.depth`

-The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).

- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is lesser than or equal to 0.
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
+- `depth` is ignored if its value is less than or equal to 0.

 !!! example "Example of Depth & X-Forwarded-For"

-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).

    | `X-Forwarded-For`                       | `depth` | clientIP     |
    |-----------------------------------------|---------|--------------|
@@ -274,8 +274,71 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |

+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    sourceCriterion:
+      ipStrategy:
+        depth: 2
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          ipStrategy:
+            depth: 2
+```
+
 ##### `ipStrategy.excludedIPs`

+`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
@@ -329,23 +392,9 @@ http:
              - "192.168.1.7"
 ```

-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Example of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
-
 #### `sourceCriterion.requestHeaderName`

-Requests having the same value for the given header are grouped as coming from the same source.
+Name of the header used to group incoming requests.

 ```yaml tab="Docker"
 labels:
--- a/docs/content/middlewares/redirectregex.md
+++ b/docs/content/middlewares/redirectregex.md
@@ -7,7 +7,7 @@ Redirecting the Client to a Different Location
 TODO: add schema
 -->

-RegexRedirect redirect a request from an url to another with regex matching and replacement.
+The RedirectRegex redirects a request using regex matching and replacement.

 ## Configuration Examples

@@ -73,6 +73,10 @@ http:

 ## Configuration Options

+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
 ### `permanent`

 Set the `permanent` option to `true` to apply a permanent redirection.
@@ -80,15 +84,11 @@ Set the `permanent` option to `true` to apply a permanent redirection.
 ### `regex`

 The `regex` option is the regular expression to match and capture elements from the request URL.
-
-!!! warning
-
-    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
-
-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
    
 ### `replacement`

 The `replacement` option defines how to modify the URL to have the new target URL.
+
+!!! warning
+
+    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
--- a/docs/content/middlewares/redirectscheme.md
+++ b/docs/content/middlewares/redirectscheme.md
@@ -7,7 +7,7 @@ Redirecting the Client to a Different Scheme/Port
 TODO: add schema
 -->

-RedirectScheme redirect request from a scheme to another.
+RedirectScheme redirects requests from a scheme/port to another.

 ## Configuration Examples

@@ -135,7 +135,7 @@ http:

 ### `scheme`

-The `scheme` option defines the scheme of the new url.
+The `scheme` option defines the scheme of the new URL.

 ```yaml tab="Docker"
 # Redirect to https
@@ -190,7 +190,7 @@ http:

 ### `port`

-The `port` option defines the port of the new url.
+The `port` option defines the port of the new URL.

 ```yaml tab="Docker"
 # Redirect to https
--- a/docs/content/middlewares/replacepath.md
+++ b/docs/content/middlewares/replacepath.md
@@ -7,18 +7,18 @@ Updating the Path Before Forwarding the Request
 TODO: add schema
 -->

-Replace the path of the request url.
+Replace the path of the request URL.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Replace the path by /foo
+# Replace the path with /foo
 labels:
  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

 ```yaml tab="Kubernetes"
-# Replace the path by /foo
+# Replace the path with /foo
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -29,7 +29,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Replace the path by /foo
+# Replace the path with /foo
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

@@ -40,20 +40,20 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Replace the path by /foo
+# Replace the path with /foo
 labels:
  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

 ```toml tab="File (TOML)"
-# Replace the path by /foo
+# Replace the path with /foo
 [http.middlewares]
  [http.middlewares.test-replacepath.replacePath]
    path = "/foo"
 ```

 ```yaml tab="File (YAML)"
-# Replace the path by /foo
+# Replace the path with /foo
 http:
  middlewares:
    test-replacepath:
@@ -67,9 +67,9 @@ http:

 The ReplacePath middleware will:

- replace the actual path by the specified one.
+- replace the actual path with the specified one.
 - store the original path in a `X-Replaced-Path` header.

 ### `path`

-The `path` option defines the path to use as replacement in the request url.
+The `path` option defines the path to use as replacement in the request URL.
--- a/docs/content/middlewares/replacepathregex.md
+++ b/docs/content/middlewares/replacepathregex.md
@@ -7,7 +7,7 @@ Updating the Path Before Forwarding the Request (Using a Regex)
 TODO: add schema
 -->

-The ReplaceRegex replace a path from an url to another with regex matching and replacement.
+The ReplaceRegex replaces the path of a URL using regex matching and replacement.

 ## Configuration Examples

@@ -51,7 +51,7 @@ labels:
 ```

 ```toml tab="File (TOML)"
-# Redirect with domain replacement
+# Replace path with regex
 [http.middlewares]
  [http.middlewares.test-replacepathregex.replacePathRegex]
    regex = "^/foo/(.*)"
@@ -59,7 +59,7 @@ labels:
 ```

 ```yaml tab="File (YAML)"
-# Redirect with domain replacement
+# Replace path with regex
 http:
  middlewares:
    test-replacepathregex:
@@ -74,21 +74,21 @@ http:

 The ReplacePathRegex middleware will:

- replace the matching path by the specified one.
+- replace the matching path with the specified one.
 - store the original path in a `X-Replaced-Path` header.

+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or [Regex101](https://regex101.com/r/58sIgx/2).
+
 ### `regex`

 The `regex` option is the regular expression to match and capture the path from the request URL.
+    
+### `replacement`
+
+The `replacement` option defines the replacement path format, which can include captured variables.

 !!! warning

    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
-
-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-    
-### `replacement`
-
-The `replacement` option defines how to modify the path to have the new target path.
--- a/docs/content/middlewares/retry.md
+++ b/docs/content/middlewares/retry.md
@@ -7,19 +7,21 @@ Retrying until it Succeeds
 TODO: add schema
 -->

-The Retry middleware is in charge of reissuing a request a given number of times to a backend server if that server does not reply.
-To be clear, as soon as the server answers, the middleware stops retrying, regardless of the response status.
+The Retry middleware reissues requests a given number of times to a backend server if that server does not reply.
+As soon as the server answers, the middleware stops retrying, regardless of the response status.
+The Retry middleware has an optional configuration to enable an exponential backoff.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Retry to send request 4 times
+# Retry 4 times with exponential backoff
 labels:
  - "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```

 ```yaml tab="Kubernetes"
-# Retry to send request 4 times
+# Retry 4 times with exponential backoff
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -27,45 +29,58 @@ metadata:
 spec:
  retry:
    attempts: 4
+    initialInterval: 100ms
 ```

 ```yaml tab="Consul Catalog"
-# Retry to send request 4 times
+# Retry 4 times with exponential backoff
 - "traefik.http.middlewares.test-retry.retry.attempts=4"
+- "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-retry.retry.attempts": "4"
+  "traefik.http.middlewares.test-retry.retry.attempts": "4",
+  "traefik.http.middlewares.test-retry.retry.initialinterval": "100ms",
 }
 ```

 ```yaml tab="Rancher"
-# Retry to send request 4 times
+# Retry 4 times with exponential backoff
 labels:
  - "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```

 ```toml tab="File (TOML)"
-# Retry to send request 4 times
+# Retry 4 times with exponential backoff
 [http.middlewares]
  [http.middlewares.test-retry.retry]
-     attempts = 4
+    attempts = 4
+    initialInterval = "100ms"
 ```

 ```yaml tab="File (YAML)"
-# Retry to send request 4 times
+# Retry 4 times with exponential backoff
 http:
  middlewares:
    test-retry:
      retry:
-       attempts: 4
+        attempts: 4
+        initialInterval: 100ms
 ```

 ## Configuration Options

-### `attempts` 
+### `attempts`

 _mandatory_

 The `attempts` option defines how many times the request should be retried.
+
+### `initialInterval`
+
+The `initialInterval` option defines the first wait time in the exponential backoff series. The maximum interval is
+calculated as twice the `initialInterval`. If unspecified, requests will be retried immediately.
+
+The value of initialInterval should be provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
--- a/docs/content/middlewares/stripprefix.md
+++ b/docs/content/middlewares/stripprefix.md
@@ -69,36 +69,59 @@ http:

 ### General

-The StripPrefix middleware will:
-
- strip the matching path prefix.
- store the matching path prefix in a `X-Forwarded-Prefix` header.
+The StripPrefix middleware strips the matching path prefix and stores it in a `X-Forwarded-Prefix` header.

 !!! tip
-    
-    Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+
+    Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.

 ### `prefixes`

 The `prefixes` option defines the prefixes to strip from the request URL.

-For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.
+For instance, `/products` also matches `/products/shoes` and `/products/shirts`.

-Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
-
-If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
-Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
-
-The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
+If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
+Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).

 ### `forceSlash`

 _Optional, Default=true_

+The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
+
+This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
+
+It is recommended to explicitly set `forceSlash` to `false`.
+
+??? info "Behavior examples"
+
+    - `forceSlash=true`
+
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | `/`    |
+    | `/foo`     | `/foo`          | `/`    |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | `/`    |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+
+    - `forceSlash=false`
+
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | empty  |
+    | `/foo`     | `/foo`          | empty  |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | empty  |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceslash=false"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
 ```

 ```yaml tab="Kubernetes"
@@ -116,7 +139,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
-  "traefik.http.middlewares.example.stripprefix.forceslash": "false"
+  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
 }
 ```

@@ -142,33 +165,3 @@ http:
          - "/foobar"
        forceSlash: false
 ```
-
-The `forceSlash` option makes sure that the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
-
-This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
-
-It's recommended to explicitly set `forceSlash` to `false`.
-
-??? info "Behavior examples"
-    
-    - `forceSlash=true`
-    
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | `/`    |
-    | `/foo`     | `/foo`          | `/`    |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | `/`    |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-    
-    - `forceSlash=false`
-    
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | empty  |
-    | `/foo`     | `/foo`          | empty  |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | empty  |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
--- a/docs/content/middlewares/stripprefixregex.md
+++ b/docs/content/middlewares/stripprefixregex.md
@@ -57,14 +57,11 @@ http:

 ### General

-The StripPrefixRegex middleware will:
-
- strip the matching path prefix.
- store the matching path prefix in a `X-Forwarded-Prefix` header.
+The StripPrefixRegex middleware strips the matching path prefix and stores it in a `X-Forwarded-Prefix` header.

 !!! tip
-    
-    Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+
+    Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.

 ### `regex`

@@ -74,12 +71,7 @@ The `regex` option is the regular expression to match the path prefix from the r

    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).

-For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
+For instance, `/products` also matches `/products/shoes` and `/products/shirts`.

-Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.  
-
-If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
-
-Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
-
-The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
+If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
+Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -10,7 +10,7 @@ feature by feature, of how the configuration looked like in v1, and how it now l

 !!! info "Migration Helper"

-    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/containous/traefik-migration-tool)
+    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/traefik/traefik-migration-tool)

    This tool allows to:

@@ -104,7 +104,7 @@ Then any router can refer to an instance of the wanted middleware.

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://docs.traefik.io/v2.2/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
@@ -275,7 +275,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://docs.traefik.io/v2.2/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: TLSOption
    metadata:
@@ -385,7 +385,7 @@ To apply a redirection:
    
    entryPoints:
      web:
-        address: 80
+        address: ":80"
        http:
          redirections:
            entrypoint:
@@ -393,7 +393,7 @@ To apply a redirection:
              scheme: https
    
      websecure:
-        address: 443
+        address: ":443"
    ```

 !!! example "HTTP to HTTPS redirection per domain"
@@ -453,7 +453,7 @@ To apply a redirection:
            - name: whoami
              port: 80
          middlewares:
-            - name: https_redirect
+            - name: https-redirect
    
    ---
    apiVersion: traefik.containo.us/v1alpha1
@@ -476,7 +476,7 @@ To apply a redirection:
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
-      name: https_redirect
+      name: https-redirect
    spec:
      redirectScheme:
        scheme: https
@@ -528,7 +528,7 @@ To apply a redirection:
          tls: {}
    
      middlewares:
-        https_redirect:
+        https-redirect:
          redirectScheme:
            scheme: https
            permanent: true
@@ -1145,4 +1145,4 @@ Supported [providers](../providers/overview.md), for now:
 - Now, configuration elements can be referenced between different providers by using the provider namespace notation: `@<provider>`.
  For instance, a router named `myrouter` in a File Provider can refer to a service named `myservice` defined in Docker Provider with the following notation: `myservice@docker`.
 - Middlewares are applied in the same order as their declaration in router.
- If you have any questions feel free to join our [community forum](https://community.containo.us).
+- If you have any questions feel free to join our [community forum](https://community.traefik.io).
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -1,17 +1,5 @@
 # Migration: Steps needed between the versions

-## v2.2.2 to v2.2.5
-
-### InsecureSNI removal
-
-In `v2.2.2` we introduced a new flag (`insecureSNI`) which was available as a global option to disable domain fronting.
-Since `v2.2.5` this global option has been removed, and you should not use it anymore.
-
-### HostSNI rule matcher removal
-
-In `v2.2.2` we introduced a new rule matcher (`HostSNI`) which was allowing to match the Server Name Indication at the router level.
-Since `v2.2.5` this rule has been removed, and you should not use it anymore.
-
 ## v2.0 to v2.1

 ### Kubernetes CRD
@@ -314,3 +302,52 @@ providers:
 --entryPoints.websecure.address=:443
 --providers.kubernetesIngress=true
 ```
+
+## v2.2.2 to v2.2.5
+
+### InsecureSNI removal
+
+In `v2.2.2` we introduced a new flag (`insecureSNI`) which was available as a global option to disable domain fronting.
+Since `v2.2.5` this global option has been removed, and you should not use it anymore.
+
+### HostSNI rule matcher removal
+
+In `v2.2.2` we introduced a new rule matcher (`HostSNI`) for HTTP routers which was allowing to match the Server Name Indication at the router level.
+Since `v2.2.5` this rule has been removed for HTTP routers, and you should not use it anymore.
+
+## v2.2 to v2.3
+
+### X.509 CommonName Deprecation
+
+The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present, is now disabled by default.
+
+It means that if one is using https with your backend servers, and a certificate with only a CommonName,
+Traefik will not try to match the server name indication with the CommonName anymore.
+
+It can be temporarily re-enabled by adding the value `x509ignoreCN=0` to the `GODEBUG` environment variable.
+
+More information: https://golang.org/doc/go1.15#commonname
+
+### File Provider
+
+The file parser has been changed, since v2.3 the unknown options/fields in a dynamic configuration file are treated as errors.
+
+### IngressClass
+
+In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
+In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated. 
+
+## v2.4.7 to v2.4.8
+
+### Non-ASCII Domain Names
+
+In `v2.4.8` we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
+and in TCP router rule `HostSNI` expression.
+This check ensures that provided domain names don't contain non-ASCII characters. 
+If not, an error is raised, and the associated router will be shown as invalid in the dashboard.
+
+This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
+It doesn't change the support for non-ASCII domain names in routers rules, which is not part of the Traefik feature set so far.
+
+In order to use non-ASCII domain names in a router's rule, one should use the Punycode form of the domain name.
+For more information, please read the [HTTP routers rule](../routing/routers/index.md#rule) part or [TCP router rules](../routing/routers/index.md#rule_1) part of the documentation.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -26,6 +26,20 @@ accessLog: {}
 By default access logs are written to the standard output.
 To write the logs into a log file, use the `filePath` option.

+```toml tab="File (TOML)"
+[accessLog]
+  filePath = "/path/to/access.log"
+```
+
+```yaml tab="File (YAML)"
+accessLog:
+  filePath: "/path/to/access.log"
+```
+
+```bash tab="CLI"
+--accesslog.filepath=/path/to/access.log
+```
+
 ### `format`
 
 By default, logs are written using the Common Log Format (CLF).
@@ -60,7 +74,6 @@ accessLog:

 ```bash tab="CLI"
 # Configuring a buffer of 100 lines
--accesslog=true
 --accesslog.filepath=/path/to/access.log
 --accesslog.bufferingsize=100
 ```
@@ -74,7 +87,7 @@ The available filters are:

 - `statusCodes`, to limit the access logs to requests with a status codes in the specified range
 - `retryAttempts`, to keep the access logs when at least one retry has happened
- `minDuration`, to keep access logs when requests take longer than the specified duration
+- `minDuration`, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration))

 ```toml tab="File (TOML)"
 # Configuring Multiple Filters
@@ -103,7 +116,6 @@ accessLog:

 ```bash tab="CLI"
 # Configuring Multiple Filters
--accesslog=true
 --accesslog.filepath=/path/to/access.log
 --accesslog.format=json
 --accesslog.filters.statuscodes=200,300-302
@@ -163,7 +175,6 @@ accessLog:

 ```bash tab="CLI"
 # Limiting the Logs to Specific Fields
--accesslog=true
 --accesslog.filepath=/path/to/access.log
 --accesslog.format=json
 --accesslog.fields.defaultmode=keep
@@ -198,7 +209,7 @@ accessLog:
    | `RequestScheme`         | The HTTP scheme requested `http` or `https`.                                                                                                                        |
    | `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
    | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
-    | `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |
+    | `OriginDuration`        | The time taken (in nanoseconds) by the origin server ('upstream') to return its response.                                                                                            |
    | `OriginContentSize`     | The content length specified by the origin server, or 0 if unspecified.                                                                                             |
    | `OriginStatus`          | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent.     |
    | `OriginStatusLine`      | `OriginStatus` + Status code explanation                                                                                                                            |
@@ -207,7 +218,7 @@ accessLog:
    | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
    | `RequestCount`          | The number of requests received since the Traefik instance started.                                                                                                 |
    | `GzipRatio`             | The response body compression ratio achieved.                                                                                                                       |
-    | `Overhead`              | The processing time overhead caused by Traefik.                                                                                                                     |
+    | `Overhead`              | The processing time overhead (in nanoseconds) caused by Traefik.                                                                                                                     |
    | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |

 ## Log Rotation
@@ -217,3 +228,31 @@ This allows the logs to be rotated and processed by an external program, such as

 !!! warning
    This does not work on Windows due to the lack of USR signals.
+
+## Time Zones
+
+Traefik will timestamp each log line in UTC time by default.
+
+It is possible to configure the Traefik to timestamp in a specific timezone by ensuring the following configuration has been made in your environment:
+
+1. Provide time zone data to `/etc/localtime` or `/usr/share/zoneinfo` (based on your distribution) or set the environment variable TZ to the desired timezone
+2. Specify the field `StartLocal` by dropping the field named `StartUTC` (available on the default Common Log Format (CLF) as well as JSON)
+
+Example utilizing Docker Compose:
+
+```yaml
+version: "3.7"
+
+services:
+  traefik:
+    image: traefik:v2.2
+    environment:
+      - TZ=US/Alaska
+    command:
+      - --accesslog.fields.names.StartUTC=drop
+      - --providers.docker
+    ports:
+      - 80:80
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+```
--- a/docs/content/observability/tracing/jaeger.md
+++ b/docs/content/observability/tracing/jaeger.md
@@ -185,6 +185,29 @@ tracing:
 --tracing.jaeger.traceContextHeaderName=uber-trace-id
 ```

+### disableAttemptReconnecting
+
+_Optional, Default=true_
+
+Disable the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
+Enabling the re-resolving of UDP address make the client more robust in Kubernetes deployments.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    disableAttemptReconnecting = false
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    disableAttemptReconnecting: false
+```
+
+```bash tab="CLI"
+--tracing.jaeger.disableAttemptReconnecting=false
+```
+
 ### `collector`
 #### `endpoint`

--- a/docs/content/operations/ping.md
+++ b/docs/content/operations/ping.md
@@ -81,3 +81,28 @@ ping:
 ```bash tab="CLI"
 --ping.manualrouting=true
 ```
+
+### `terminatingStatusCode`
+
+_Optional, Default=503_
+
+During the period in which Traefik is gracefully shutting down, the ping handler
+returns a 503 status code by default. If Traefik is behind e.g. a load-balancer
+doing health checks (such as the Kubernetes LivenessProbe), another code might
+be expected as the signal for graceful termination. In which case, the
+terminatingStatusCode can be used to set the code returned by the ping
+handler during termination.
+
+```toml tab="File (TOML)"
+[ping]
+  terminatingStatusCode = 204
+```
+
+```yaml tab="File (YAML)"
+ping:
+  terminatingStatusCode: 204
+```
+
+```bash tab="CLI"
+--ping.terminatingStatusCode=204
+```
--- a/docs/content/plugins/index.md
+++ b/docs/content/plugins/index.md
@@ -0,0 +1,49 @@
+# Plugins and Traefik Pilot
+
+Traefik Pilot is a software-as-a-service (SaaS) platform that connects to Traefik to extend its capabilities.
+It offers a number of features to enhance observability and control of Traefik through a global control plane and dashboard, including:
+
+* Metrics for network activity of Traefik proxies and groups of proxies
+* Alerts for service health issues and security vulnerabilities
+* Plugins that extend the functionality of Traefik
+
+!!! important "Learn More About Traefik Pilot"
+    This section is intended only as a brief overview for Traefik users who are not familiar with Traefik Pilot. 
+    To explore all that Traefik Pilot has to offer, please consult the [Traefik Pilot Documentation](https://doc.traefik.io/traefik-pilot/)
+
+!!! Note "Prerequisites"
+    Traefik Pilot is compatible with Traefik Proxy 2.3 or later.
+
+## Connecting to Traefik Pilot
+
+To connect your Traefik proxies to Traefik Pilot, login or create an account at the [Traefik Pilot homepage](https://pilot.traefik.io) and choose **Register New Traefik Instance**.
+
+To complete the connection, Traefik Pilot will issue a token that must be added to your Traefik static configuration, according to the instructions provided by the Traefik Pilot dashboard.
+For more information, consult the [Quick Start Guide](https://doc.traefik.io/traefik-pilot/connecting/)
+
+Health and security alerts for registered Traefik instances can be enabled from the Preferences in your [Traefik Pilot Profile](https://pilot.traefik.io/profile).
+
+## Plugins
+
+Plugins are available to any Traefik proxies that are connected to Traefik Pilot.
+They are a powerful feature for extending Traefik with custom features and behaviors.
+
+You can browse community-contributed plugins from the catalog in the [Traefik Pilot Dashboard](https://pilot.traefik.io/plugins).
+
+To add a new plugin to a Traefik instance, you must modify that instance's static configuration.
+The code to be added is provided for you when you choose **Install the Plugin** from the Traefik Pilot dashboard.
+To learn more about Traefik plugins, consult the [documentation](https://doc.traefik.io/traefik-pilot/plugins/overview/).
+
+!!! danger "Experimental Features"
+    Plugins can potentially modify the behavior of Traefik in unforeseen ways.
+    Exercise caution when adding new plugins to production Traefik instances.
+
+## Build Your Own Plugins
+
+Traefik users can create their own plugins and contribute them to the Traefik Pilot catalog to share them with the community.
+
+Traefik plugins are loaded dynamically. 
+They need not be compiled, and no complex toolchain is necessary to build them. 
+The experience of implementing a Traefik plugin is comparable to writing a web browser extension.
+
+To learn more and see code for example Traefik plugins, please see the [developer documentation](https://doc.traefik.io/traefik-pilot/plugins/plugin-dev/).
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -16,12 +16,12 @@ Attach tags to your services and let Traefik do the rest!
    ```toml tab="File (TOML)"
    [providers.consulCatalog]
    ```
-    
+
    ```yaml tab="File (YAML)"
    providers:
      consulCatalog: {}
    ```
-    
+
    ```bash tab="CLI"
    --providers.consulcatalog=true
    ```
@@ -29,7 +29,7 @@ Attach tags to your services and let Traefik do the rest!
    Attaching tags to services

    ```yaml
-    - traefik.http.services.my-service.rule=Host(`example.com`)
+    - traefik.http.routers.my-router.rule=Host(`example.com`)
    ```

 ## Routing Configuration
@@ -42,6 +42,8 @@ See the dedicated section in [routing](../routing/providers/consul-catalog.md).

 _Optional, Default=15s_

+Defines the polling interval.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  refreshInterval = "30s"
@@ -60,12 +62,12 @@ providers:
 # ...
 ```

-Defines the polling interval.
-
 ### `prefix`

 _required, Default="traefik"_

+The prefix for Consul Catalog tags defining Traefik labels.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  prefix = "test"
@@ -84,12 +86,18 @@ providers:
 # ...
 ```

-The prefix for Consul Catalog tags defining traefik labels.
-
 ### `requireConsistent`

 _Optional, Default=false_

+Forces the read to be fully consistent.
+
+!!! note ""
+
+    It is more expensive due to an extra round-trip but prevents ever performing a stale read.
+
+    For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  requireConsistent = true
@@ -108,12 +116,18 @@ providers:
 # ...
 ```

-Forces the read to be fully consistent.
-
 ### `stale`

 _Optional, Default=false_

+Use stale consistency for catalog reads.
+
+!!! note ""
+
+    This makes reads very fast and scalable at the cost of a higher likelihood of stale values.
+
+    For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  stale = true
@@ -132,12 +146,12 @@ providers:
 # ...
 ```

-Use stale consistency for catalog reads.
-
 ### `cache`

 _Optional, Default=false_

+Use local agent caching for catalog reads.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  cache = true
@@ -156,20 +170,20 @@ providers:
 # ...
 ```

-Use local agent caching for catalog reads.
-
 ### `endpoint`

 Defines the Consul server endpoint.

 #### `address`

-_Optional, Default="http://127.0.0.1:8500"_
+Defines the address of the Consul server.
+
+_Optional, Default="127.0.0.1:8500"_

 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  [providers.consulCatalog.endpoint]
-    address = "http://127.0.0.1:8500"
+    address = "127.0.0.1:8500"
    # ...
 ```

@@ -177,21 +191,21 @@ _Optional, Default="http://127.0.0.1:8500"_
 providers:
  consulCatalog:
    endpoint:
-      address: http://127.0.0.1:8500
+      address: 127.0.0.1:8500
    # ...
 ```

 ```bash tab="CLI"
--providers.consulcatalog.endpoint.address=http://127.0.0.1:8500
+--providers.consulcatalog.endpoint.address=127.0.0.1:8500
 # ...
 ```

-Defines the address of the Consul server.
-
 #### `scheme`

 _Optional, Default=""_

+Defines the URI scheme for the Consul server.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  [providers.consulCatalog.endpoint]
@@ -212,12 +226,13 @@ providers:
 # ...
 ```

-Defines the URI scheme for the Consul server.
-
 #### `datacenter`

 _Optional, Default=""_

+Defines the datacenter to use.
+If not provided in Traefik, Consul uses the default agent datacenter.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  [providers.consulCatalog.endpoint]
@@ -238,13 +253,12 @@ providers:
 # ...
 ```

-Defines the Data center to use.
-If not provided, the default agent data center is used.
-
 #### `token`

 _Optional, Default=""_

+Token is used to provide a per-request ACL token which overwrites the agent's default token.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  [providers.consulCatalog.endpoint]
@@ -265,12 +279,13 @@ providers:
 # ...
 ```

-Token is used to provide a per-request ACL token which overrides the agent's default token.
-
 #### `endpointWaitTime`

 _Optional, Default=""_

+Limits the duration for which a Watch can block.
+If not provided, the agent default values will be used.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  [providers.consulCatalog.endpoint]
@@ -291,18 +306,17 @@ providers:
 # ...
 ```

-WaitTime limits how long a Watch will block.
-If not provided, the agent default values will be used
-
 #### `httpAuth`

 _Optional_

-Used to authenticate http client with HTTP Basic Authentication.
+Used to authenticate the HTTP client using HTTP Basic Authentication.

 ##### `username`

-_Optional_
+_Optional, Default=""_
+
+Username to use for HTTP Basic Authentication.

 ```toml tab="File (TOML)"
 [providers.consulCatalog.endpoint.httpAuth]
@@ -321,11 +335,11 @@ providers:
 --providers.consulcatalog.endpoint.httpauth.username=test
 ```

-Username to use for HTTP Basic Authentication
-
 ##### `password`

-_Optional_
+_Optional, Default=""_
+
+Password to use for HTTP Basic Authentication.

 ```toml tab="File (TOML)"
 [providers.consulCatalog.endpoint.httpAuth]
@@ -344,8 +358,6 @@ providers:
 --providers.consulcatalog.endpoint.httpauth.password=test
 ```

-Password to use for HTTP Basic Authentication
-
 #### `tls`

 _Optional_
@@ -356,6 +368,8 @@ Defines TLS options for Consul server endpoint.

 _Optional_

+`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog.endpoint.tls]
  ca = "path/to/ca.crt"
@@ -373,12 +387,20 @@ providers:
 --providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt
 ```

-`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
-
 ##### `caOptional`

 _Optional_

+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
+
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog.endpoint.tls]
  caOptional = true
@@ -396,17 +418,14 @@ providers:
 --providers.consulcatalog.endpoint.tls.caoptional=true
 ```

-Policy followed for the secured connection with TLS Client Authentication to Consul.
-Requires `tls.ca` to be defined.
-
- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
-
 ##### `cert`

 _Optional_

+`cert` is the path to the public certificate to use for Consul communication.
+
+When using this option, setting the `key` option is required.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog.endpoint.tls]
  cert = "path/to/foo.cert"
@@ -427,13 +446,14 @@ providers:
 --providers.consulcatalog.endpoint.tls.key=path/to/foo.key
 ```

-`cert` is the path to the public certificate for Consul communication.
-If this is set then you need to also set `key.
-
 ##### `key`

 _Optional_

+`key` is the path to the private key for Consul communication.
+
+When using this option, setting the `cert` option is required.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog.endpoint.tls]
  cert = "path/to/foo.cert"
@@ -454,13 +474,12 @@ providers:
 --providers.consulcatalog.endpoint.tls.key=path/to/foo.key
 ```

-`key` is the path to the private key for Consul communication.
-If this is set then you need to also set `cert`.
-
 ##### `insecureSkipVerify`

 _Optional_

+If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog.endpoint.tls]
  insecureSkipVerify = true
@@ -478,12 +497,15 @@ providers:
 --providers.consulcatalog.endpoint.tls.insecureskipverify=true
 ```

-If `insecureSkipVerify` is `true`, TLS for the connection to Consul server accepts any certificate presented by the server and any host name in that certificate.
-
 ### `exposedByDefault`

 _Optional, Default=true_

+Expose Consul Catalog services by default in Traefik.
+If set to `false`, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  exposedByDefault = false
@@ -502,15 +524,20 @@ providers:
 # ...
 ```

-Expose Consul Catalog services by default in Traefik.
-If set to false, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+The default host rule for all services.
+
+For a given service, if no routing rule was defined by a tag, it is defined by this `defaultRule` instead.
+The `defaultRule` must be set to a valid [Go template](https://golang.org/pkg/text/template/),
+and can include [sprig template functions](http://masterminds.github.io/sprig/).
+The service name can be accessed with the `Name` identifier,
+and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
+
+The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@@ -529,20 +556,49 @@ providers:
 # ...
 ```

-The default host rule for all services.
-
-For a given service if no routing rule was defined by a tag, it is defined by this defaultRule instead.
-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-The service name can be accessed as the `Name` identifier,
-and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
-
-The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
-
 ### `constraints`

 _Optional, Default=""_

+The `constraints` option can be set to an expression that Traefik matches against the service tags to determine whether
+to create any route for that service. If none of the service tags match the expression, no route for that service is
+created. If the expression is empty, all detected services are included.
+
+The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
+as well as the usual boolean logic, as shown in examples below.
+
+??? example "Constraints Expression Examples"
+
+    ```toml
+    # Includes only services having the tag `a.tag.name=foo`
+    constraints = "Tag(`a.tag.name=foo`)"
+    ```
+
+    ```toml
+    # Excludes services having any tag `a.tag.name=foo`
+    constraints = "!Tag(`a.tag.name=foo`)"
+    ```
+
+    ```toml
+    # With logical AND.
+    constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
+    ```
+
+    ```toml
+    # With logical OR.
+    constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
+    ```
+
+    ```toml
+    # With logical AND and OR, with precedence set by parentheses.
+    constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
+    ```
+
+    ```toml
+    # Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
+    constraints = "TagRegex(`a\.tag\.t.+`)"
+    ```
+
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
  constraints = "Tag(`a.tag.name`)"
@@ -561,43 +617,4 @@ providers:
 # ...
 ```

-Constraints is an expression that Traefik matches against the service's tags to determine whether to create any route for that service.
-That is to say, if none of the service's tags match the expression, no route for that service is created.
-If the expression is empty, all detected services are included.
-
-The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
-as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only services having the tag `a.tag.name=foo`
-    constraints = "Tag(`a.tag.name=foo`)"
-    ```
-    
-    ```toml
-    # Excludes services having any tag `a.tag.name=foo`
-    constraints = "!Tag(`a.tag.name=foo`)"
-    ```
-    
-    ```toml
-    # With logical AND.
-    constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
-    ```
-    
-    ```toml
-    # With logical OR.
-    constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
-    ```
-    
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
-    ```
-    
-    ```toml
-    # Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
-    constraints = "TagRegex(`a\.tag\.t.+`)"
-    ```
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
--- a/docs/content/providers/consul.md
+++ b/docs/content/providers/consul.md
@@ -35,10 +35,10 @@ providers:

 ### `rootKey`

-Defines the root key of the configuration.
-
 _Required, Default="traefik"_

+Defines the root key of the configuration.
+
 ```toml tab="File (TOML)"
 [providers.consul]
  rootKey = "traefik"
@@ -56,10 +56,10 @@ providers:

 ### `username`

-Defines a username to connect with Consul.
-
 _Optional, Default=""_

+Defines a username to connect to Consul with.
+
 ```toml tab="File (TOML)"
 [providers.consul]
  # ...
@@ -81,7 +81,7 @@ providers:

 _Optional, Default=""_

-Defines a password to connect with Consul.
+Defines a password with which to connect to Consul.

 ```toml tab="File (TOML)"
 [providers.consul]
@@ -106,7 +106,7 @@ _Optional_

 #### `tls.ca`

-Certificate Authority used for the secured connection to Consul.
+Certificate Authority used for the secure connection to Consul.

 ```toml tab="File (TOML)"
 [providers.consul.tls]
@@ -126,12 +126,15 @@ providers:

 #### `tls.caOptional`

-Policy followed for the secured connection with TLS Client Authentication to Consul.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.

- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.

 ```toml tab="File (TOML)"
 [providers.consul.tls]
@@ -151,7 +154,7 @@ providers:

 #### `tls.cert`

-Public certificate used for the secured connection to Consul.
+Public certificate used for the secure connection to Consul.

 ```toml tab="File (TOML)"
 [providers.consul.tls]
@@ -174,7 +177,7 @@ providers:

 #### `tls.key`

-Private certificate used for the secured connection to Consul.
+Private certificate used for the secure connection to Consul.

 ```toml tab="File (TOML)"
 [providers.consul.tls]
@@ -197,7 +200,7 @@ providers:

 #### `tls.insecureSkipVerify`

-If `insecureSkipVerify` is `true`, TLS for the connection to Consul accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.

 ```toml tab="File (TOML)"
 [providers.consul.tls]
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -11,23 +11,24 @@ Traefik works with both [Docker (standalone) Engine](https://docs.docker.com/eng
 and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).

 !!! tip "The Quick Start Uses Docker"
-    If you haven't already, maybe you'd like to go through the [quick start](../getting-started/quick-start.md) that uses the docker provider!
+
+    If you have not already read it, maybe you would like to go through the [quick start guide](../getting-started/quick-start.md) that uses the Docker provider.

 ## Configuration Examples

 ??? example "Configuring Docker & Deploying / Exposing Services"

    Enabling the docker provider
-    
+
    ```toml tab="File (TOML)"
    [providers.docker]
    ```
-    
+
    ```yaml tab="File (YAML)"
    providers:
      docker: {}
    ```
-    
+
    ```bash tab="CLI"
    --providers.docker=true
    ```
@@ -55,19 +56,22 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
      endpoint = "tcp://127.0.0.1:2377"
      swarmMode = true
    ```
-    
+
    ```yaml tab="File (YAML)"
    providers:
      docker:
        # swarm classic (1.12-)
-        # endpoint = "tcp://127.0.0.1:2375"
+        # endpoint: "tcp://127.0.0.1:2375"
        # docker swarm mode (1.12+)
-        endpoint: "tcp://127.0.0.1:2375"
+        endpoint: "tcp://127.0.0.1:2377"
        swarmMode: true
    ```
-    
+
    ```bash tab="CLI"
-    --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # swarm classic (1.12-)
+    # --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # docker swarm mode (1.12+)
+    --providers.docker.endpoint=tcp://127.0.0.1:2377
    --providers.docker.swarmMode=true
    ```

@@ -95,21 +99,22 @@ See the list of labels in the dedicated [routing](../routing/providers/docker.md
 By default, Traefik watches for [container level labels](https://docs.docker.com/config/labels-custom-metadata/) on a standalone Docker Engine.

 When using Docker Compose, labels are specified by the directive
-[`labels`](https://docs.docker.com/compose/compose-file/#labels) from the
-["services" objects](https://docs.docker.com/compose/compose-file/#service-configuration-reference).
+[`labels`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels) from the
+["services" objects](https://docs.docker.com/compose/compose-file/compose-file-v3/#service-configuration-reference).

 !!! tip "Not Only Docker"
+
    Please note that any tool like Nomad, Terraform, Ansible, etc.
    that is able to define a Docker container with labels can work
-    with Traefik & the Docker provider.
+    with Traefik and the Docker provider.

 ### Port Detection

 Traefik retrieves the private IP and port of containers from the Docker API.

-Ports detection works as follows:
+Port detection works as follows:

- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) only one port,
+- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) a single port,
  then Traefik uses this port for private communication.
 - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
  or does not expose any port, then you must manually specify which port Traefik should use for communication 
@@ -123,12 +128,11 @@ the IP address of the host is resolved as follows:

 <!-- TODO: verify and document the swarm mode case with container.Node.IPAddress coming from the API -->
 - try a lookup of `host.docker.internal`
- otherwise fall back to `127.0.0.1`
+- if the lookup was unsuccessful, fall back to `127.0.0.1`

-On Linux, (and until [github.com/moby/moby/pull/40007](https://github.com/moby/moby/pull/40007) is included in a release),
-for `host.docker.internal` to be defined, it should be provided as an `extra_host` to the Traefik container,
-using the `--add-host` flag. For example, to set it to the IP address of the bridge interface (docker0 by default):
-`--add-host=host.docker.internal:172.17.0.1`
+On Linux, for versions of Docker older than 20.10.0, for `host.docker.internal` to be defined, it should be provided
+as an `extra_host` to the Traefik container, using the `--add-host` flag. For example, to set it to the IP address of
+the bridge interface (`docker0` by default): `--add-host=host.docker.internal:172.17.0.1`

 ### Docker API Access

@@ -141,10 +145,11 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
    Accessing the Docker API without any restriction is a security concern:
    If Traefik is attacked, then the attacker might get access to the underlying host.
    {: #security-note }
-    
-    As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
+
+    As explained in the [Docker Daemon Attack Surface documentation](https://docs.docker.com/engine/security/#docker-daemon-attack-surface):

    !!! quote
+
        [...] only **trusted** users should be allowed to control your Docker daemon [...]

    ??? success "Solutions"
@@ -152,7 +157,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
        Expose the Docker socket over TCP or SSH, instead of the default Unix socket file.
        It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:

-        - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
+        - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/protect-access/)
        - Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
        - Authorization with the [Docker Authorization Plugin Mechanism](https://web.archive.org/web/20190920092526/https://docs.docker.com/engine/extend/plugins_authorization/)
        - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
@@ -162,13 +167,14 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
        - SSH public key authentication (SSH is supported with Docker > 18.09)

    ??? info "More Resources and Examples"
+
        - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
-        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.containo.us/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
+        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
        - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
        - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
        - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
        - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
-        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/containous/traefik/issues/4174)
+        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
        - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
        - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
        - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
@@ -183,23 +189,23 @@ set the [`swarmMode`](#swarmmode) directive to `true`.
 While in Swarm Mode, Traefik uses labels found on services, not on individual containers.

 Therefore, if you use a compose file with Swarm Mode, labels should be defined in the
-[`deploy`](https://docs.docker.com/compose/compose-file/#labels-1) part of your service.
+[`deploy`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels-1) part of your service.

-This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file)).
+This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/compose-file-v3/)).

 ### Port Detection

 Docker Swarm does not provide any [port detection](#port-detection) information to Traefik.

-Therefore you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
+Therefore, you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
 (Check the reference for this label in the [routing section for Docker](../routing/providers/docker.md#port)).

 ### Docker API Access

 Docker Swarm Mode follows the same rules as Docker [API Access](#docker-api-access).

-As the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes), you should schedule Traefik on the Swarm manager nodes by default,
-by deploying Traefik with a [constraint](https://success.docker.com/article/using-contraints-and-labels-to-control-the-placement-of-containers) on the node's "role":
+Since the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes),
+these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role":

 ```shell tab="With Docker CLI"
 docker service create \
@@ -220,13 +226,13 @@ services:
 ```

 !!! tip "Scheduling Traefik on Worker Nodes"
-    
+
    Following the guidelines given in the previous section ["Docker API Access"](#docker-api-access),
    if you expose the Docker API through TCP, then Traefik can be scheduled on any node if the TCP
    socket is reachable.
-    
+
    Please consider the security implications by reading the [Security Note](#security-note).
-    
+
    A good example can be found on [Bret Fisher's repository](https://github.com/BretFisher/dogvscat/blob/master/stack-proxy-global.yml#L124).

 ## Provider Configuration
@@ -235,21 +241,6 @@ services:

 _Required, Default="unix:///var/run/docker.sock"_

-```toml tab="File (TOML)"
-[providers.docker]
-  endpoint = "unix:///var/run/docker.sock"
-```
-
-```yaml tab="File (YAML)"
-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-```
-
-```bash tab="CLI"
--providers.docker.endpoint=unix:///var/run/docker.sock
-```
-
 See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API Access](#docker-api-access_1) for more information.

 ??? example "Using the docker.sock"
@@ -261,7 +252,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A

    services:
      traefik:
-         image: traefik:v2.2 # The official v2 Traefik docker image
+         image: traefik:v2.4 # The official v2 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -275,14 +266,14 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
      endpoint = "unix:///var/run/docker.sock"
      # ...
    ```
-    
+
    ```yaml tab="File (YAML)"
    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
         # ...
    ```
-    
+
    ```bash tab="CLI"
    --providers.docker.endpoint=unix:///var/run/docker.sock
    # ...
@@ -299,23 +290,66 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
      endpoint = "ssh://traefik@192.168.2.5:2022"
      # ...
    ```
-    
+
    ```yaml tab="File (YAML)"
    providers:
      docker:
        endpoint: "ssh://traefik@192.168.2.5:2022"
         # ...
    ```
-    
+
    ```bash tab="CLI"
    --providers.docker.endpoint=ssh://traefik@192.168.2.5:2022
    # ...
    ```

+```toml tab="File (TOML)"
+[providers.docker]
+  endpoint = "unix:///var/run/docker.sock"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+```
+
+```bash tab="CLI"
+--providers.docker.endpoint=unix:///var/run/docker.sock
+```
+
 ### `useBindPortIP`

 _Optional, Default=false_

+Traefik routes requests to the IP/port of the matching container.
+When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
+
+When used in conjunction with the `traefik.http.services.<name>.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
+Traefik tries to find a binding on port `traefik.http.services.<name>.loadbalancer.server.port`.
+If it cannot find such a binding, Traefik falls back on the internal network IP of the container,
+but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that is set in the label.
+
+??? example "Examples of `usebindportip` in different situations."
+
+    | port label         | Container's binding                                | Routes to      |
+    |--------------------|----------------------------------------------------|----------------|
+    |          -         |           -                                        | IntIP:IntPort  |
+    |          -         | ExtPort:IntPort                                    | IntIP:IntPort  |
+    |          -         | ExtIp:ExtPort:IntPort                              | ExtIp:ExtPort  |
+    | LblPort            |           -                                        | IntIp:LblPort  |
+    | LblPort            | ExtIp:ExtPort:LblPort                              | ExtIp:ExtPort  |
+    | LblPort            | ExtIp:ExtPort:OtherPort                            | IntIp:LblPort  |
+    | LblPort            | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
+
+    !!! info ""
+        In the above table:
+
+        - `ExtIp` stands for "external IP found in the binding"
+        - `IntIp` stands for "internal network container's IP",
+        - `ExtPort` stands for "external Port found in the binding"
+        - `IntPort` stands for "internal network container's port."
+
 ```toml tab="File (TOML)"
 [providers.docker]
  useBindPortIP = true
@@ -334,38 +368,15 @@ providers:
 # ...
 ```

-Traefik routes requests to the IP/Port of the matching container.
-When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
-
-When used in conjunction with the `traefik.http.services.<name>.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
-Traefik tries to find a binding on port `traefik.http.services.<name>.loadbalancer.server.port`.
-If it can't find such a binding, Traefik falls back on the internal network IP of the container,
-but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that is set in the label.
-
-??? example "Examples of `usebindportip` in different situations."
-
-    | port label         | Container's binding                                | Routes to      |
-    |--------------------|----------------------------------------------------|----------------|
-    |          -         |           -                                        | IntIP:IntPort  |
-    |          -         | ExtPort:IntPort                                    | IntIP:IntPort  |
-    |          -         | ExtIp:ExtPort:IntPort                              | ExtIp:ExtPort  |
-    | LblPort            |           -                                        | IntIp:LblPort  |
-    | LblPort            | ExtIp:ExtPort:LblPort                              | ExtIp:ExtPort  |
-    | LblPort            | ExtIp:ExtPort:OtherPort                            | IntIp:LblPort  |
-    | LblPort            | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
-
-    !!! info ""
-        In the above table:
-        
-        - `ExtIp` stands for "external IP found in the binding"
-        - `IntIp` stands for "internal network container's IP",
-        - `ExtPort` stands for "external Port found in the binding"
-        - `IntPort` stands for "internal network container's port."
-
 ### `exposedByDefault`

 _Optional, Default=true_

+Expose containers by default through Traefik.
+If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ```toml tab="File (TOML)"
 [providers.docker]
  exposedByDefault = false
@@ -384,14 +395,13 @@ providers:
 # ...
 ```

-Expose containers by default through Traefik.
-If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `network`

-_Optional, Default=empty_
+_Optional, Default=""_
+
+Defines a default docker network to use for connections to all containers.
+
+This option can be overridden on a per-container basis with the `traefik.docker.network` label.

 ```toml tab="File (TOML)"
 [providers.docker]
@@ -411,14 +421,17 @@ providers:
 # ...
 ```

-Defines a default docker network to use for connections to all containers.
-
-This option can be overridden on a container basis with the `traefik.docker.network` label.
-
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
+
+It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
+[sprig template functions](http://masterminds.github.io/sprig/).
+The container service name can be accessed with the `Name` identifier,
+and the template has access to all the labels defined on this container.
+
 ```toml tab="File (TOML)"
 [providers.docker]
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@@ -437,16 +450,12 @@ providers:
 # ...
 ```

-For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-The container service name can be accessed as the `Name` identifier,
-and the template has access to all the labels defined on this container.
-
 ### `swarmMode`

 _Optional, Default=false_

+Enables the Swarm Mode (instead of standalone Docker).
+
 ```toml tab="File (TOML)"
 [providers.docker]
  swarmMode = true
@@ -465,12 +474,12 @@ providers:
 # ...
 ```

-Activates the Swarm Mode (instead of standalone Docker).
-
 ### `swarmModeRefreshSeconds`

 _Optional, Default=15_

+Defines the polling interval (in seconds) for Swarm Mode.
+
 ```toml tab="File (TOML)"
 [providers.docker]
  swarmModeRefreshSeconds = 30
@@ -489,12 +498,36 @@ providers:
 # ...
 ```

-Defines the polling interval (in seconds) in Swarm Mode.
+### `httpClientTimeout`
+
+_Optional, Default=0_
+
+Defines the client timeout (in seconds) for HTTP connections. If its value is `0`, no timeout is set.
+
+```toml tab="File (TOML)"
+[providers.docker]
+  httpClientTimeout = 300
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    httpClientTimeout: 300
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.httpClientTimeout=300
+# ...
+```

 ### `watch`

 _Optional, Default=true_

+Watch Docker Swarm events.
+
 ```toml tab="File (TOML)"
 [providers.docker]
  watch = false
@@ -513,12 +546,51 @@ providers:
 # ...
 ```

-Watch Docker Swarm events.
-
 ### `constraints`

 _Optional, Default=""_

+The `constraints` option can be set to an expression that Traefik matches against the container tags to determine whether
+to create any route for that container. If none of the container tags match the expression, no route for that container is
+created. If the expression is empty, all detected containers are included.
+
+The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
+as well as the usual boolean logic, as shown in examples below.
+
+??? example "Constraints Expression Examples"
+
+    ```toml
+    # Includes only containers having a label with key `a.label.name` and value `foo`
+    constraints = "Label(`a.label.name`, `foo`)"
+    ```
+
+    ```toml
+    # Excludes containers having any label with key `a.label.name` and value `foo`
+    constraints = "!Label(`a.label.name`, `value`)"
+    ```
+
+    ```toml
+    # With logical AND.
+    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical OR.
+    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical AND and OR, with precedence set by parentheses.
+    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
+    ```
+
+    ```toml
+    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
+    ```
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ```toml tab="File (TOML)"
 [providers.docker]
  constraints = "Label(`a.label.name`,`foo`)"
@@ -537,53 +609,13 @@ providers:
 # ...
 ```

-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-That is to say, if none of the container's labels match the expression, no route for the container is created.
-If the expression is empty, all detected containers are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and value `foo`
-    constraints = "Label(`a.label.name`, `foo`)"
-    ```
-    
-    ```toml
-    # Excludes containers having any label with key `a.label.name` and value `foo`
-    constraints = "!Label(`a.label.name`, `value`)"
-    ```
-    
-    ```toml
-    # With logical AND.
-    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
-    ```
-    
-    ```toml
-    # With logical OR.
-    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
-    ```
-    
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
-    ```
-    
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegex(`a.label.name`, `a.+`)"
-    ```
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `tls`

 _Optional_

 #### `tls.ca`

-Certificate Authority used for the secured connection to Docker.
+Certificate Authority used for the secure connection to Docker.

 ```toml tab="File (TOML)"
 [providers.docker.tls]
@@ -603,12 +635,15 @@ providers:

 #### `tls.caOptional`

-Policy followed for the secured connection with TLS Client Authentication to Docker.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.

- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.

 ```toml tab="File (TOML)"
 [providers.docker.tls]
@@ -628,7 +663,7 @@ providers:

 #### `tls.cert`

-Public certificate used for the secured connection to Docker.
+Public certificate used for the secure connection to Docker.

 ```toml tab="File (TOML)"
 [providers.docker.tls]
@@ -651,7 +686,7 @@ providers:

 #### `tls.key`

-Private certificate used for the secured connection to Docker.
+Private certificate used for the secure connection to Docker.

 ```toml tab="File (TOML)"
 [providers.docker.tls]
@@ -674,7 +709,7 @@ providers:

 #### `tls.insecureSkipVerify`

-If `insecureSkipVerify` is `true`, TLS for the connection to Docker accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.

 ```toml tab="File (TOML)"
 [providers.docker.tls]
--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@@ -0,0 +1,222 @@
+# Traefik & AWS ECS
+
+A Story of Labels & Elastic Containers
+{: .subtitle }
+
+Attach labels to your ECS containers and let Traefik do the rest!
+
+## Configuration Examples
+
+??? example "Configuring ECS provider"
+
+    Enabling the ECS provider:
+
+    ```toml tab="File (TOML)"
+    [providers.ecs]
+    ```
+
+    ```yaml tab="File (YAML)"
+    providers:
+      ecs: {}
+    ```
+
+    ```bash tab="CLI"
+    --providers.ecs=true
+    ```
+
+## Policy
+
+Traefik needs the following policy to read ECS information:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "TraefikECSReadAccess",
+            "Effect": "Allow",
+            "Action": [
+                "ecs:ListClusters",
+                "ecs:DescribeClusters",
+                "ecs:ListTasks",
+                "ecs:DescribeTasks",
+                "ecs:DescribeContainerInstances",
+                "ecs:DescribeTaskDefinition",
+                "ec2:DescribeInstances"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}
+```
+
+## Provider Configuration
+
+### `autoDiscoverClusters`
+
+_Optional, Default=false_
+
+Search for services in cluster list.
+
+- If set to `true` service discovery is disabled on configured clusters, but enabled for all other clusters.
+- If set to `false` service discovery is enabled on configured clusters only.
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  autoDiscoverClusters = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    autoDiscoverClusters: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.autoDiscoverClusters=true
+# ...
+```
+
+### `clusters`
+
+_Optional, Default=["default"]_
+
+Search for services in cluster list.
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  clusters = ["default"]
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    clusters:
+      - default
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.clusters=default
+# ...
+```
+
+### `exposedByDefault`
+
+_Optional, Default=true_
+
+Expose ECS services by default in Traefik.
+
+If set to `false`, services that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.exposedByDefault=false
+# ...
+```
+
+### `defaultRule`
+
+_Optional, Default=```Host(`{{ normalize .Name }}`)```_
+
+The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
+
+It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
+[sprig template functions](http://masterminds.github.io/sprig/).
+The container service name can be accessed with the `Name` identifier,
+and the template has access to all the labels defined on this container.
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+# ...
+```
+
+### `refreshSeconds`
+
+_Optional, Default=15_
+
+Polling interval (in seconds).
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  refreshSeconds = 15
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    refreshSeconds: 15
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.refreshSeconds=15
+# ...
+```
+
+### Credentials
+
+_Optional_
+
+If `region` is not provided, it is resolved from the EC2 metadata endpoint for EC2 tasks.
+In a FARGATE context it is resolved from the `AWS_REGION` environment variable.
+
+If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the following order:
+
+- Using the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
+- Using shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
+- Using EC2 instance role or ECS task role
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  region = "us-east-1"
+  accessKeyID = "abc"
+  secretAccessKey = "123"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    region: us-east-1
+    accessKeyID: "abc"
+    secretAccessKey: "123"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.region="us-east-1"
+--providers.ecs.accessKeyID="abc"
+--providers.ecs.secretAccessKey="123"
+# ...
+```
--- a/docs/content/providers/etcd.md
+++ b/docs/content/providers/etcd.md
@@ -3,7 +3,7 @@
 A Story of KV store & Containers
 {: .subtitle }

-Store your configuration in Etcd and let Traefik do the rest!
+Store your configuration in etcd and let Traefik do the rest!

 ## Routing Configuration

@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).

 _Required, Default="127.0.0.1:2379"_

-Defines how to access to Etcd.
+Defines how to access etcd.

 ```toml tab="File (TOML)"
 [providers.etcd]
@@ -35,10 +35,10 @@ providers:

 ### `rootKey`

-Defines the root key of the configuration.
-
 _Required, Default="traefik"_

+Defines the root key of the configuration.
+
 ```toml tab="File (TOML)"
 [providers.etcd]
  rootKey = "traefik"
@@ -56,10 +56,10 @@ providers:

 ### `username`

-Defines a username to connect with Etcd.
-
 _Optional, Default=""_

+Defines a username with which to connect to etcd.
+
 ```toml tab="File (TOML)"
 [providers.etcd]
  # ...
@@ -81,7 +81,7 @@ providers:

 _Optional, Default=""_

-Defines a password to connect with Etcd.
+Defines a password with which to connect to etcd.

 ```toml tab="File (TOML)"
 [providers.etcd]
@@ -106,7 +106,7 @@ _Optional_

 #### `tls.ca`

-Certificate Authority used for the secured connection to Etcd.
+Certificate Authority used for the secure connection to etcd.

 ```toml tab="File (TOML)"
 [providers.etcd.tls]
@@ -126,12 +126,15 @@ providers:

 #### `tls.caOptional`

-Policy followed for the secured connection with TLS Client Authentication to Etcd.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.

- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.

 ```toml tab="File (TOML)"
 [providers.etcd.tls]
@@ -151,7 +154,7 @@ providers:

 #### `tls.cert`

-Public certificate used for the secured connection to Etcd.
+Public certificate used for the secure connection to etcd.

 ```toml tab="File (TOML)"
 [providers.etcd.tls]
@@ -174,7 +177,7 @@ providers:

 #### `tls.key`

-Private certificate used for the secured connection to Etcd.
+Private certificate used for the secure connection to etcd.

 ```toml tab="File (TOML)"
 [providers.etcd.tls]
@@ -197,7 +200,7 @@ providers:

 #### `tls.insecureSkipVerify`

-If `insecureSkipVerify` is `true`, TLS for the connection to Etcd accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to etcd accepts any certificate presented by the server regardless of the hostnames it covers.

 ```toml tab="File (TOML)"
 [providers.etcd.tls]
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -1,43 +1,43 @@
 # Traefik & File

 Good Old Configuration File
-{: .subtitle } 
+{: .subtitle }

 The file provider lets you define the [dynamic configuration](./overview.md) in a TOML or YAML file.
-You can write one of these mutually exclusive configuration elements:

-* In [a dedicated file](#filename)
-* In [several dedicated files](#directory)
+It supports providing configuration through a [single configuration file](#filename) or [multiple separate files](#directory).

 !!! info
-    The file provider is the default format used throughout the documentation to show samples of the configuration for many features. 
+
+    The file provider is the default format used throughout the documentation to show samples of the configuration for many features.

 !!! tip
-    The file provider can be a good location for common elements you'd like to re-use from other providers; e.g. declaring whitelist middlewares, basic authentication, ...
+
+    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)

 ## Configuration Examples

 ??? example "Declaring Routers, Middlewares & Services"

    Enabling the file provider:
-    
+
    ```toml tab="File (TOML)"
    [providers.file]
      directory = "/path/to/dynamic/conf"
    ```
-    
+
    ```yaml tab="File (YAML)"
    providers:
      file:
        directory: "/path/to/dynamic/conf"
    ```
-    
+
    ```bash tab="CLI"
    --providers.file.directory=/path/to/dynamic/conf
    ```
-    
+
    Declaring Routers, Middlewares & Services:
-    
+
    ```toml tab="TOML"
    [http]
      # Add the router
@@ -47,14 +47,14 @@ You can write one of these mutually exclusive configuration elements:
          middlewares = ["my-basic-auth"]
          service = "service-foo"
          rule = "Path(`/foo`)"
-      
+
      # Add the middleware
-      [http.middlewares]    
+      [http.middlewares]
        [http.middlewares.my-basic-auth.basicAuth]
          users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
                    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
          usersFile = "etc/traefik/.htpasswd"
-      
+
      # Add the service
      [http.services]
        [http.services.service-foo]
@@ -64,7 +64,7 @@ You can write one of these mutually exclusive configuration elements:
            [[http.services.service-foo.loadBalancer.servers]]
              url = "http://bar/"
    ```
-    
+
    ```yaml tab="YAML"
    http:
      # Add the router
@@ -76,7 +76,7 @@ You can write one of these mutually exclusive configuration elements:
          - my-basic-auth
          service: service-foo
          rule: Path(`/foo`)
-      
+
      # Add the middleware
      middlewares:
        my-basic-auth:
@@ -85,7 +85,7 @@ You can write one of these mutually exclusive configuration elements:
            - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
            - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
            usersFile: etc/traefik/.htpasswd
-      
+
      # Add the service
      services:
        service-foo:
@@ -98,31 +98,32 @@ You can write one of these mutually exclusive configuration elements:

 ## Provider Configuration

-If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md).
+For an overview of all the options that can be set with the file provider, see the [dynamic configuration](../reference/dynamic-configuration/file.md) and [static configuration](../reference/static-configuration/overview.md) references.

 !!! warning "Limitations"

    With the file provider, Traefik listens for file system notifications to update the dynamic configuration.
-    
+
    If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors.
    If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught. 
-    
-    For example, in docker, if the host file is renamed, the link to the mounted file will be broken and the container's file will not be updated.
-    To avoid this kind of issue, a good practice is to:
-        
+
+    For example, in Docker, if the host file is renamed, the link to the mounted file is broken and the container's file is no longer updated.
+    To avoid this kind of issue, it is recommended to:
+
    * set the Traefik [**directory**](#directory) configuration with the parent directory
    * mount/bind the parent directory

-    As it is very difficult to listen to all file system notifications, Traefik use [fsnotify](https://github.com/fsnotify/fsnotify).
+    As it is very difficult to listen to all file system notifications, Traefik uses [fsnotify](https://github.com/fsnotify/fsnotify).
    If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
-    
+
 ### `filename`

 Defines the path to the configuration file.

 !!! warning ""
-    `filename` and `directory` are mutually exclusive.
-    The recommendation is to use `directory`.
+
+    The `filename` and `directory` options are mutually exclusive.
+    It is recommended to use `directory`.

 ```toml tab="File (TOML)"
 [providers]
@@ -145,8 +146,9 @@ providers:
 Defines the path to the directory that contains the configuration files.

 !!! warning ""
-    `filename` and `directory` are mutually exclusive.
-    The recommendation is to use `directory`.
+
+    The `filename` and `directory` options are mutually exclusive.
+    It is recommended to use `directory`.

 ```toml tab="File (TOML)"
 [providers]
@@ -166,7 +168,7 @@ providers:

 ### `watch`

-Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.  
+Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.
 It works with both the `filename` and the `directory` options.

 ```toml tab="File (TOML)"
@@ -191,63 +193,62 @@ providers:
 ### Go Templating

 !!! warning
+
    Go Templating only works with dedicated dynamic configuration files.
    Templating does not work in the Traefik main static configuration file.

-Traefik supports using Go templating to automatically generate repetitive portions of configuration files.
-These sections must be valid [Go templates](https://golang.org/pkg/text/template/),
-augmented with the [Sprig template functions](http://masterminds.github.io/sprig/).
+Traefik supports using Go templating to automatically generate repetitive sections of configuration files.
+These sections must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
+[sprig template functions](http://masterminds.github.io/sprig/).

-To illustrate, it's possible to easily define multiple routers, services, and TLS certificates as described in the following examples:
+To illustrate, it is possible to easily define multiple routers, services, and TLS certificates as described in the following examples:

 ??? example "Configuring Using Templating"
-    
+
    ```toml tab="TOML"
    # template-rules.toml
    [http]
-    
+
      [http.routers]
      {{ range $i, $e := until 100 }}
        [http.routers.router{{ $e }}-{{ env "MY_ENV_VAR" }}]
        # ...
-      {{ end }}  
-      
-      
+      {{ end }}
+
      [http.services]
      {{ range $i, $e := until 100 }}
          [http.services.service{{ $e }}]
          # ...
-      {{ end }}  
-      
+      {{ end }}
+
    [tcp]
-    
+
      [tcp.routers]
      {{ range $i, $e := until 100 }}
        [tcp.routers.router{{ $e }}]
        # ...
-      {{ end }}  
-      
-      
+      {{ end }}
+
      [tcp.services]
      {{ range $i, $e := until 100 }}
          [http.services.service{{ $e }}]
          # ...
-      {{ end }}  
-    
+      {{ end }}
+
    {{ range $i, $e := until 10 }}
    [[tls.certificates]]
      certFile = "/etc/traefik/cert-{{ $e }}.pem"
      keyFile = "/etc/traefik/cert-{{ $e }}.key"
-      store = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
+      stores = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
    {{ end }}
-    
+
    [tls.config]
    {{ range $i, $e := until 10 }}
      [tls.config.TLS{{ $e }}]
      # ...
    {{ end }}
    ```
-    
+
    ```yaml tab="YAML"
    http:
      routers:
@@ -255,26 +256,26 @@ To illustrate, it's possible to easily define multiple routers, services, and TL
        router{{ $e }}-{{ env "MY_ENV_VAR" }}:
          # ...
        {{end}}
-    
+
      services:
        {{range $i, $e := until 100 }}
        application{{ $e }}:
          # ...
        {{end}}
-    
+
    tcp:
      routers:
        {{range $i, $e := until 100 }}
        router{{ $e }}:
          # ...
        {{end}}
-    
+
      services:
        {{range $i, $e := until 100 }}
        service{{ $e }}:
          # ...
        {{end}}
-    
+
    tls:
      certificates:
      {{ range $i, $e := until 10 }}
--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@@ -0,0 +1,191 @@
+# Traefik & HTTP
+
+Provide your [dynamic configuration](./overview.md) via an HTTP(S) endpoint and let Traefik do the rest!
+
+## Routing Configuration
+
+The HTTP provider uses the same configuration as the [File Provider](./file.md) in YAML or JSON format.
+
+## Provider Configuration
+
+### `endpoint`
+
+_Required_
+
+Defines the HTTP(S) endpoint to poll.
+
+```toml tab="File (TOML)"
+[providers.http]
+  endpoint = "http://127.0.0.1:9000/api"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    endpoint:
+      - "http://127.0.0.1:9000/api"
+```
+
+```bash tab="CLI"
+--providers.http.endpoint=http://127.0.0.1:9000/api
+```
+
+### `pollInterval`
+
+_Optional, Default="5s"_
+
+Defines the polling interval.
+
+```toml tab="File (TOML)"
+[providers.http]
+  pollInterval = "5s"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    pollInterval: "5s"
+```
+
+```bash tab="CLI"
+--providers.http.pollInterval=5s
+```
+
+### `pollTimeout`
+
+_Optional, Default="5s"_
+
+Defines the polling timeout when connecting to the configured endpoint.
+
+```toml tab="File (TOML)"
+[providers.http]
+  pollTimeout = "5s"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    pollTimeout: "5s"
+```
+
+```bash tab="CLI"
+--providers.http.pollTimeout=5s
+```
+
+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+Certificate Authority used for the secure connection to the configured endpoint.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.http.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the configured endpoint.
+
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.http.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+Public certificate used for the secure connection to the configured endpoint.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.http.tls.cert=path/to/foo.cert
+--providers.http.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+Private certificate used for the secure connection to the configured endpoint.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.http.tls.cert=path/to/foo.cert
+--providers.http.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+If `insecureSkipVerify` is `true`, the TLS connection to the endpoint accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```toml tab="File (TOML)"
+[providers.http.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  http:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.http.tls.insecureSkipVerify=true
+```
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -3,10 +3,11 @@
 The Kubernetes Ingress Controller, The Custom Resource Way.
 {: .subtitle }

-Traefik used to support Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term.
+In early versions, Traefik supported Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term.

 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
-we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
+the Traefik engineering team developed a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+(CRD) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.

 ## Configuration Requirements

@@ -17,8 +18,8 @@ we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/co
    * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment 
        * Enable the kubernetesCRD provider
        * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
-    * Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
- 
+    * Add all necessary Traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
+
 ??? example "Initializing Resource Definition and RBAC"

    ```yaml tab="Traefik Resource Definition"
@@ -37,13 +38,11 @@ Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/ex
 Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:

 * The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
-* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like:
-    * TLS certificate.
-    * Authentication data.
+* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensitive data (TLS certificates and credentials).
 * The structure of the configuration.
-* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
+* The requirement to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).

-The Traefik CRD are building blocks which you can assemble according to your needs.
+The Traefik CRDs are building blocks that you can assemble according to your needs.
 See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).

 ## LetsEncrypt Support with the Custom Resource Definition Provider
@@ -51,23 +50,36 @@ See the list of CRDs in the dedicated [routing section](../routing/providers/kub
 By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
 For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.

-When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
-Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+When using a single instance of Traefik with Let's Encrypt, you should encounter no issues. However, this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik Proxy 2.0 with Let's Encrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and subsequent responses.
+Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.

-If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.

-If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
-When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
-When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
+If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs.
 A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
-Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.
+Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once the certificates are created, Cert-Manager keeps them renewed.

 ## Provider Configuration

 ### `endpoint`

-_Optional, Default=empty_
+_Optional, Default=""_
+
+The Kubernetes server endpoint URL.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside a cluster.
+
+When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
@@ -78,7 +90,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
  kubernetesCRD:
-    endpoint = "http://localhost:8080"
+    endpoint: "http://localhost:8080"
    # ...
 ```

@@ -86,22 +98,11 @@ providers:
 --providers.kubernetescrd.endpoint=http://localhost:8080
 ```

-The Kubernetes server endpoint as URL.
-
-When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
-
-The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-Both are provided mounted automatically when deployed inside Kubernetes.
-
-The endpoint may be specified to override the environment variable values inside a cluster.
-
-When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
-In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
-
 ### `token`

-_Optional, Default=empty_
+_Optional, Default=""_
+
+Bearer token used for the Kubernetes client configuration.

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
@@ -112,7 +113,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
  kubernetesCRD:
-    token = "mytoken"
+    token: "mytoken"
    # ...
 ```

@@ -120,11 +121,12 @@ providers:
 --providers.kubernetescrd.token=mytoken
 ```

-Bearer token used for the Kubernetes client configuration.
-
 ### `certAuthFilePath`

-_Optional, Default=empty_
+_Optional, Default=""_
+
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
@@ -143,12 +145,12 @@ providers:
 --providers.kubernetescrd.certauthfilepath=/my/ca.crt
 ```

-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
 ### `namespaces`

-_Optional, Default: all namespaces (empty array)_
+_Optional, Default: []_
+
+Array of namespaces to watch.
+If left empty, watches all namespaces if the value of `namespaces`.

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
@@ -169,37 +171,46 @@ providers:
 --providers.kubernetescrd.namespaces=default,production
 ```

-Array of namespaces to watch.
-
 ### `labelselector`

-_Optional,Default: empty (process all resources)_
+_Optional, Default: ""_
+
+A label selector can be defined to filter on specific resource objects only,
+this applies only to Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
+and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
+If left empty, Traefik processes all resource objects in the configured namespaces.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
+
+!!! warning
+
+    Because the label selector is applied to all Traefik Custom Resources, they all must match the filter.

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
-  labelselector = "A and not B"
+  labelselector = "app=traefik"
  # ...
 ```

 ```yaml tab="File (YAML)"
 providers:
  kubernetesCRD:
-    labelselector: "A and not B"
+    labelselector: "app=traefik"
    # ...
 ```

 ```bash tab="CLI"
--providers.kubernetescrd.labelselector="A and not B"
+--providers.kubernetescrd.labelselector="app=traefik"
 ```

-By default, Traefik processes all resource objects in the configured namespaces.
-A label selector can be defined to filter on specific resource objects only.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
 ### `ingressClass`

-_Optional, Default: empty_
+_Optional, Default: ""_
+
+Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.
+
+If the parameter is set, only resources containing an annotation with the same value are processed.
+Otherwise, resources missing the annotation, having an empty value, or the value `traefik` are processed.

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
@@ -218,14 +229,17 @@ providers:
 --providers.kubernetescrd.ingressclass=traefik-internal
 ```

-Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.
-
-If the parameter is non-empty, only resources containing an annotation with the same value are processed.
-Otherwise, resources missing the annotation, having an empty value, or the value `traefik` are processed.
-
 ### `throttleDuration`

-_Optional, Default: 0 (no throttling)_
+_Optional, Default: 0_
+
+The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
+a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
+
+If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
+
+The value of `throttleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
@@ -244,6 +258,33 @@ providers:
 --providers.kubernetescrd.throttleDuration=10s
 ```

-## Further
+### `allowCrossNamespace`

-Also see the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
+_Optional, Default: true_
+
+If the parameter is set to `false`, IngressRoutes are not able to reference any resources in other namespaces than theirs.
+
+!!! warning "Deprecation"
+
+    Please note that the default value for this option will be set to `false` in a future version.
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  allowCrossNamespace = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    allowCrossNamespace: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.allowCrossNamespace=false
+```
+
+## Full Example
+
+For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -0,0 +1,263 @@
+# Traefik & Kubernetes with Gateway API
+
+The Kubernetes Gateway API, The Experimental Way.
+{: .subtitle }
+
+Gateway API is the evolution of Kubernetes APIs that relate to `Services`, such as `Ingress`.
+The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
+
+The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
+specifications from the Kubernetes Special Interest Groups (SIGs).
+
+This provider is proposed as an experimental feature and partially supports the Gateway API [v0.2.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.2.0) specification.
+
+!!! warning "Enabling The Experimental Kubernetes Gateway Provider"
+
+    Since this provider is still experimental, it needs to be activated in the experimental section of the static configuration.
+
+    ```toml tab="File (TOML)"
+    [experimental]
+      kubernetesGateway = true
+
+    [providers.kubernetesGateway]
+    #...
+    ```
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      kubernetesGateway: true
+
+    providers:
+      kubernetesGateway: {}
+      #...
+    ```
+
+    ```bash tab="CLI"
+    --experimental.kubernetesgateway=true --providers.kubernetesgateway=true #...
+    ```
+
+## Configuration Requirements
+
+!!! tip "All Steps for a Successful Deployment"
+
+    * Add/update the Kubernetes Gateway API [definitions](../reference/dynamic-configuration/kubernetes-gateway.md#definitions).
+    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources.
+    * Add all needed Kubernetes Gateway API [resources](../reference/dynamic-configuration/kubernetes-gateway.md#resources).
+
+## Examples
+
+??? example "Kubernetes Gateway Provider Basic Example"
+
+    ```yaml tab="Gateway API"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml"
+    ```
+
+    ```yaml tab="Whoami Service"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-whoami-svc.yml"
+    ```
+
+    ```yaml tab="Traefik Service"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml"
+    ```
+
+    ```yaml tab="Gateway API CRDs"
+    # All resources definition must be declared
+    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml"
+    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml"
+    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml"
+    ```
+
+    ```yaml tab="RBAC"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml"
+    ```
+
+The Kubernetes Gateway API project provides several [guides](https://gateway-api.sigs.k8s.io/guides/) on how to use the APIs.
+These guides can help you to go further than the example above.
+The [getting started guide](https://gateway-api.sigs.k8s.io/getting-started/) details how to install the CRDs from their repository.
+
+!!! note ""
+
+    Keep in mind that the Traefik Gateway provider only supports the `v0.1.0`.
+
+For now, the Traefik Gateway Provider can be used while following the below guides:
+
+* [Simple Gateway](https://gateway-api.sigs.k8s.io/simple-gateway/)
+* [HTTP routing](https://gateway-api.sigs.k8s.io/http-routing/)
+* [TLS](https://gateway-api.sigs.k8s.io/tls/) (Partial support: only on listeners with terminate mode)
+
+## Resource Configuration
+
+When using Kubernetes Gateway API as a provider, Traefik uses Kubernetes
+[Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+to retrieve its routing configuration.
+
+All concepts can be found in the official API concepts [documentation](https://gateway-api.sigs.k8s.io/api-overview/).
+Traefik implements the following resources:
+
+* `GatewayClass` defines a set of Gateways that share a common configuration and behaviour.
+* `Gateway` describes how traffic can be translated to Services within the cluster.
+* `HTTPRoute` define HTTP rules for mapping requests from a Gateway to Kubernetes Services.
+
+## Provider Configuration
+
+### `endpoint`
+
+_Optional, Default=""_
+
+The Kubernetes server endpoint URL.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside a cluster.
+
+When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    endpoint: "http://localhost:8080"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.endpoint=http://localhost:8080
+```
+
+### `token`
+
+_Optional, Default=""_
+
+Bearer token used for the Kubernetes client configuration.
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  token = "mytoken"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    token: "mytoken"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.token=mytoken
+```
+
+### `certAuthFilePath`
+
+_Optional, Default=""_
+
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  certAuthFilePath = "/my/ca.crt"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    certAuthFilePath: "/my/ca.crt"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.certauthfilepath=/my/ca.crt
+```
+
+### `namespaces`
+
+_Optional, Default: []_
+
+Array of namespaces to watch.
+If left empty, watches all namespaces if the value of `namespaces`.
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  namespaces = ["default", "production"]
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    namespaces:
+    - "default"
+    - "production"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.namespaces=default,production
+```
+
+### `labelselector`
+
+_Optional, Default: ""_
+
+A label selector can be defined to filter on specific GatewayClass objects only.
+If left empty, Traefik processes all GatewayClass objects in the configured namespaces.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  labelselector = "app=traefik"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    labelselector: "app=traefik"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.labelselector="app=traefik"
+```
+
+### `throttleDuration`
+
+_Optional, Default: 0_
+
+The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
+a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
+
+If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
+
+The value of `throttleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  throttleDuration = "10s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    throttleDuration: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.throttleDuration=10s
+```
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -4,7 +4,7 @@ The Kubernetes Ingress Controller.
 {: .subtitle }

 The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say,
-it manages access to a cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
+it manages access to cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.

 ## Routing Configuration

@@ -12,7 +12,7 @@ See the dedicated section in [routing](../routing/providers/kubernetes-ingress.m

 ## Enabling and Using the Provider

-As usual, the provider is enabled through the static configuration:
+You can enable the provider in the static configuration:

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
@@ -29,7 +29,7 @@ providers:

 The provider then watches for incoming ingresses events, such as the example below,
 and derives the corresponding dynamic configuration from it,
-which in turn will create the resulting routers, services, handlers, etc.
+which in turn creates the resulting routers, services, handlers, etc.

 ```yaml tab="File (YAML)"
 kind: Ingress
@@ -61,26 +61,39 @@ without additional configuration.
 For this reason, users can run multiple instances of Traefik at the same time to achieve HA,
 as is a common pattern in the kubernetes ecosystem.

-When using a single instance of Traefik with LetsEncrypt, no issues should be encountered,
-however this could be a single point of failure.
-Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled,
-because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this,
-but due to sub-optimal performance was dropped as a feature in 2.0.
+When using a single instance of Traefik Proxy with Let's Encrypt, you should encounter no issues.
+However, this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with Let's Encrypt enabled,
+because there is no way to ensure that the correct instance of Traefik receives the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
+but due to sub-optimal performance that feature was dropped in 2.0.

-If you require LetsEncrypt with HA in a kubernetes environment,
-we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+If you need Let's Encrypt with high availability in a Kubernetes environment,
+we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) which includes distributed Let's Encrypt as a supported feature.

-If you are wanting to continue to run Traefik Community Edition,
+If you want to keep using Traefik Proxy,
 LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
 When using Cert-Manager to manage certificates,
-it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).

 ## Provider Configuration

 ### `endpoint`

-_Optional, Default=empty_
+_Optional, Default=""_
+
+The Kubernetes server endpoint URL.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside a cluster.
+
+When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
@@ -91,7 +104,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
  kubernetesIngress:
-    endpoint = "http://localhost:8080"
+    endpoint: "http://localhost:8080"
    # ...
 ```

@@ -99,21 +112,11 @@ providers:
 --providers.kubernetesingress.endpoint=http://localhost:8080
 ```

-The Kubernetes server endpoint as URL, which is only used when the behavior based on environment variables described below does not apply.
-
-When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
-
-The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-They are both provided automatically as mounts in the pod where Traefik is deployed.
-
-When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
-In which case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication
-and authorization of the associated kubeconfig.
-
 ### `token`

-_Optional, Default=empty_
+_Optional, Default=""_
+
+Bearer token used for the Kubernetes client configuration.

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
@@ -124,7 +127,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
  kubernetesIngress:
-    token = "mytoken"
+    token: "mytoken"
    # ...
 ```

@@ -132,11 +135,12 @@ providers:
 --providers.kubernetesingress.token=mytoken
 ```

-Bearer token used for the Kubernetes client configuration.
-
 ### `certAuthFilePath`

-_Optional, Default=empty_
+_Optional, Default=""_
+
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
@@ -155,35 +159,12 @@ providers:
 --providers.kubernetesingress.certauthfilepath=/my/ca.crt
 ```

-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
-### `disablePassHostHeaders`
-
-_Optional, Default=false_
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  disablePassHostHeaders = true
-  # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
-  kubernetesIngress:
-    disablePassHostHeaders: true
-    # ...
-```
-
-```bash tab="CLI"
--providers.kubernetesingress.disablepasshostheaders=true
-```
-
-Whether to disable PassHost Headers.
-
 ### `namespaces`

-_Optional, Default: all namespaces (empty array)_
+_Optional, Default: []_
+
+Array of namespaces to watch.
+If left empty, watches all namespaces if the value of `namespaces`.

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
@@ -204,37 +185,74 @@ providers:
 --providers.kubernetesingress.namespaces=default,production
 ```

-Array of namespaces to watch.
-
 ### `labelSelector`

-_Optional,Default: empty (process all Ingresses)_
+_Optional, Default: ""_
+
+A label selector can be defined to filter on specific Ingress objects only.
+If left empty, Traefik processes all Ingress objects in the configured namespaces.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
-  labelSelector = "A and not B"
+  labelSelector = "app=traefik"
  # ...
 ```

 ```yaml tab="File (YAML)"
 providers:
  kubernetesIngress:
-    labelselector: "A and not B"
+    labelselector: "app=traefik"
    # ...
 ```

 ```bash tab="CLI"
--providers.kubernetesingress.labelselector="A and not B"
+--providers.kubernetesingress.labelselector="app=traefik"
 ```

-By default, Traefik processes all Ingress objects in the configured namespaces.
-A label selector can be defined to filter on specific Ingress objects only.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
 ### `ingressClass`

-_Optional, Default: empty_
+_Optional, Default: ""_
+
+Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
+
+If the parameter is set, only Ingresses containing an annotation with the same value are processed.
+Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
+
+!!! info "Kubernetes 1.18+"
+
+    If the Kubernetes cluster version is 1.18+,
+    the new `IngressClass` resource can be leveraged to identify Ingress objects that should be processed.
+    In that case, Traefik will look for an `IngressClass` in the cluster with the controller value equal to *traefik.io/ingress-controller*. 
+
+    Please see [this article](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/) for more information or the example below.
+
+    ```yaml tab="IngressClass"
+    apiVersion: networking.k8s.io/v1beta1
+    kind: IngressClass
+    metadata:
+      name: traefik-lb
+    spec:
+      controller: traefik.io/ingress-controller
+    ```
+
+    ```yaml tab="Ingress"
+    apiVersion: "networking.k8s.io/v1beta1"
+    kind: "Ingress"
+    metadata:
+      name: "example-ingress"
+    spec:
+      ingressClassName: "traefik-lb"
+      rules:
+      - host: "*.example.com"
+        http:
+          paths:
+          - path: "/example"
+            backend:
+              serviceName: "example-service"
+              servicePort: 80
+    ```

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
@@ -253,16 +271,13 @@ providers:
 --providers.kubernetesingress.ingressclass=traefik-internal
 ```

-Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
-
-If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
-Otherwise, Ingresses missing the annotation, having an empty value, or with the value `traefik` are processed.
-
 ### `ingressEndpoint`

 #### `hostname`

-_Optional, Default: empty_
+_Optional, Default: ""_
+
+Hostname used for Kubernetes Ingress endpoints.

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress.ingressEndpoint]
@@ -282,11 +297,11 @@ providers:
 --providers.kubernetesingress.ingressendpoint.hostname=example.net
 ```

-Hostname used for Kubernetes Ingress endpoints.
-
 #### `ip`

-_Optional, Default: empty_
+_Optional, Default: ""_
+
+IP used for Kubernetes Ingress endpoints.

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress.ingressEndpoint]
@@ -306,11 +321,12 @@ providers:
 --providers.kubernetesingress.ingressendpoint.ip=1.2.3.4
 ```

-IP used for Kubernetes Ingress endpoints.
-
 #### `publishedService`

-_Optional, Default: empty_
+_Optional, Default: ""_
+
+Published Kubernetes Service to copy status from.
+Format: `namespace/servicename`.

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress.ingressEndpoint]
@@ -330,12 +346,17 @@ providers:
 --providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
 ```

-Published Kubernetes Service to copy status from.
-Format: `namespace/servicename`.
-
 ### `throttleDuration`

-_Optional, Default: 0 (no throttling)_
+_Optional, Default: 0_
+
+The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
+a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
+
+If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
+
+The value of `throttleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).

 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
@@ -356,5 +377,5 @@ providers:

 ### Further

-If one wants to know more about the various aspects of the Ingress spec that Traefik supports,
-many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.2/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+To learn more about the various aspects of the Ingress specification that Traefik supports,
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@@ -3,28 +3,28 @@
 Traefik can be configured to use Marathon as a provider.
 {: .subtitle }

-See also [Marathon user guide](../user-guides/marathon.md).
+For additional information, refer to [Marathon user guide](../user-guides/marathon.md).

 ## Configuration Examples

 ??? example "Configuring Marathon & Deploying / Exposing Applications"

-    Enabling the marathon provider
+    Enabling the Marathon provider

    ```toml tab="File (TOML)"
    [providers.marathon]
    ```
-    
+
    ```yaml tab="File (YAML)"
    providers:
      marathon: {}
    ```
-    
+
    ```bash tab="CLI"
    --providers.marathon=true
    ```

-    Attaching labels to marathon applications
+    Attaching labels to Marathon applications

    ```json
 	{
@@ -32,7 +32,7 @@ See also [Marathon user guide](../user-guides/marathon.md).
 		"container": {
 			"type": "DOCKER",
 			"docker": {
-				"image": "containous/whoami",
+				"image": "traefik/whoami",
 				"network": "BRIDGE",
 				"portMappings": [
 					{
@@ -59,6 +59,8 @@ See the dedicated section in [routing](../routing/providers/marathon.md).

 _Optional_

+Enables Marathon basic authentication.
+
 ```toml tab="File (TOML)"
 [providers.marathon.basic]
  httpBasicAuthUser = "foo"
@@ -78,12 +80,14 @@ providers:
 --providers.marathon.basic.httpbasicpassword=bar
 ```

-Enables Marathon basic authentication.
-
 ### `dcosToken`

 _Optional_

+Datacenter Operating System (DCOS) Token for DCOS environment.
+
+If set, it overrides the Authorization header.
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  dcosToken = "xxxxxx"
@@ -101,14 +105,20 @@ providers:
 --providers.marathon.dcosToken=xxxxxx
 ```

-DCOSToken for DCOS environment.
-
-If set, it overrides the Authorization header.
-
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+The default host rule for all services.
+
+For a given application, if no routing rule was defined by a label, it is defined by this `defaultRule` instead.
+
+It must be a valid [Go template](https://golang.org/pkg/text/template/),
+and can include [sprig template functions](http://masterminds.github.io/sprig/).
+
+The app ID can be accessed with the `Name` identifier,
+and the template has access to all the labels defined on this Marathon application.
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@@ -127,18 +137,16 @@ providers:
 # ...
 ```

-For a given application if no routing rule was defined by a label, it is defined by this defaultRule instead.
-
-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-
-The app ID can be accessed as the Name identifier,
-and the template has access to all the labels defined on this Marathon application.
-
 ### `dialerTimeout`

 _Optional, Default=5s_

+Amount of time the Marathon provider should wait before timing out,
+when trying to open a TCP connection to a Marathon master.
+
+The value of `dialerTimeout` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  dialerTimeout = "10s"
@@ -156,18 +164,14 @@ providers:
 --providers.marathon.dialerTimeout=10s
 ```

-Overrides DialerTimeout.
-
-Amount of time the Marathon provider should wait before timing out,
-when trying to open a TCP connection to a Marathon master.
-
-Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
-or directly as a number of seconds.
-
 ### `endpoint`

 _Optional, Default=http://127.0.0.1:8080_

+Marathon server endpoint.
+
+You can optionally specify multiple endpoints.
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
@@ -185,14 +189,16 @@ providers:
 --providers.marathon.endpoint=http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080
 ```

-Marathon server endpoint.
-
-You can optionally specify multiple endpoints:
-
 ### `exposedByDefault`

 _Optional, Default=true_

+Exposes Marathon applications by default through Traefik.
+
+If set to `false`, applications that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  exposedByDefault = false
@@ -211,16 +217,63 @@ providers:
 # ...
 ```

-Exposes Marathon applications by default through Traefik.
-
-If set to false, applications that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `constraints`

 _Optional, Default=""_

+The `constraints` option can be set to an expression that Traefik matches against the application labels to determine whether
+to create any route for that application. If none of the application labels match the expression, no route for that application is
+created. In addition, the expression is also matched against the application constraints, such as described
+in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
+If the expression is empty, all detected applications are included.
+
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic.
+In addition, to match against Marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are concatenated in a single string using the `:` separator.
+
+??? example "Constraints Expression Examples"
+
+    ```toml
+    # Includes only applications having a label with key `a.label.name` and value `foo`
+    constraints = "Label(`a.label.name`, `foo`)"
+    ```
+
+    ```toml
+    # Excludes applications having any label with key `a.label.name` and value `foo`
+    constraints = "!Label(`a.label.name`, `value`)"
+    ```
+
+    ```toml
+    # With logical AND.
+    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical OR.
+    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical AND and OR, with precedence set by parentheses.
+    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
+    ```
+
+    ```toml
+    # Includes only applications having a label with key `a.label.name` and a value matching the `a.+` regular expression.
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
+    ```
+
+    ```toml
+    # Includes only applications having a Marathon constraint with field `A`, operator `B`, and value `C`.
+    constraints = "MarathonConstraint(`A:B:C`)"
+    ```
+
+    ```toml
+    # Uses both Marathon constraint and application label with logical operator.
+    constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)"
+    ```
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  constraints = "Label(`a.label.name`,`foo`)"
@@ -239,62 +292,14 @@ providers:
 # ...
 ```

-Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
-That is to say, if none of the application's labels match the expression, no route for the application is created.
-In addition, the expression also matched against the application's constraints, such as described in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
-If the expression is empty, all detected applications are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")`, as well as the usual boolean logic.
-In addition, to match against marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are joined together in a single string with the `:` separator.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only applications having a label with key `a.label.name` and value `foo`
-    constraints = "Label(`a.label.name`, `foo`)"
-    ```
-    
-    ```toml
-    # Excludes applications having any label with key `a.label.name` and value `foo`
-    constraints = "!Label(`a.label.name`, `value`)"
-    ```
-    
-    ```toml
-    # With logical AND.
-    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
-    ```
-    
-    ```toml
-    # With logical OR.
-    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
-    ```
-    
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
-    ```
-    
-    ```toml
-    # Includes only applications having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegex(`a.label.name`, `a.+`)"
-    ```
-
-    ```toml
-    # Includes only applications having a Marathon constraint with field `A`, operator `B`, and value `C`.
-    constraints = "MarathonConstraint(`A:B:C`)"
-    ```
-
-    ```toml
-    # Uses both Marathon constraint and application label with logical operator.
-    constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)"
-    ```
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `forceTaskHostname`

 _Optional, Default=false_

+By default, the task IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
+otherwise, the name of the host running the task is used.
+The latter behavior can be enforced by setting this option to `true`.
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  forceTaskHostname = true
@@ -313,14 +318,14 @@ providers:
 # ...
 ```

-By default, a task's IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
-otherwise, the name of the host running the task is used.
-The latter behavior can be enforced by enabling this switch.
-
 ### `keepAlive`

 _Optional, Default=10s_

+Set the TCP Keep Alive duration for the Marathon HTTP Client.
+The value of `keepAlive` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  keepAlive = "30s"
@@ -339,14 +344,16 @@ providers:
 # ...
 ```

-Set the TCP Keep Alive interval for the Marathon HTTP Client.
-Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
-or directly as a number of seconds.
-
 ### `respectReadinessChecks`

 _Optional, Default=false_

+Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
+Enabling `respectReadinessChecks` causes Traefik to filter out tasks whose readiness checks have not succeeded.
+Note that the checks are only valid during deployments.
+
+See the Marathon guide for details.
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  respectReadinessChecks = true
@@ -365,16 +372,16 @@ providers:
 # ...
 ```

-Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
-Enabling respectReadinessChecks causes Traefik to filter out tasks whose readiness checks have not succeeded.
-Note that the checks are only valid at deployment times.
-
-See the Marathon guide for details.
-
 ### `responseHeaderTimeout`

 _Optional, Default=60s_

+Amount of time the Marathon provider should wait before timing out when waiting for the first response header
+from a Marathon master.
+
+The value of `responseHeaderTimeout` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  responseHeaderTimeout = "66s"
@@ -393,19 +400,13 @@ providers:
 # ...
 ```

-Overrides ResponseHeaderTimeout.
-Amount of time the Marathon provider should wait before timing out,
-when waiting for the first response header from a Marathon master.
-
-Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), or directly as a number of seconds.
-
 ### `tls`

 _Optional_

 #### `tls.ca`

-Certificate Authority used for the secured connection to Marathon.
+Certificate Authority used for the secure connection to Marathon.

 ```toml tab="File (TOML)"
 [providers.marathon.tls]
@@ -425,12 +426,15 @@ providers:

 #### `tls.caOptional`

-Policy followed for the secured connection to Marathon with TLS Client Authentication.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.

- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.

 ```toml tab="File (TOML)"
 [providers.marathon.tls]
@@ -450,7 +454,7 @@ providers:

 #### `tls.cert`

-Public certificate used for the secured connection to Marathon.
+Public certificate used for the secure connection to Marathon.

 ```toml tab="File (TOML)"
 [providers.marathon.tls]
@@ -473,7 +477,7 @@ providers:

 #### `tls.key`

-Private certificate used for the secured connection to Marathon.
+Private certificate used for the secure connection to Marathon.

 ```toml tab="File (TOML)"
 [providers.marathon.tls]
@@ -496,7 +500,7 @@ providers:

 #### `tls.insecureSkipVerify`

-If `insecureSkipVerify` is `true`, TLS for the connection to Marathon accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.

 ```toml tab="File (TOML)"
 [providers.marathon.tls]
@@ -518,6 +522,12 @@ providers:

 _Optional, Default=5s_

+Amount of time the Marathon provider should wait before timing out,
+when waiting for the TLS handshake to complete.
+
+The value of `tlsHandshakeTimeout` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  responseHeaderTimeout = "10s"
@@ -536,17 +546,12 @@ providers:
 # ...
 ```

-Overrides TLSHandshakeTimeout.
-
-Amount of time the Marathon provider should wait before timing out,
-when waiting for the TLS handshake to complete.
-Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
-or directly as a number of seconds.
-
 ### `trace`

 _Optional, Default=false_

+Displays additional provider logs when available.
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  trace = true
@@ -565,12 +570,12 @@ providers:
 # ...
 ```

-Displays additional provider logs (if available).
-
 ### `watch`

 _Optional, Default=true_

+When set to `true`, watches for Marathon changes.
+
 ```toml tab="File (TOML)"
 [providers.marathon]
  watch = false
@@ -588,5 +593,3 @@ providers:
 --providers.marathon.watch=false
 # ...
 ```
-
-Enables watching for Marathon changes.
--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@@ -7,60 +7,167 @@ Traefik's Many Friends

 Configuration discovery in Traefik is achieved through _Providers_.

-The _providers_ are existing infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. 
-The idea is that Traefik will query the providers' API in order to find relevant information about routing,
-and each time Traefik detects a change, it dynamically updates the routes.
-
-Deploy and forget is Traefik's credo.
+The _providers_ are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores.
+The idea is that Traefik queries the provider APIs in order to find relevant information about routing,
+and when Traefik detects a change, it dynamically updates the routes.

 ## Orchestrators

-Even if each provider is different, we can categorize them in four groups:
+While each provider is different, you can think of each as belonging to one of four categories:

- Label based (each deployed container has a set of labels attached to it)
- Key-Value based (each deployed container updates a key-value store with relevant information)
- Annotation based (a separate object, with annotations, defines the characteristics of the container)
- File based (the good old configuration file)
+- Label-based: each deployed container has a set of labels attached to it
+- Key-Value-based: each deployed container updates a key-value store with relevant information
+- Annotation-based: a separate object, with annotations, defines the characteristics of the container
+- File-based: uses files to define configuration

-## Supported Providers 
+## Provider Namespace

-Below is the list of the currently supported providers in Traefik. 
+When you declare certain objects in the Traefik dynamic configuration,
+such as middleware, services, TLS options or server transports, they reside in their provider's namespace.
+For example, if you declare a middleware using a Docker label, it resides in the Docker provider namespace.
+
+If you use multiple providers and wish to reference such an object declared in another provider
+(e.g. referencing a cross-provider object like middleware), then the object name should be suffixed by the `@`
+separator, and the provider name.
+
+```text
+<resource-name>@<provider-name>
+```
+
+!!! important "Kubernetes Namespace"
+
+    As Kubernetes also has its own notion of namespace,
+    one should not confuse the _provider namespace_ with the _Kubernetes Namespace_ of a resource when in the context of cross-provider usage.
+
+    In this case, since the definition of a Traefik dynamic configuration object is not in Kubernetes,
+    specifying a Kubernetes Namespace when referring to the resource does not make any sense.
+
+    On the other hand, if you were to declare a middleware as a Custom Resource in Kubernetes and use the non-CRD Ingress objects,
+    you would have to add the Kubernetes Namespace of the middleware to the annotation like this `<middleware-namespace>-<middleware-name>@kubernetescrd`.
+
+!!! abstract "Referencing a Traefik Dynamic Configuration Object from Another Provider"
+
+    Declaring the add-foo-prefix in the file provider.
+
+    ```toml tab="File (TOML)"
+    [http.middlewares]
+      [http.middlewares.add-foo-prefix.addPrefix]
+        prefix = "/foo"
+    ```
+
+    ```yaml tab="File (YAML)"
+    http:
+      middlewares:
+        add-foo-prefix:
+          addPrefix:
+            prefix: "/foo"
+    ```
+
+    Using the add-foo-prefix middleware from other providers:
+
+    ```yaml tab="Docker"
+    your-container: #
+      image: your-docker-image
+
+      labels:
+        # Attach add-foo-prefix@file middleware (declared in file)
+        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
+    ```
+
+    ```yaml tab="Kubernetes Ingress Route"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: ingressroutestripprefix
+
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - match: Host(`example.com`)
+          kind: Rule
+          services:
+            - name: whoami
+              port: 80
+          middlewares:
+            - name: add-foo-prefix@file
+            # namespace: bar
+            # A namespace specification such as above is ignored
+            # when the cross-provider syntax is used.
+    ```
+
+    ```yaml tab="Kubernetes Ingress"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: stripprefix
+      namespace: appspace
+    spec:
+      stripPrefix:
+        prefixes:
+          - /stripit
+
+    ---
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      name: ingress
+      namespace: appspace
+      annotations:
+        # referencing a middleware from Kubernetes CRD provider: 
+        # <middleware-namespace>-<middleware-name>@kubernetescrd
+        "traefik.ingress.kubernetes.io/router.middlewares": appspace-stripprefix@kubernetescrd
+    spec:
+      # ... regular ingress definition
+    ```
+
+## Supported Providers
+
+Below is the list of the currently supported providers in Traefik.

 | Provider                              | Type         | Configuration Type         |
 |---------------------------------------|--------------|----------------------------|
 | [Docker](./docker.md)                 | Orchestrator | Label                      |
 | [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource or Ingress |
 | [Consul Catalog](./consul-catalog.md) | Orchestrator | Label                      |
+| [ECS](./ecs.md)                       | Orchestrator | Label                      |
 | [Marathon](./marathon.md)             | Orchestrator | Label                      |
 | [Rancher](./rancher.md)               | Orchestrator | Label                      |
 | [File](./file.md)                     | Manual       | TOML/YAML format           |
 | [Consul](./consul.md)                 | KV           | KV                         |
-| [etcd](./etcd.md)                     | KV           | KV                         |
-| [Redis](./redis.md)                   | KV           | KV                         |
+| [Etcd](./etcd.md)                     | KV           | KV                         |
 | [ZooKeeper](./zookeeper.md)           | KV           | KV                         |
+| [Redis](./redis.md)                   | KV           | KV                         |
+| [HTTP](./http.md)                     | Manual       | JSON format                |

 !!! info "More Providers"

-    The current version of Traefik doesn't support (yet) every provider.
-    See the [previous version (v1.7)](https://docs.traefik.io/v1.7/) for more providers.
+    The current version of Traefik does not yet support every provider that Traefik v1.7 did.
+    See the [previous version (v1.7)](https://doc.traefik.io/traefik/v1.7/) for more providers.

-### Configuration reload frequency
+### Configuration Reload Frequency
+
+#### `providers.providersThrottleDuration`
+
+_Optional, Default: 2s_

 In some cases, some providers might undergo a sudden burst of changes,
 which would generate a lot of configuration change events.
 If Traefik took them all into account,
-that would trigger a lot more configuration reloads than what is necessary,
+that would trigger a lot more configuration reloads than is necessary,
 or even useful.

 In order to mitigate that, the `providers.providersThrottleDuration` option can be set.
 It is the duration that Traefik waits for, after a configuration reload,
 before taking into account any new configuration refresh event.
-If any event arrives during that duration, only the most recent one is taken into account,
-and all the previous others are dropped.
+If multiple events occur within this time, only the most recent one is taken into account,
+and all others are discarded.

 This option cannot be set per provider,
-but the throttling algorithm applies independently to each of them.
-It defaults to 2 seconds.
+but the throttling algorithm applies to each of them independently.
+
+The value of `providers.providersThrottleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).

 ```toml tab="File (TOML)"
 [providers]
@@ -82,17 +189,18 @@ TODO (document TCP VS HTTP dynamic configuration)

 ## Restrict the Scope of Service Discovery

-By default Traefik will create routes for all detected containers.
+By default, Traefik creates routes for all detected containers.

-If you want to limit the scope of Traefik's service discovery,
+If you want to limit the scope of the Traefik service discovery,
 i.e. disallow route creation for some containers,
 you can do so in two different ways:
-either with the generic configuration option `exposedByDefault`,
-or with a finer granularity mechanism based on constraints.
+
+- the generic configuration option `exposedByDefault`,
+- a finer granularity mechanism based on constraints.

 ### `exposedByDefault` and `traefik.enable`

-List of providers that support that feature:
+List of providers that support these features:

 - [Docker](./docker.md#exposedbydefault)
 - [Consul Catalog](./consul-catalog.md#exposedbydefault)
@@ -109,3 +217,4 @@ List of providers that support constraints:
 - [Marathon](./marathon.md#constraints)
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)
 - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
+- [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)
--- a/docs/content/providers/rancher.md
+++ b/docs/content/providers/rancher.md
@@ -8,25 +8,25 @@ A Story of Labels, Services & Containers
 Attach labels to your services and let Traefik do the rest!

 !!! important "This provider is specific to Rancher 1.x."
-    
+
    Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
-    As such, Rancher 2.x users should utilize the [Kubernetes provider](./kubernetes-crd.md) directly.
+    As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](./kubernetes-crd.md) directly.

 ## Configuration Examples

 ??? example "Configuring Rancher & Deploying / Exposing Services"

-    Enabling the rancher provider
+    Enabling the Rancher provider

    ```toml tab="File (TOML)"
    [providers.rancher]
    ```
-    
+
    ```yaml tab="File (YAML)"
    providers:
      rancher: {}
    ```
-    
+
    ```bash tab="CLI"
    --providers.rancher=true
    ```
@@ -45,16 +45,17 @@ See the dedicated section in [routing](../routing/providers/rancher.md).
 ## Provider Configuration

 ??? tip "Browse the Reference"
-    If you're in a hurry, maybe you'd rather go through the configuration reference:
-    
+
+    For an overview of all the options that can be set with the Rancher provider, see the following snippets:
+
    ```toml tab="File (TOML)"
    --8<-- "content/providers/rancher.toml"
    ```
-    
+
    ```yaml tab="File (YAML)"
    --8<-- "content/providers/rancher.yml"
    ```
-    
+
    ```bash tab="CLI"
    --8<-- "content/providers/rancher.txt"
    ```
@@ -63,6 +64,11 @@ See the dedicated section in [routing](../routing/providers/rancher.md).

 _Optional, Default=true_

+Expose Rancher services by default in Traefik.
+If set to `false`, services that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ```toml tab="File (TOML)"
 [providers.rancher]
  exposedByDefault = false
@@ -81,15 +87,21 @@ providers:
 # ...
 ```

-Expose Rancher services by default in Traefik.
-If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+The default host rule for all services.
+
+The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
+
+It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
+[sprig template functions](http://masterminds.github.io/sprig/).
+The service name can be accessed with the `Name` identifier,
+and the template has access to all the labels defined on this container.
+
+This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
+
 ```toml tab="File (TOML)"
 [providers.rancher]
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@@ -108,20 +120,12 @@ providers:
 # ...
 ```

-The default host rule for all services.
-
-For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-The service name can be accessed as the `Name` identifier,
-and the template has access to all the labels defined on this container.
-
-This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
-
 ### `enableServiceHealthFilter`

 _Optional, Default=true_

+Filter out services with unhealthy states and inactive states.
+
 ```toml tab="File (TOML)"
 [providers.rancher]
  enableServiceHealthFilter = false
@@ -140,12 +144,12 @@ providers:
 # ...
 ```

-Filter services with unhealthy states and inactive states.
-
 ### `refreshSeconds`

 _Optional, Default=15_

+Defines the polling interval (in seconds).
+
 ```toml tab="File (TOML)"
 [providers.rancher]
  refreshSeconds = 30
@@ -164,12 +168,13 @@ providers:
 # ...
 ```

-Defines the polling interval (in seconds).
-
 ### `intervalPoll`

 _Optional, Default=false_

+Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
+which is less accurate than the default long polling technique which provides near instantaneous updates to Traefik.
+
 ```toml tab="File (TOML)"
 [providers.rancher]
  intervalPoll = true
@@ -188,12 +193,11 @@ providers:
 # ...
 ```

-Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
-which is less accurate than the default long polling technique which will provide near instantaneous updates to Traefik.
-
 ### `prefix`

-_Optional, Default=/latest_
+_Optional, Default="/latest"_
+
+Prefix used for accessing the Rancher metadata service.

 ```toml tab="File (TOML)"
 [providers.rancher]
@@ -213,12 +217,51 @@ providers:
 # ...
 ```

-Prefix used for accessing the Rancher metadata service
-
 ### `constraints`

 _Optional, Default=""_

+The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
+to create any route for that container. If none of the container tags match the expression, no route for that container is
+created. If the expression is empty, all detected containers are included.
+
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as
+the usual boolean logic, as shown in examples below.
+
+??? example "Constraints Expression Examples"
+
+    ```toml
+    # Includes only containers having a label with key `a.label.name` and value `foo`
+    constraints = "Label(`a.label.name`, `foo`)"
+    ```
+
+    ```toml
+    # Excludes containers having any label with key `a.label.name` and value `foo`
+    constraints = "!Label(`a.label.name`, `value`)"
+    ```
+
+    ```toml
+    # With logical AND.
+    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical OR.
+    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical AND and OR, with precedence set by parentheses.
+    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
+    ```
+
+    ```toml
+    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
+    ```
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ```toml tab="File (TOML)"
 [providers.rancher]
  constraints = "Label(`a.label.name`,`foo`)"
@@ -236,43 +279,3 @@ providers:
 --providers.rancher.constraints=Label(`a.label.name`,`foo`)
 # ...
 ```
-
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-That is to say, if none of the container's labels match the expression, no route for the container is created.
-If the expression is empty, all detected containers are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and value `foo`
-    constraints = "Label(`a.label.name`, `foo`)"
-    ```
-    
-    ```toml
-    # Excludes containers having any label with key `a.label.name` and value `foo`
-    constraints = "!Label(`a.label.name`, `value`)"
-    ```
-    
-    ```toml
-    # With logical AND.
-    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
-    ```
-    
-    ```toml
-    # With logical OR.
-    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
-    ```
-    
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
-    ```
-    
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegex(`a.label.name`, `a.+`)"
-    ```
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
--- a/docs/content/providers/redis.md
+++ b/docs/content/providers/redis.md
@@ -35,10 +35,10 @@ providers:

 ### `rootKey`

-Defines the root key of the configuration.
-
 _Required, Default="traefik"_

+Defines the root key of the configuration.
+
 ```toml tab="File (TOML)"
 [providers.redis]
  rootKey = "traefik"
@@ -56,10 +56,10 @@ providers:

 ### `username`

-Defines a username to connect with Redis.
-
 _Optional, Default=""_

+Defines a username to connect with Redis.
+
 ```toml tab="File (TOML)"
 [providers.redis]
  # ...
@@ -106,7 +106,7 @@ _Optional_

 #### `tls.ca`

-Certificate Authority used for the secured connection to Redis.
+Certificate Authority used for the secure connection to Redis.

 ```toml tab="File (TOML)"
 [providers.redis.tls]
@@ -126,12 +126,15 @@ providers:

 #### `tls.caOptional`

-Policy followed for the secured connection with TLS Client Authentication to Redis.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.

- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.

 ```toml tab="File (TOML)"
 [providers.redis.tls]
@@ -151,7 +154,7 @@ providers:

 #### `tls.cert`

-Public certificate used for the secured connection to Redis.
+Public certificate used for the secure connection to Redis.

 ```toml tab="File (TOML)"
 [providers.redis.tls]
@@ -174,7 +177,7 @@ providers:

 #### `tls.key`

-Private certificate used for the secured connection to Redis.
+Private certificate used for the secure connection to Redis.

 ```toml tab="File (TOML)"
 [providers.redis.tls]
@@ -197,7 +200,7 @@ providers:

 #### `tls.insecureSkipVerify`

-If `insecureSkipVerify` is `true`, TLS for the connection to Redis accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.

 ```toml tab="File (TOML)"
 [providers.redis.tls]
--- a/docs/content/providers/zookeeper.md
+++ b/docs/content/providers/zookeeper.md
@@ -1,6 +1,6 @@
 # Traefik & ZooKeeper

-A Story of KV store & Containers
+A Story of KV Store & Containers
 {: .subtitle }

 Store your configuration in ZooKeeper and let Traefik do the rest!
@@ -35,10 +35,10 @@ providers:

 ### `rootKey`

-Defines the root key of the configuration.
-
 _Required, Default="traefik"_

+Defines the root key of the configuration.
+
 ```toml tab="File (TOML)"
 [providers.zooKeeper]
  rootKey = "traefik"
@@ -56,10 +56,10 @@ providers:

 ### `username`

-Defines a username to connect with ZooKeeper.
-
 _Optional, Default=""_

+Defines a username to connect with ZooKeeper.
+
 ```toml tab="File (TOML)"
 [providers.zooKeeper]
  # ...
@@ -106,7 +106,7 @@ _Optional_

 #### `tls.ca`

-Certificate Authority used for the secured connection to ZooKeeper.
+Certificate Authority used for the secure connection to ZooKeeper.

 ```toml tab="File (TOML)"
 [providers.zooKeeper.tls]
@@ -126,12 +126,15 @@ providers:

 #### `tls.caOptional`

-Policy followed for the secured connection with TLS Client Authentication to ZooKeeper.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.

- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.

 ```toml tab="File (TOML)"
 [providers.zooKeeper.tls]
@@ -151,7 +154,7 @@ providers:

 #### `tls.cert`

-Public certificate used for the secured connection to ZooKeeper.
+Public certificate used for the secure connection to ZooKeeper.

 ```toml tab="File (TOML)"
 [providers.zooKeeper.tls]
@@ -174,7 +177,7 @@ providers:

 #### `tls.key`

-Private certificate used for the secured connection to ZooKeeper.
+Private certificate used for the secure connection to ZooKeeper.

 ```toml tab="File (TOML)"
 [providers.zooKeeper.tls]
@@ -197,7 +200,7 @@ providers:

 #### `tls.insecureSkipVerify`

-If `insecureSkipVerify` is `true`, TLS for the connection to ZooKeeper accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to Zookeeper accepts any certificate presented by the server regardless of the hostnames it covers.

 ```toml tab="File (TOML)"
 [providers.zooKeeper.tls]
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -24,6 +24,8 @@
 - "traefik.http.middlewares.middleware08.errors.status=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.address=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
@@ -35,6 +37,7 @@
 - "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin=foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlistregex=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage=42"
 - "traefik.http.middlewares.middleware10.headers.addvaryheader=true"
@@ -91,26 +94,28 @@
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.pem=true"
- "traefik.http.middlewares.middleware14.ratelimit.average=42"
- "traefik.http.middlewares.middleware14.ratelimit.burst=42"
- "traefik.http.middlewares.middleware14.ratelimit.period=42"
- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requestheadername=foobar"
- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requesthost=true"
- "traefik.http.middlewares.middleware15.redirectregex.permanent=true"
- "traefik.http.middlewares.middleware15.redirectregex.regex=foobar"
- "traefik.http.middlewares.middleware15.redirectregex.replacement=foobar"
- "traefik.http.middlewares.middleware16.redirectscheme.permanent=true"
- "traefik.http.middlewares.middleware16.redirectscheme.port=foobar"
- "traefik.http.middlewares.middleware16.redirectscheme.scheme=foobar"
- "traefik.http.middlewares.middleware17.replacepath.path=foobar"
- "traefik.http.middlewares.middleware18.replacepathregex.regex=foobar"
- "traefik.http.middlewares.middleware18.replacepathregex.replacement=foobar"
- "traefik.http.middlewares.middleware19.retry.attempts=42"
- "traefik.http.middlewares.middleware20.stripprefix.forceslash=true"
- "traefik.http.middlewares.middleware20.stripprefix.prefixes=foobar, foobar"
- "traefik.http.middlewares.middleware21.stripprefixregex.regex=foobar, foobar"
+- "traefik.http.middlewares.middleware14.plugin.foobar.foo=bar"
+- "traefik.http.middlewares.middleware15.ratelimit.average=42"
+- "traefik.http.middlewares.middleware15.ratelimit.burst=42"
+- "traefik.http.middlewares.middleware15.ratelimit.period=42"
+- "traefik.http.middlewares.middleware15.ratelimit.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware15.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware15.ratelimit.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware15.ratelimit.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware16.redirectregex.permanent=true"
+- "traefik.http.middlewares.middleware16.redirectregex.regex=foobar"
+- "traefik.http.middlewares.middleware16.redirectregex.replacement=foobar"
+- "traefik.http.middlewares.middleware17.redirectscheme.permanent=true"
+- "traefik.http.middlewares.middleware17.redirectscheme.port=foobar"
+- "traefik.http.middlewares.middleware17.redirectscheme.scheme=foobar"
+- "traefik.http.middlewares.middleware18.replacepath.path=foobar"
+- "traefik.http.middlewares.middleware19.replacepathregex.regex=foobar"
+- "traefik.http.middlewares.middleware19.replacepathregex.replacement=foobar"
+- "traefik.http.middlewares.middleware20.retry.attempts=42"
+- "traefik.http.middlewares.middleware20.retry.initialinterval=42"
+- "traefik.http.middlewares.middleware21.stripprefix.forceslash=true"
+- "traefik.http.middlewares.middleware21.stripprefix.prefixes=foobar, foobar"
+- "traefik.http.middlewares.middleware22.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.priority=42"
@@ -150,10 +155,11 @@
 - "traefik.http.services.service01.loadbalancer.sticky.cookie=true"
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.httponly=true"
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.name=foobar"
- "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.samesite=foobar"
+- "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service01.loadbalancer.server.port=foobar"
 - "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.serverstransport=foobar"
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.rule=foobar"
 - "traefik.tcp.routers.tcprouter0.service=foobar"
@@ -178,6 +184,7 @@
 - "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
 - "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay=42"
 - "traefik.tcp.services.tcpservice01.loadbalancer.server.port=foobar"
+- "traefik.tcp.services.tcpservice01.loadbalancer.proxyprotocol.version=42"
 - "traefik.udp.routers.udprouter0.entrypoints=foobar, foobar"
 - "traefik.udp.routers.udprouter0.service=foobar"
 - "traefik.udp.routers.udprouter1.entrypoints=foobar, foobar"
--- a/Show More
+++ b/Show More