fix: doc requirements

Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,82 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-
----
-<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
-- the Traefik community forum: https://community.containo.us/
-
--->
-
-Bug
-
-<!--
-
-The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
-
--->
-
-### What did you do?
-
-<!--
-
-HOW TO WRITE A GOOD BUG REPORT?
-
-- Respect the issue template as much as possible.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->
-
-### What did you expect to see?
-
-
-
-### What did you see instead?
-
-
-
-### Output of `traefik version`: (_What version of Traefik are you using?_)
-
-<!--
-`latest` is not considered as a valid version.
-
-For the Traefik Docker image:
-    docker run [IMAGE] version
-    ex: docker run traefik version
-
--->
-
-```
-(paste your output here)
-```
-
-### What is your environment & configuration (arguments, toml, provider, platform, ...)?
-
-```toml
-# (paste your configuration here)
-```
-
-<!--
-Add more configuration information here.
--->
-
-
-### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
-
-```
-(paste your output here)
-```

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,35 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-
----
-<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
-- the Traefik community forum: https://community.containo.us/
-
--->
-
-Feature
-
-### What did you expect to see?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
-- Respect the issue template as much as possible.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,80 @@
+name: Bug Report (Traefik)
+description: Create a report to help us improve.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
+        - the Traefik community forum: https://community.containo.us/
+
+        The configurations between 1.X and 2.X are NOT compatible. Please have a look [here](https://doc.traefik.io/traefik/getting-started/configuration-overview/).
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you do?
+      description: |
+        How to write a good bug report?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you do?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What did you see instead?
+      placeholder: What did you see instead?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What version of Traefik are you using?
+      description: |
+        `latest` is not considered as a valid version.
+
+        Output of `traefik version`.
+
+        For the Traefik Docker image (`docker run [IMAGE] version`), example:
+        ```console
+        $ docker run traefik version
+        ```
+      placeholder: Paste your output here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What is your environment & configuration?
+      description: arguments, toml, provider, platform, ...
+      placeholder: Add information here.
+      value: |
+        ```yaml
+        # (paste your configuration here)
+        ```
+
+        Add more configuration information here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: If applicable, please paste the log output in DEBUG level
+      description: "`--log.level=DEBUG` switch."
+      placeholder: Paste your output here.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Traefik Community Support
+    url: https://community.traefik.io/
+    about: If you have a question, or are looking for advice, please post on our Discuss forum! The community loves to chime in to help. Happy Coding!
+  - name: Traefik Helm Chart Issues
+    url: https://github.com/traefik/traefik-helm-chart
+    about: Are you submitting an issue or feature enhancement for the Traefik helm chart? Please post in the traefik-helm-chart GitHub Issues.

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,33 @@
+name: Feature Request (Traefik)
+description: Suggest an idea for this project.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
+        - the Traefik community forum: https://community.containo.us/
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you expect to see?
+      description: |
+        How to write a good issue?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you expect to see?
+    validations:
+      required: true

.github/workflows/build.yaml

@@ -0,0 +1,82 @@
+name: Build Binaries
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.16
+  CGO_ENABLED: 0
+  PRE_TARGET: ""
+
+jobs:
+
+  build-webui:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Build webui
+        run: |
+          make generate-webui
+          tar czvf webui.tar.gz ./static/
+
+      - name: Artifact webui
+        uses: actions/upload-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: webui.tar.gz
+
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ ubuntu-20.04, macos-latest, windows-latest ]
+    needs:
+      - build-webui
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+            ~/Library/Caches/go-build
+            '%LocalAppData%\go-build'
+          key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-build-go-
+
+      - name: Installing dependencies
+        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+      - name: Untar webui
+        run: tar xvf webui.tar.gz
+
+      - name: Build
+        run: make binary

.github/workflows/check_doc.yml

@@ -0,0 +1,21 @@
+name: Check Documentation
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+
+  docs:
+    name: Check, verify and build documentation
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Check documentation
+        run: make docs-pull-images docs

.github/workflows/documentation.yml

@@ -6,18 +6,18 @@ on:
       - master
       - v*
 
+env:
+  STRUCTOR_VERSION: v1.11.2
+  MIXTUS_VERSION: v0.4.1
+
 jobs:
 
   docs:
     name: Doc Process
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     if: github.repository == 'traefik/traefik'
-    env:
-      STRUCTOR_VERSION: v1.11.2
-      MIXTUS_VERSION: v0.4.1
 
     steps:
-
       - name: Check out code
         uses: actions/checkout@v2
         with:
@@ -32,6 +32,9 @@ jobs:
       - name: Install Structor ${{ env.STRUCTOR_VERSION }}
         run: curl -sSfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | sh -s -- -b $HOME/bin ${STRUCTOR_VERSION}
 
+      - name: Install Seo-doc
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/seo-doc/master/godownloader.sh | sh -s -- -b "${HOME}/bin"
+
       - name: Install Mixtus ${{ env.MIXTUS_VERSION }}
         run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
 
@@ -40,6 +43,9 @@ jobs:
         env:
           STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
 
+      - name: Apply seo
+        run: $HOME/bin/seo -path=./site
+
       - name: Publish documentation
         run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
         env:

.github/workflows/test-unit.yaml

@@ -0,0 +1,46 @@
+name: Test Unit
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.16
+  PRE_TARGET: ""
+
+jobs:
+
+  test-unit:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-test-unit-go-
+
+      - name: Installing dependencies
+        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+
+      - name: Tests
+        run: make test-unit

.github/workflows/validate.yaml

@@ -0,0 +1,100 @@
+name: Validate
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.16
+  GOLANGCI_LINT_VERSION: v1.41.1
+  MISSSPELL_VERSION: v0.3.4
+  PRE_TARGET: ""
+
+jobs:
+
+  validate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-go-
+
+      - name: Installing dependencies
+        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+
+      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
+
+      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+
+      - name: Validate
+        run: make validate
+
+  validate-generate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-generate-go-
+
+      - name: Installing dependencies
+        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+
+      - name: go generate
+        run: |
+          go generate
+          git diff --exit-code
+
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          git diff --exit-code
+
+      - name: make generate-crd
+        run: |
+          make generate-crd
+          git diff --exit-code

.golangci.toml

@@ -30,38 +30,75 @@
     lines = 230 # default 60
     statements = 120 # default 40
 
+  [linters-settings.forbidigo]
+    forbid = [
+      '^print(ln)?$',
+      '^spew\.Print(f|ln)?$',
+      '^spew\.Dump$',
+    ]
+
+  [linters-settings.depguard]
+    list-type = "blacklist"
+    include-go-root = false
+    packages = ["github.com/pkg/errors"]
+
+  [linters-settings.godox]
+    keywords = ["FIXME"]
+
+  [linters-settings.importas]
+    corev1 = "k8s.io/api/core/v1"
+    networkingv1beta1 = "k8s.io/api/networking/v1beta1"
+    extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
+    metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
+    kubeerror = "k8s.io/apimachinery/pkg/api/errors"
+
+  [linters-settings.gomoddirectives]
+    replace-allow-list = [
+      "github.com/abbot/go-http-auth",
+      "github.com/go-check/check",
+      "github.com/gorilla/mux",
+      "github.com/mailgun/minheap",
+      "github.com/mailgun/multibuf",
+    ]
+
 [linters]
   enable-all = true
   disable = [
+    "scopelint", # Deprecated
+    "interfacer", # Deprecated
+    "maligned", # Deprecated
+    "golint", # Deprecated
+    "sqlclosecheck", # Not relevant (SQL)
+    "rowserrcheck", # Not relevant (SQL)
+    "lll", # Not relevant
     "gocyclo", # FIXME must be fixed
-    "gosec",
-    "dupl",
-    "maligned",
-    "lll",
-    "unparam",
-    "prealloc",
-    "scopelint",
+    "cyclop", # Duplicate of gocyclo
+    "gocognit", # Too strict
+    "nestif", # Too many false-positive.
+    "prealloc", # Too many false-positive.
+    "makezero", # Not relevant
+    "ifshort", # Not relevant
+    "dupl", # Too strict
+    "gosec", # Too strict
     "gochecknoinits",
     "gochecknoglobals",
-    "godox",
-    "gocognit",
-    "bodyclose", # Too many false-positive and panics.
     "wsl", # Too strict
+    "nlreturn", # Not relevant
     "gomnd", # Too strict
     "stylecheck", # skip because report issues related to some generated files.
     "testpackage", # Too strict
-    "goerr113", # Too strict
-    "nestif", # Too many false-positive.
-    "noctx", # Too strict
-    "exhaustive", # Too strict
-    "nlreturn", # Not relevant
-    "wrapcheck", # Too strict
     "tparallel", # Not relevant
     "paralleltest", # Not relevant
+    "exhaustive", # Not relevant
     "exhaustivestruct", # Not relevant
-    "makezero", # not relevant
-    "forbidigo", # not relevant
-    "ifshort", # not relevant
+    "goerr113", # Too strict
+    "wrapcheck", # Too strict
+    "noctx", # Too strict
+    "bodyclose", # Too many false-positive and panics.
+    "unparam", # Too strict
+    "godox", # Too strict
+    "forcetypeassert", # Too strict
+    "tagliatelle", # Not compatible with current tags.
   ]
 
 [issues]
@@ -69,9 +106,9 @@
   max-per-linter = 0
   max-same-issues = 0
   exclude = [
-    "SA1019: http.CloseNotifier is deprecated: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead.", # FIXME must be fixed
     "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
     "should have a package comment, unless it's in another file for this package",
+    "SA1019: http.CloseNotifier has been deprecated",  # FIXME must be fixed
   ]
  [[issues.exclude-rules]]
     path = "(.+)_test.go"
@@ -88,18 +125,12 @@
  [[issues.exclude-rules]]
     path = "pkg/h2c/h2c.go"
     text = "Error return value of `rw.Write` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/middlewares/recovery/recovery.go"
-    text = "`logger` can be `github.com/stretchr/testify/assert.TestingT`"
  [[issues.exclude-rules]]
     path = "pkg/provider/docker/builder_test.go"
     text = "(U1000: func )?`(.+)` is unused"
  [[issues.exclude-rules]]
     path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
     text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/config/parser/.+_test.go"
-    text = "U1000: field `(foo|fuu)` is unused"
  [[issues.exclude-rules]]
     path = "pkg/server/service/bufferpool.go"
     text = "SA6002: argument should be pointer-like to avoid allocations"
@@ -109,9 +140,6 @@
  [[issues.exclude-rules]]
     path = "pkg/server/middleware/middlewares.go"
     text = "Function 'buildConstructor' has too many statements"
- [[issues.exclude-rules]] # FIXME must be fixed
-    path = "cmd/context.go"
-    text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
  [[issues.exclude-rules]]
     path = "pkg/tracing/haystack/logger.go"
     linters = ["goprintffuncname"]

.semaphore/semaphore.yml

@@ -0,0 +1,100 @@
+version: v1.0
+name: Traefik
+agent:
+  machine:
+    type: e1-standard-4
+    os_image: ubuntu1804
+
+fail_fast:
+  stop:
+    when: "branch != 'master'"
+
+auto_cancel:
+  queued:
+    when: "branch != 'master'"
+  running:
+    when: "branch != 'master'"
+
+global_job_config:
+  prologue:
+    commands:
+      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
+      - sudo semgo go1.16
+      - export "GOPATH=$(go env GOPATH)"
+      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
+      - export "PATH=${GOPATH}/bin:${PATH}"
+      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
+      - export GOPROXY=https://proxy.golang.org,direct
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.41.1
+      - curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
+      - go install github.com/containous/go-bindata/go-bindata@v1.0.0
+      - checkout
+      - cache restore traefik-$(checksum go.sum)
+
+blocks:
+  - name: Test Integration Container
+    dependencies: []
+    run:
+      when: "branch =~ '.*' OR pull_request =~'.*'"
+    task:
+      jobs:
+        - name: Test Integration Container
+          commands:
+            - make pull-images
+            - mkdir -p static # Avoid to generate webui
+            - PRE_TARGET="" make binary
+            - make test-integration-container
+            - df -h
+      epilogue:
+        always:
+          commands:
+            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
+
+  - name: Test Integration Host
+    dependencies: []
+    run:
+      when: "branch =~ '.*' OR pull_request =~'.*'"
+    task:
+      env_vars:
+        - name: PRE_TARGET
+          value: ""
+      jobs:
+        - name: Test Integration Host
+          commands:
+            - mkdir -p static # Avoid to generate webui
+            - make test-integration-host
+      epilogue:
+        always:
+          commands:
+            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
+
+  - name: Release
+    dependencies: []
+    run:
+      when: "tag =~ '.*'"
+    task:
+      agent:
+        machine:
+          type: e1-standard-8
+          os_image: ubuntu1804
+      secrets:
+        - name: traefik
+      env_vars:
+        - name: GH_VERSION
+          value: 1.12.1
+        - name: CODENAME
+          value: "livarot"
+        - name: PRE_TARGET
+          value: ""
+      prologue:
+        commands:
+          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
+          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
+          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
+          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
+      jobs:
+        - name: Release
+          commands:
+            - make release-packages
+            - gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/traefik*.* --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
+            - ./script/deploy.sh

.semaphoreci/cleanup.sh

@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-sudo rm -rf static

.semaphoreci/golang.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-curl -O https://dl.google.com/go/go"${GO_VERSION}".linux-amd64.tar.gz
-
-tar -xvf go"${GO_VERSION}".linux-amd64.tar.gz
-rm -rf go"${GO_VERSION}".linux-amd64.tar.gz
-
-sudo mkdir -p /usr/local/golang/"${GO_VERSION}"/go
-sudo mv go /usr/local/golang/"${GO_VERSION}"/
-
-sudo rm /usr/local/bin/go
-sudo chmod +x /usr/local/golang/"${GO_VERSION}"/go/bin/go
-sudo ln -s /usr/local/golang/"${GO_VERSION}"/go/bin/go /usr/local/bin/go
-
-export GOROOT="/usr/local/golang/${GO_VERSION}/go"
-export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"
-
-go version

.semaphoreci/job1.sh

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-integration; fi

.semaphoreci/job2.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-ci_retry make validate
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
-
-if [ -n "$SHOULD_TEST" ]; then make -j"${N_MAKE_JOBS}" crossbinary-default-parallel; fi

.semaphoreci/setup.sh

@@ -1,35 +0,0 @@
-# For personnal CI
-# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/traefik/
-# cd /home/runner/workspace/src/github.com/traefik/traefik/
-for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
-sudo swapoff -a
-sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
-sudo mkswap /swapfile
-sudo swapon /swapfile
-sudo rm -rf /home/runner/.rbenv
-sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
-#export DOCKER_VERSION=18.06.3
-source .semaphoreci/vars
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/traefik/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
-echo ${SHOULD_TEST}
-if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
-echo ${TEMP_STORAGE}
-echo ${SHOULD_TEST}
-#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
-#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
-if [ -n "$SHOULD_TEST" ]; then docker version; fi
-export GO_VERSION=1.13
-if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-#if [ "${GO_VERSION}" == '1.15' ]; then export GO_VERSION=1.15rc2; fi
-echo "Selected Go version: ${GO_VERSION}"
-
-if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
-if [ -f "./.semaphoreci/golang.sh" ]; then export GOROOT="/usr/local/golang/${GO_VERSION}/go"; fi
-if [ -f "./.semaphoreci/golang.sh" ]; then export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"; fi
-go version
-
-if [ -f "./go.mod" ]; then export GO111MODULE=on; fi
-if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
-if [ -f "./go.mod" ]; then go mod download; fi
-
-df

.semaphoreci/vars

@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-export REPO='traefik/traefik'
-
-if VERSION=$(git describe --exact-match --abbrev=0 --tags);
-then
-  export VERSION
-else
-  export VERSION=''
-fi
-
-export CODENAME=livarot
-
-export N_MAKE_JOBS=2
-
-
-function ci_retry {
-
-    local NRETRY=3
-    local NSLEEP=5
-    local n=0
-
-    until [ $n -ge $NRETRY ]
-    do
-        "$@" && break
-        n=$((n+1))
-        echo "${*} failed, attempt ${n}/${NRETRY}"
-        sleep $NSLEEP
-    done
-
-    [ $n -lt $NRETRY ]
-
-}
-
-export -f ci_retry

.travis.yml

@@ -1,50 +0,0 @@
-sudo: required
-dist: trusty
-
-git:
-  depth: false
-
-services:
-  - docker
-
-env:
-  global:
-    - REPO=$TRAVIS_REPO_SLUG
-    - VERSION=$TRAVIS_TAG
-    - CODENAME=livarot
-    - GO111MODULE=on
-
-script:
-- echo "Skipping tests... (Tests are executed on SemaphoreCI)"
-- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs; fi
-
-before_deploy:
-  - >
-    if ! [ "$BEFORE_DEPLOY_RUN" ]; then
-      export BEFORE_DEPLOY_RUN=1;
-      sudo -E apt-get -yq update;
-      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
-      docker version;
-      echo "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin;
-      make build-image;
-      if [ "$TRAVIS_TAG" ]; then
-        make release-packages;
-      fi;
-    fi
-
-deploy:
-  - provider: releases
-    api_key: ${GITHUB_TOKEN}
-    file: dist/traefik*
-    skip_cleanup: true
-    file_glob: true
-    on:
-      repo: traefik/traefik
-      tags: true
-  - provider: script
-    script: sh script/deploy.sh
-    skip_cleanup: true
-    on:
-      repo: traefik/traefik
-      tags: true
-

CHANGELOG.md

@@ -1,3 +1,154 @@
+## [v2.4.14](https://github.com/traefik/traefik/tree/v2.4.14) (2021-08-16)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.13...v2.4.14)
+
+**Bug fixes:**
+- **[k8s/crd,k8s]** Avoid unauthorized middleware cross namespace reference  ([#8322](https://github.com/traefik/traefik/pull/8322) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[kv]** Remove unwanted trailing slash in key ([#8335](https://github.com/traefik/traefik/pull/8335) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[middleware]** Redirect: fix comparison when explicit port request and implicit redirect port ([#8348](https://github.com/traefik/traefik/pull/8348) by [tcolgate](https://github.com/tcolgate))
+
+**Documentation:**
+- **[kv]** Fix a router's entryPoint definition example for KV provider ([#8357](https://github.com/traefik/traefik/pull/8357) by [avtion](https://github.com/avtion))
+
+## [v2.4.13](https://github.com/traefik/traefik/tree/v2.4.13) (2021-07-30)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.12...v2.4.13)
+
+**Bug fixes:**
+- **[authentication,middleware]** Remove hop-by-hop headers define in connection header beore some middleware ([#8319](https://github.com/traefik/traefik/pull/8319) by [ldez](https://github.com/ldez))
+
+## [v2.4.12](https://github.com/traefik/traefik/tree/v2.4.12) (2021-07-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.11...v2.4.12)
+
+**Bug fixes:**
+- **[k8s,k8s/ingress]** Get Kubernetes server version early ([#8286](https://github.com/traefik/traefik/pull/8286) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/ingress]** Don't remove ingress config on API call failure ([#8185](https://github.com/traefik/traefik/pull/8185) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** Ratelimiter: use correct ttlSeconds value, and always call Set ([#8254](https://github.com/traefik/traefik/pull/8254) by [mpl](https://github.com/mpl))
+- **[tls]** Check if defaultcertificate is defined in store ([#8274](https://github.com/traefik/traefik/pull/8274) by [dtomcej](https://github.com/dtomcej))
+
+## [v2.4.11](https://github.com/traefik/traefik/tree/v2.4.11) (2021-07-15)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.9...v2.4.11)
+
+**Bug fixes:**
+- **[k8s,k8s/crd,k8s/ingress]** Disable ExternalName Services by default on Kubernetes providers ([#8261](https://github.com/traefik/traefik/pull/8261) by [dtomcej](https://github.com/dtomcej))
+- **[k8s,k8s/crd,k8s/ingress]** Fix: malformed Kubernetes resource names and references in tests ([#8226](https://github.com/traefik/traefik/pull/8226) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/crd]** Disable Cross-Namespace by default for IngressRoute provider ([#8260](https://github.com/traefik/traefik/pull/8260) by [dtomcej](https://github.com/dtomcej))
+- **[logs,middleware]** Accesslog: support multiple values for a given header ([#8258](https://github.com/traefik/traefik/pull/8258) by [ldez](https://github.com/ldez))
+- **[logs]** Ignore http 1.0 request host missing errors ([#8252](https://github.com/traefik/traefik/pull/8252) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** Headers Middleware: support http.CloseNotifier interface ([#8238](https://github.com/traefik/traefik/pull/8238) by [dtomcej](https://github.com/dtomcej))
+- **[tls]** Detect certificates content modifications ([#8243](https://github.com/traefik/traefik/pull/8243) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Documentation:**
+- **[middleware,k8s]** Fix invalid subdomain ([#8212](https://github.com/traefik/traefik/pull/8212) by [WLun001](https://github.com/WLun001))
+- Add the list of available provider names ([#8225](https://github.com/traefik/traefik/pull/8225) by [WLun001](https://github.com/WLun001))
+- Fix maintainers-guidelines page title ([#8216](https://github.com/traefik/traefik/pull/8216) by [kubopanda](https://github.com/kubopanda))
+- Typos in contributing section ([#8215](https://github.com/traefik/traefik/pull/8215) by [kubopanda](https://github.com/kubopanda))
+
+## [v2.4.10](https://github.com/traefik/traefik/tree/v2.4.10) (2021-07-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.9...v2.4.10)
+
+Release canceled.
+
+## [v2.4.9](https://github.com/traefik/traefik/tree/v2.4.9) (2021-06-21)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.8...v2.4.9)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.4.0 ([#8179](https://github.com/traefik/traefik/pull/8179) by [ldez](https://github.com/ldez))
+- **[acme]** Fix: ACME preferred chain. ([#8146](https://github.com/traefik/traefik/pull/8146) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/gatewayapi]** Remove error when HTTProutes is empty ([#8023](https://github.com/traefik/traefik/pull/8023) by [tomMoulard](https://github.com/tomMoulard))
+- **[k8s,k8s/ingress]** Fix incorrect behaviour with multi-port endpoint subsets ([#8156](https://github.com/traefik/traefik/pull/8156) by [coufalja](https://github.com/coufalja))
+- **[k8s,k8s/ingress]** Kubernetes ingress provider to search via all endpoints ([#7997](https://github.com/traefik/traefik/pull/7997) by [martinvizvary](https://github.com/martinvizvary))
+- **[plugins,windows]** Fix plugin unzip call on windows ([#8136](https://github.com/traefik/traefik/pull/8136) by [ddtmachado](https://github.com/ddtmachado))
+- **[plugins]** Update Yaegi to v0.9.17 ([#8100](https://github.com/traefik/traefik/pull/8100) by [ldez](https://github.com/ldez))
+- **[provider]** Bump paerser to v0.1.4 ([#8116](https://github.com/traefik/traefik/pull/8116) by [ldez](https://github.com/ldez))
+- **[server]** Create buffered signals channel ([#8190](https://github.com/traefik/traefik/pull/8190) by [dtomcej](https://github.com/dtomcej))
+- **[server]** Fix: use defaultEntryPoints when no entryPoint is defined in a TCPRouter ([#8111](https://github.com/traefik/traefik/pull/8111) by [LandryBe](https://github.com/LandryBe))
+- **[tls]** Use a dynamic buffer to handle client Hello SNI detection ([#8194](https://github.com/traefik/traefik/pull/8194) by [ldez](https://github.com/ldez))
+- **[tracing]** Error span on 5xx only ([#8033](https://github.com/traefik/traefik/pull/8033) by [kevtainer](https://github.com/kevtainer))
+
+**Documentation:**
+- **[k8s,k8s/crd]** Fix ingressRouteTCP external name service examples in documentation ([#8120](https://github.com/traefik/traefik/pull/8120) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Fix Kubernetes Gateway API documentation links ([#8063](https://github.com/traefik/traefik/pull/8063) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/gatewayapi]** Fix: k8s gateway api link ([#8085](https://github.com/traefik/traefik/pull/8085) by [tomMoulard](https://github.com/tomMoulard))
+- **[k8s,k8s/gatewayapi]** Fix the "values" field in the example of httproute ([#8192](https://github.com/traefik/traefik/pull/8192) by [maelvls](https://github.com/maelvls))
+- **[k8s/crd]** Fix ServersTransport documentation ([#8019](https://github.com/traefik/traefik/pull/8019) by [tomMoulard](https://github.com/tomMoulard))
+- **[k8s]** Correct annotation option ([#8031](https://github.com/traefik/traefik/pull/8031) by [cbergmann](https://github.com/cbergmann))
+- **[metrics]** Add metrics documentation ([#8007](https://github.com/traefik/traefik/pull/8007) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Docs: add examples for removing headers ([#8030](https://github.com/traefik/traefik/pull/8030) by [SuperSandro2000](https://github.com/SuperSandro2000))
+- **[middleware]** Doc: clarify usage for ratelimit's excludedIPs ([#8072](https://github.com/traefik/traefik/pull/8072) by [mpl](https://github.com/mpl))
+- **[middleware]** Elaborate on possible use of status codes with the errors middleware ([#8176](https://github.com/traefik/traefik/pull/8176) by [Midnighter](https://github.com/Midnighter))
+- **[middleware]** Doc: fix a syntax error in ratelimit TOML configuration sample ([#8101](https://github.com/traefik/traefik/pull/8101) by [mvertes](https://github.com/mvertes))
+- **[pilot]** Docs: add pilot dashboard flag to static configuration file reference ([#8152](https://github.com/traefik/traefik/pull/8152) by [danshilm](https://github.com/danshilm))
+- Adding Maintainers Guidelines ([#8168](https://github.com/traefik/traefik/pull/8168) by [jakubhajek](https://github.com/jakubhajek))
+- Explains Traefik HTTP response status codes ([#8170](https://github.com/traefik/traefik/pull/8170) by [rtribotte](https://github.com/rtribotte))
+- Doc: typo fix ([#8026](https://github.com/traefik/traefik/pull/8026) by [mpl](https://github.com/mpl))
+- Adding formatting to the document. ([#8180](https://github.com/traefik/traefik/pull/8180) by [jakubhajek](https://github.com/jakubhajek))
+- Changing default file format for the snippets from TOML to YAML ([#8193](https://github.com/traefik/traefik/pull/8193) by [tomMoulard](https://github.com/tomMoulard))
+
+## [v2.4.8](https://github.com/traefik/traefik/tree/v2.4.8) (2021-03-22)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.7...v2.4.8)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.3.1 ([#7980](https://github.com/traefik/traefik/pull/7980) by [ldez](https://github.com/ldez))
+- **[acme]** Update go-acme/lego to v4.3.0 ([#7975](https://github.com/traefik/traefik/pull/7975) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/gatewayapi]** Update to gateway-api v0.2.0 ([#7943](https://github.com/traefik/traefik/pull/7943) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[pilot,webui]** Adding an option to (de)activate Pilot integration into the Traefik dashboard ([#7994](https://github.com/traefik/traefik/pull/7994) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Raise errors for non-ASCII domain names in a router's rules ([#7986](https://github.com/traefik/traefik/pull/7986) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Update pires/go-proxyproto to v0.5.0 ([#7948](https://github.com/traefik/traefik/pull/7948) by [mschneider82](https://github.com/mschneider82))
+
+**Documentation:**
+- **[middleware]** Improve basic auth middleware httpasswd example ([#7992](https://github.com/traefik/traefik/pull/7992) by [d3473r](https://github.com/d3473r))
+- **[middleware]** Add missing `traefik.` prefix across sample config ([#7990](https://github.com/traefik/traefik/pull/7990) by [deepyaman](https://github.com/deepyaman))
+- **[middleware]** Remove a no longer needed note ([#7979](https://github.com/traefik/traefik/pull/7979) by [cmcga1125](https://github.com/cmcga1125))
+
+## [v2.4.7](https://github.com/traefik/traefik/tree/v2.4.7) (2021-03-08)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.6...v2.4.7)
+
+**Bug fixes:**
+- **[acme]** Fix: double close chan on TLS challenge ([#7956](https://github.com/traefik/traefik/pull/7956) by [ldez](https://github.com/ldez))
+- **[provider]** Bump paerser to v0.1.2 ([#7945](https://github.com/traefik/traefik/pull/7945) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[server]** Feature: tune transport buffer size to increase performance ([#7957](https://github.com/traefik/traefik/pull/7957) by [mvertes](https://github.com/mvertes))
+
+**Documentation:**
+- **[service]** Fix ServersTransport documentation ([#7942](https://github.com/traefik/traefik/pull/7942) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.4.6](https://github.com/traefik/traefik/tree/v2.4.6) (2021-03-01)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.5...v2.4.6)
+
+**Bug fixes:**
+- **[plugins]** Update Yaegi to v0.9.13 ([#7928](https://github.com/traefik/traefik/pull/7928) by [ldez](https://github.com/ldez))
+- **[provider]** Fix: wait for file and internal before applying configurations ([#7925](https://github.com/traefik/traefik/pull/7925) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[file]** Fix reflink typo in file provider documentation ([#7913](https://github.com/traefik/traefik/pull/7913) by [vgerak](https://github.com/vgerak))
+- **[k8s/serviceapi]** Fix Kubernetes Gateway API documentation links ([#7914](https://github.com/traefik/traefik/pull/7914) by [kevinpollet](https://github.com/kevinpollet))
+- **[service]** Fix typo in routing/services/index.md ([#7922](https://github.com/traefik/traefik/pull/7922) by [snikch](https://github.com/snikch))
+- Fixing doc for default value of checknewversion ([#7933](https://github.com/traefik/traefik/pull/7933) by [tomMoulard](https://github.com/tomMoulard))
+
+## [v2.4.5](https://github.com/traefik/traefik/tree/v2.4.5) (2021-02-18)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.3...v2.4.5)
+
+**Bug fixes:**
+- **[webui]** Only allow iframes to be loaded from our domain ([#7904](https://github.com/traefik/traefik/pull/7904) by [SantoDE](https://github.com/SantoDE))
+
+## [v2.4.4](https://github.com/traefik/traefik/tree/v2.4.4) (2021-02-18)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.3...v2.4.4)
+
+Release canceled.
+
+## [v2.4.3](https://github.com/traefik/traefik/tree/v2.4.3) (2021-02-15)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.2...v2.4.3)
+
+**Bug fixes:**
+- **[acme]** Fix TLS challenge timeout and validation error ([#7879](https://github.com/traefik/traefik/pull/7879) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Fixed typo in consul catalog tests ([#7865](https://github.com/traefik/traefik/pull/7865) by [apollo13](https://github.com/apollo13))
+- **[middleware]** Apply content type exclusion on response ([#7888](https://github.com/traefik/traefik/pull/7888) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Documentation:**
+- **[middleware]** Add HEAD as available option for Method ([#7858](https://github.com/traefik/traefik/pull/7858) by [mlandauer](https://github.com/mlandauer))
+- **[middleware]** Middleware documentation fixes ([#7808](https://github.com/traefik/traefik/pull/7808) by [Ullaakut](https://github.com/Ullaakut))
+- **[provider]** Add missing doc about servers transport ([#7894](https://github.com/traefik/traefik/pull/7894) by [ldez](https://github.com/ldez))
+- **[provider]** Provider documentation fixes ([#7823](https://github.com/traefik/traefik/pull/7823) by [Ullaakut](https://github.com/Ullaakut))
+- Fix the static reference documentation for the internal redirection router ([#7860](https://github.com/traefik/traefik/pull/7860) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
 ## [v2.4.2](https://github.com/traefik/traefik/tree/v2.4.2) (2021-02-02)
 [All Commits](https://github.com/traefik/traefik/compare/v2.4.1...v2.4.2)
 

CONTRIBUTING.md

@@ -1,4 +1,9 @@
 # Contributing
 
-- https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
-- https://doc.traefik.io/traefik/contributing/submitting-issues/
+Here are some guidelines that should help to start contributing to the project.
+
+- [Submitting pull Requests](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md)
+- [Submitting issues](https://doc.traefik.io/traefik/contributing/submitting-issues/)
+- [Submitting security issues](docs/content/contributing/submitting-security-issues.md)
+
+If you are willing to become a maintainer of the project, please take a look at the [maintainers guidelines](docs/content/contributing/maintainers-guidelines.md).

Makefile

@@ -58,23 +58,24 @@ build-webui-image:
 	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui
 
 ## Generate WebUI
-generate-webui: build-webui-image
+generate-webui:
 	if [ ! -d "static" ]; then \
+		$(MAKE) build-webui-image; \
 		mkdir -p static; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
-		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
+		echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
 	fi
 
 ## Build the linux binary
 binary: generate-webui $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
 
-## Build the binary for the standard plaforms (linux, darwin, windows)
+## Build the binary for the standard platforms (linux, darwin, windows)
 crossbinary-default: generate-webui build-dev-image
 	$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default
 
-## Build the binary for the standard plaforms (linux, darwin, windows) in parallel
+## Build the binary for the standard platforms (linux, darwin, windows) in parallel
 crossbinary-default-parallel:
 	$(MAKE) generate-webui
 	$(MAKE) build-dev-image crossbinary-default
@@ -92,8 +93,16 @@ pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
 
 ## Run the integration tests
-test-integration: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
+test-integration: $(PRE_TARGET) binary
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
+	TEST_HOST=1 ./script/make.sh test-integration
+
+## Run the container integration tests
+test-integration-container: $(PRE_TARGET) binary
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
+
+## Run the host integration tests
+test-integration-host: $(PRE_TARGET) binary
 	TEST_HOST=1 ./script/make.sh test-integration
 
 ## Validate code and docs
@@ -123,26 +132,30 @@ shell: build-dev-image
 docs:
 	make -C ./docs docs
 
-## Serve the documentation site localy
+## Serve the documentation site locally
 docs-serve:
 	make -C ./docs docs-serve
 
+## Pull image for doc building
+docs-pull-images:
+	make -C ./docs docs-pull-images
+
 ## Generate CRD clientset
 generate-crd:
-	./script/update-generated-crd-code.sh
+	@$(CURDIR)/script/code-gen.sh
 
 ## Create packages for the release
-release-packages: generate-webui build-dev-image
+release-packages: generate-webui $(PRE_TARGET)
 	rm -rf dist
-	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish --timeout="60m"
-	$(DOCKER_RUN_TRAEFIK_NOTTY) tar cfz dist/traefik-${VERSION}.src.tar.gz \
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="60m"
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
 		--exclude .travis \
 		--exclude .semaphoreci \
 		--exclude .github \
 		--exclude dist .
-	$(DOCKER_RUN_TRAEFIK_NOTTY) chown -R $(shell id -u):$(shell id -g) dist/
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/
 
 ## Format the Code
 fmt:

README.md

@@ -6,7 +6,6 @@
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
-[![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
 [![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
@@ -126,7 +125,10 @@ You can find high level and deep dive videos on [videos.traefik.io](https://vide
 
 ## Maintainers
 
-[Information about process and maintainers](docs/content/contributing/maintainers.md)
+We are strongly promoting a philosophy of openness and sharing, and firmly standing against the elitist closed approach. Being part of the core team should be accessible to anyone who is motivated and want to be part of that journey!
+This [document](docs/content/contributing/maintainers-guidelines.md) describes how to be part of the core team as well as various responsibilities and guidelines for Traefik maintainers.
+You can also find more information on our process to review pull requests and manage issues [in this document](docs/content/contributing/maintainers.md).
+
 
 ## Contributing
 

build.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.15-alpine
+FROM golang:1.16-alpine
 
 RUN apk --update upgrade \
     && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.36.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.41.1
 
 # Download misspell binary to bin folder in $GOPATH
 RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4

cmd/context.go

@@ -1,22 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-)
-
-// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified.
-func ContextWithSignal(ctx context.Context) context.Context {
-	newCtx, cancel := context.WithCancel(ctx)
-	signals := make(chan os.Signal)
-	signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		select {
-		case <-signals:
-			cancel()
-		}
-	}()
-	return newCtx
-}

cmd/traefik/traefik.go

@@ -6,9 +6,11 @@ import (
 	stdlog "log"
 	"net/http"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"sort"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/coreos/go-systemd/daemon"
@@ -119,7 +121,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		return err
 	}
 
-	ctx := cmd.ContextWithSignal(context.Background())
+	ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 
 	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.DevPlugin != nil {
 		var cancel context.CancelFunc
@@ -186,7 +188,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	tlsManager := traefiktls.NewManager()
 	httpChallengeProvider := acme.NewChallengeHTTP()
-	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
+
+	// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
+	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
 	err = providerAggregator.AddProvider(tlsChallengeProvider)
 	if err != nil {
 		return nil, err
@@ -220,6 +224,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		})
 	}
 
+	if staticConfiguration.Pilot != nil {
+		version.PilotEnabled = staticConfiguration.Pilot.Dashboard
+	}
+
 	// Plugins
 
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
@@ -254,6 +262,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		providerAggregator,
 		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
 		getDefaultsEntrypoints(staticConfiguration),
+		"internal",
 	)
 
 	// TLS
@@ -363,30 +372,32 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 
 	var resolvers []*acme.Provider
 	for name, resolver := range c.CertificatesResolvers {
-		if resolver.ACME != nil {
-			if localStores[resolver.ACME.Storage] == nil {
-				localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
-			}
-
-			p := &acme.Provider{
-				Configuration:         resolver.ACME,
-				Store:                 localStores[resolver.ACME.Storage],
-				ResolverName:          name,
-				HTTPChallengeProvider: httpChallengeProvider,
-				TLSChallengeProvider:  tlsChallengeProvider,
-			}
-
-			if err := providerAggregator.AddProvider(p); err != nil {
-				log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
-				continue
-			}
-
-			p.SetTLSManager(tlsManager)
-
-			p.SetConfigListenerChan(make(chan dynamic.Configuration))
-
-			resolvers = append(resolvers, p)
+		if resolver.ACME == nil {
+			continue
 		}
+
+		if localStores[resolver.ACME.Storage] == nil {
+			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+		}
+
+		p := &acme.Provider{
+			Configuration:         resolver.ACME,
+			Store:                 localStores[resolver.ACME.Storage],
+			ResolverName:          name,
+			HTTPChallengeProvider: httpChallengeProvider,
+			TLSChallengeProvider:  tlsChallengeProvider,
+		}
+
+		if err := providerAggregator.AddProvider(p); err != nil {
+			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			continue
+		}
+
+		p.SetTLSManager(tlsManager)
+
+		p.SetConfigListenerChan(make(chan dynamic.Configuration))
+
+		resolvers = append(resolvers, p)
 	}
 
 	return resolvers

docs/Makefile

@@ -12,7 +12,7 @@ TRAEFIK_DOCS_CHECK_IMAGE ?= $(TRAEFIK_DOCS_BUILD_IMAGE)-check
 SITE_DIR := $(CURDIR)/site
 
 DOCKER_RUN_DOC_PORT := 8000
-DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs 
+DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs
 DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNTS) -p $(DOCKER_RUN_DOC_PORT):8000
 
 # Default: generates the documentation into $(SITE_DIR)
@@ -22,6 +22,10 @@ docs: docs-clean docs-image docs-lint docs-build docs-verify
 docs-serve: docs-image
 	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve
 
+## Pull image for doc building
+docs-pull-images:
+	grep --no-filename -E '^FROM' ./*.Dockerfile | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
+
 # Utilities Targets for each step
 docs-image:
 	docker build -t $(TRAEFIK_DOCS_BUILD_IMAGE) -f docs.Dockerfile ./

docs/check.Dockerfile

@@ -8,8 +8,11 @@ RUN apk --no-cache --no-progress add \
     ruby-etc \
     ruby-ffi \
     ruby-json \
-    ruby-nokogiri
-RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libraries
+    ruby-nokogiri \
+    ruby-dev \
+    build-base
+
+RUN gem install html-proofer --version 3.19.0 --no-document -- --use-system-libraries
 
 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
@@ -21,8 +24,8 @@ RUN apk --no-cache --no-progress add \
 RUN npm config set unsafe-perm true
 
 RUN npm install --global \
-    markdownlint@0.17.2 \
-    markdownlint-cli@0.19.0
+    markdownlint@0.22.0 \
+    markdownlint-cli@0.26.0
 
 # Finally the shell tools we need for later
 # tini helps to terminate properly all the parallelized tasks when sending CTRL-C

docs/content/contributing/building-testing.md

@@ -30,7 +30,7 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.14-alpine
+Step 1/10 : FROM golang:1.16-alpine
  ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
@@ -62,7 +62,7 @@ PRE_TARGET= make test-unit
 
 Requirements:
 
-- `go` v1.14+
+- `go` v1.16+
 - environment variable `GO111MODULE=on`
 - [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 

docs/content/contributing/data-collection.md

@@ -9,19 +9,19 @@ Understanding how you use Traefik is very important to us: it helps us improve t
 For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.
 
 !!! example "Enabling Data Collection"
-    
-    ```toml tab="File (TOML)"
-    [global]
-      # Send anonymous usage data
-      sendAnonymousUsage = true
-    ```
-    
+
     ```yaml tab="File (YAML)"
     global:
       # Send anonymous usage data
       sendAnonymousUsage: true
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [global]
+      # Send anonymous usage data
+      sendAnonymousUsage = true
+    ```
+
     ```bash tab="CLI"
     # Send anonymous usage data
     --global.sendAnonymousUsage
@@ -45,49 +45,51 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 - an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
 
 !!! info
-    
+
     - We do not collect the dynamic configuration information (routers & services).
     - We do not collect this data to run advertising programs.
     - We do not sell this data to third-parties.
 
 ### Example of Collected Data
 
-```toml tab="Original configuration"
-[entryPoints]
-  [entryPoints.web]
-    address = ":80"
+```yaml tab="Original configuration"
+entryPoints:
+  web:
+  address: ":80"
 
-[api]
+api: {}
 
-[providers.docker]
-  endpoint = "tcp://10.10.10.10:2375"
-  exposedByDefault = true
-  swarmMode = true
+providers:
+  docker:
+    endpoint: "tcp://10.10.10.10:2375"
+    exposedByDefault: true
+    swarmMode: true
 
-  [providers.docker.TLS]
-    ca = "dockerCA"
-    cert = "dockerCert"
-    key = "dockerKey"
-    insecureSkipVerify = true
+    tls:
+      ca: dockerCA
+      cert: dockerCert
+      key: dockerKey
+      insecureSkipVerify: true
 ```
 
-```toml tab="Resulting Obfuscated Configuration"
-[entryPoints]
-  [entryPoints.web]
-    address = ":80"
+```yaml tab="Resulting Obfuscated Configuration"
+entryPoints:
+  web:
+  address: ":80"
 
-[api]
+api: {}
 
-[providers.docker]
-  endpoint = "xxxx"
-  exposedByDefault = true
-  swarmMode = true
+providers:
+  docker:
+    endpoint: "xxxx"
+    exposedByDefault: true
+    swarmMode: true
 
-  [providers.docker.TLS]
-    ca = "xxxx"
-    cert = "xxxx"
-    key = "xxxx"
-    insecureSkipVerify = true
+    tls:
+      ca: xxxx
+      cert: xxxx
+      key: xxxx
+      insecureSkipVerify: true
 ```
 
 ## The Code for Data Collection

docs/content/contributing/documentation.md

@@ -14,10 +14,10 @@ This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](htt
 
 ### Method 1: `Docker` and `make`
 
-You can build the documentation and test it locally (with live reloading), using the `docs` target:
+You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:
 
 ```bash
-$ make docs
+$ make docs-serve
 docker build -t traefik-docs -f docs.Dockerfile .
 # […]
 docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
@@ -82,17 +82,19 @@ Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/bas
 
 !!! note "Clean & Verify"
 
-    If you've made changes to the documentation, it's safter to clean it before verifying it. 
+    If you've made changes to the documentation, it's safter to clean it before verifying it.
 
     ```bash
-    $ make docs-clean docs-verify
+    $ make docs
     ...
     ```
 
+    Will perform all necessary steps for you.
+
 !!! note "Disabling Documentation Verification"
 
     Verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`:
-    
+
     ```shell
     DOCS_VERIFY_SKIP=true make docs-verify
     ...

docs/content/contributing/maintainers-guidelines.md

@@ -0,0 +1,129 @@
+# Maintainer's Guidelines
+
+![Maintainer's Guidelines](../assets/img/maintainers-guidelines.png)
+
+Note: the document is a work in progress.
+
+Welcome to the Traefik Community.
+This document describes how to be part of the core team
+as well as various responsibilities
+and guidelines for Traefik maintainers.
+We are strongly promoting a philosophy of openness and sharing,
+and firmly standing against the elitist closed approach.
+Being part of the core team should be accessible to anyone motivated
+and wants to be part of that journey!
+
+## Onboarding Process
+
+If you consider joining our community please drop us a line using Twitter or leave a note in the issue.
+We will schedule a quick call to meet you and learn more about your motivation.
+During the call, the team will discuss the process of becoming a maintainer.
+We will be happy to answer any questions and explain all your doubts.
+
+## Maintainer's Requirements
+
+Note: you do not have to meet all the listed requirements,
+but must have achieved several.
+
+- Enabled [2FA](https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) on your Github account
+- The contributor has opened and successfully run medium to large PR’s in the past 6 months.
+- The contributor has participated in multiple code reviews of other PR’s,
+  including those of other maintainers and contributors.
+- The contributor showed a consistent pattern of helpful, non-threatening, and friendly behavior towards other community members in the past.
+- The contributor is active on Traefik Community forums
+  or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
+- Have read and accepted the contributor guidelines.
+
+## Maintainer's Responsibilities and Privileges
+
+There are lots of areas where you can contribute to the project,
+but we can suggest you start with activities such as:
+
+- PR reviewing.
+    - According to our guidelines we require you have at least 3 reviewers,
+      thus you can review a PR and leave the relevant comment if it is necessary.
+- Participating in a daily [issue triage](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md).
+    - The process helps to understand and prioritize the reported issue according to its importance and severity.
+      This is crucial to learn how our users implement Traefik.
+      Each of the issues that are labeled as bug/possible bug/confirmed requires a reproducible use case. 
+      You can help in creating a reproducible use case if it has not been added to the issue
+      or use the sample code provided by the reporter.
+      Typically, a simple docker compose should be enough to reproduce the issue.
+- Code contribution.
+- Documentation contribution.
+    - Technical documentation is one of the most important components of the product.
+      The ability to set up a testing environment in a few minutes,
+      using the official documentation,
+      is a game changer.
+- You will be listed on our Maintainers Github page
+  as well as on our website in the section [maintainers](maintainers.md).
+- We will be promoting you on social channels (mostly on Twitter).
+
+## Governance
+
+- Roadmap meetings on a regular basis where all maintainers are welcome.
+
+## Communicating
+
+- All of our maintainers are added to Slack #traefik-maintainers channel that belongs to Traefik labs workspace.
+  Having the team in one place helps us to communicate effectively. 
+  You can reach Traefik core developers directly,
+  which offers the possibility to discuss issues, pull requests, enhancements more efficiently
+  and get the feedback almost immediately.
+  Fewer blockers mean more fun and engaging work.
+
+- On a daily basis, we publish a report that includes all the activities performed during the day.
+  You are updated in regard to the workload that has been processed including:
+  working on the new features and enhancements,
+  activities related to the reported issues and PR’s,
+  other important project-related announcements.
+
+- At 5:00 PM CET every day we review all the created issues that have been reported,
+  assign them the appropriate *[labels](maintainers.md#labels)*
+  and prioritize them based on the severity of the problem.
+  The process is called *[issue triaging](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)*.
+  Each of the maintainers is welcome to join the meeting.
+  For that purpose, we use a dedicated Discord server
+  where you are invited once you have become the official maintainer.
+
+## Maintainers Activity
+
+In order to keep the core team efficient and dynamic,
+maintainers' activity and involvement will be reviewed on a regular basis.
+
+- Has the maintainer engaged with the team and the community by meeting two or more of these benchmarks in the past six months?
+    - Has the maintainer participated in at least two or three maintainer meetings?
+    - Substantial review of at least one or two PRs from either contributors or maintainers.
+    - Opened at least one or two bug fixes or feature request PRs
+      that were eventually merged (or on a trajectory for merge).
+    - Substantial participation in the Help Wanted program (answered questions, helped identify issues, applied guidelines from the Help Wanted guide to open issues).
+    - Substantial participation with the community in general.
+
+- Has the maintainer shown a consistent pattern of helpful,
+  non-threatening,
+  and friendly behavior towards other people on the maintainer team and with our community?
+
+## Additional Comments for (not only) Maintainers
+
+- Be able to put yourself in users’ shoes.
+- Be open-minded and respectful with other maintainers and other community members.
+- Keep the communication public - 
+  if anyone tries to communicate with you directly,
+  ask him politely to move the conversation to a public communication channel.
+- Stay away from defensive comments.
+- Please try to express your thoughts clearly enough
+  and note that some of us are not native English speakers.
+  Try to rephrase your sentences, avoiding mental shortcuts;
+  none of us is able to predict your thoughts.
+- There are a lot of use cases of using Traefik
+  and even more issues that are difficult to reproduce.
+  If the issue can’t be replicated due to a lack of reproducible case (a simple docker compose should be enough) - 
+  set your time limits while working on the issue
+  and express clearly that you were not able to replicate it.
+  You can come back later to that case.
+- Be proactive.
+- Emoji are fine,
+  but if you express yourself clearly enough they are not necessary.
+  They will not replace good communication.
+- Embrace mentorship.
+- Keep in mind that we all have the same intent to improve the project.

docs/content/contributing/maintainers.md

@@ -1,6 +1,6 @@
 # Maintainers
 
-## The team
+## The Team
 
 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
 * Vincent Demeester [@vdemeester](https://github.com/vdemeester)
@@ -20,11 +20,15 @@
 * Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
 * Harold Ozouf [@jspdown](https://github.com/jspdown)
 
+## Maintainer's Guidelines
+
+Please read the [maintainer's guidelines](maintainers-guidelines.md)
+
 ## Issue Triage
 
 Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).
 
-## PR review process:
+## PR Review Process
 
 The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.
 
@@ -114,7 +118,7 @@ The `status/*` labels represent the desired state in the workflow.
 * `priority/P2`: need to be fixed in the future.
 * `priority/P3`: maybe.
 
-### PR size
+### PR Size
 
 Automatically set by a bot.
 

docs/content/getting-started/configuration-overview.md

@@ -13,13 +13,13 @@ Configuration in Traefik can refer to two different things:
 Elements in the _static configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
 
 The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
-This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.    
+This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
 
 !!! warning "Incompatible Configuration"
     Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now.
     If you are running v2, please ensure you are using a v2 configuration.
 
-## The Dynamic Configuration 
+## The Dynamic Configuration
 
 Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.
 
@@ -28,14 +28,14 @@ Since this configuration is specific to your infrastructure choices, we invite y
 !!! info ""
 
     In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
-    
+
 !!! info "HTTPS Certificates also belong to the dynamic configuration."
-    
-    You can add / update / remove them without restarting your Traefik instance. 
- 
+
+    You can add / update / remove them without restarting your Traefik instance.
+
 ## The Static Configuration
 
-There are three different, **mutually exclusive** (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:
+There are three different, **mutually exclusive** (i.e. you can use only one at the same time), ways to define static configuration options in Traefik:
 
 1. In a configuration file
 1. In the command-line arguments
@@ -45,13 +45,13 @@ These ways are evaluated in the order listed above.
 
 If no value was provided for a given option, a default value applies.
 Moreover, if an option has sub-options, and any of these sub-options is not specified, a default value will apply as well.
-    
+
 For example, the `--providers.docker` option is enough by itself to enable the docker provider, even though sub-options like `--providers.docker.endpoint` exist.
 Once positioned, this option sets (and resets) all the default values of the sub-options of `--providers.docker`.
-    
+
 ### Configuration File
 
-At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` or `traefik.yaml`) in:
+At startup, Traefik searches for a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:
 
 - `/etc/traefik/`
 - `$XDG_CONFIG_HOME/`
@@ -61,7 +61,7 @@ At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` o
 You can override this using the `configFile` argument.
 
 ```bash
-traefik --configFile=foo/bar/myconfigfile.toml
+traefik --configFile=foo/bar/myconfigfile.yml
 ```
 
 ### Arguments

docs/content/getting-started/faq.md

@@ -0,0 +1,139 @@
+# FAQ
+
+## Why is Traefik Answering `XXX` HTTP Response Status Code?
+
+Traefik is a dynamic reverse proxy,
+and while the documentation often demonstrates configuration options through file examples,
+the core feature of Traefik is its dynamic configurability,
+directly reacting to changes from providers over time.
+
+Notably, a part of the configuration is [static](../configuration-overview/#the-static-configuration),
+and can be provided by a file on startup, whereas various providers,
+such as the file provider,
+contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](../configuration-overview/#the-dynamic-configuration) changes.
+
+In addition, the configuration englobes concepts such as the EntryPoint which can be seen as a listener on the Transport Layer (TCP),
+as apposed to the Router which is more about the Presentation (TLS) and Application layers (HTTP).
+And there can be as many routers as one wishes for a given EntryPoint.
+
+In other words, for a given Entrypoint,
+at any given time the traffic seen is not bound to be just about one protocol.
+It could be HTTP, or otherwise. Over TLS, or not.
+Not to mention that dynamic configuration changes potentially make that kind of traffic vary over time.
+
+Therefore, in this dynamic context,
+the static configuration of an `entryPoint` does not give any hint whatsoever about how the traffic going through that `entryPoint` is going to be routed.
+Or whether it's even going to be routed at all,
+i.e. whether there is a Router matching the kind of traffic going through it.
+
+### `404 Not found`
+
+Traefik returns a `404` response code in the following situations:
+
+- A request reaching an EntryPoint that has no Routers
+- An HTTP request reaching an EntryPoint that has no HTTP Router
+- An HTTPS request reaching an EntryPoint that has no HTTPS Router
+- A request reaching an EntryPoint that has HTTP/HTTPS Routers that cannot be matched
+
+From Traefik's point of view,
+every time a request cannot be matched with a router the correct response code is a `404 Not found`.
+
+In this situation, the response code is not a `503 Service Unavailable`
+because Traefik is not able to confirm that the lack of a matching router for a request is only temporary.
+Traefik's routing configuration is dynamic and aggregated from different providers,
+hence it's not possible to assume at any moment that a specific route should be handled or not.
+
+??? info "This behavior is consistent with rfc7231"
+
+    ```txt
+    The server is currently unable to handle the request due to a
+    temporary overloading or maintenance of the server. The implication
+    is that this is a temporary condition which will be alleviated after
+    some delay. If known, the length of the delay MAY be indicated in a
+    Retry-After header. If no Retry-After is given, the client SHOULD
+    handle the response as it would for a 500 response.
+
+        Note: The existence of the 503 status code does not imply that a
+        server must use it when becoming overloaded. Some servers may wish
+        to simply refuse the connection.
+    ```
+
+    Extract from [rfc7231#section-6.6.4](https://datatracker.ietf.org/doc/html/rfc7231#section-6.6.4).
+
+### `502 Bad Gateway`
+
+Traefik returns a `502` response code when an error happens while contacting the upstream service.
+
+### `503 Service Unavailable`
+
+Traefik returns a `503` response code when a Router has been matched
+but there are no servers ready to handle the request.
+
+This situation is encountered when a service has been explicitly configured without servers,
+or when a service has healthcheck enabled and all servers are unhealthy.
+
+### `XXX` Instead of `404`
+
+Sometimes, the `404` response code doesn't play well with other parties or services (such as CDNs).
+
+In these situations, you may want Traefik to always reply with a `503` response code,
+instead of a `404` response code.
+
+To achieve this behavior, a simple catchall router,
+with the lowest possible priority and routing to a service without servers,
+can handle all the requests when no other router has been matched.
+
+The example below is a file provider only version (`yaml`) of what this configuration could look like:
+
+```yaml tab="Static configuration"
+# traefik.yml
+
+entrypoints:
+  web:
+    address: :80
+
+providers:
+  file:
+    filename: dynamic.yaml
+```
+
+```yaml tab="Dynamic configuration"
+# dynamic.yaml
+
+http:
+  routers:
+    catchall:
+      # attached only to web entryPoint
+      entryPoints:
+        - "web"
+      # catchall rule
+      rule: "PathPrefix(`/`)"
+      service: unavailable
+      # lowest possible priority
+      # evaluated when no other router is matched
+      priority: 1
+
+  services:
+    # Service that will always answer a 503 Service Unavailable response
+    unavailable:
+      loadBalancer:
+        servers: {}
+```
+
+!!! info "Dedicated service"
+    If there is a need for a response code other than a `503` and/or a custom message,
+    the principle of the above example above (a catchall router) still stands,
+    but the `unavailable` service should be adapted to fit such a need.
+
+## Why Is My TLS Certificate Not Reloaded When Its Contents Change ? 
+
+With the file provider,
+a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
+
+Which is why, when a certificate is defined by path,
+and the actual contents of this certificate change,
+a configuration update is _not_ triggered.
+
+To take into account the new certificate contents, the update of the dynamic configuration must be forced.
+One way to achieve that, is to trigger a file notification,
+for example, by using the `touch` command on the configuration file.

docs/content/getting-started/install-traefik.md

@@ -11,12 +11,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.toml)
 * [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.toml)
 
 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.4
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.4
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -31,8 +31,8 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 ## Use the Helm Chart
 
 !!! warning
-    
-    The Traefik Chart from 
+
+    The Traefik Chart from
     [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
 
 Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.
@@ -61,7 +61,7 @@ helm install traefik traefik/traefik
 ```
 
 !!! tip "Helm Features"
-    
+
     All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
     For instance, installing the chart in a dedicated namespace:
 
@@ -73,30 +73,30 @@ helm install traefik traefik/traefik
     ```
 
 ??? example "Installing with Custom Values"
-    
+
     You can customize the installation by specifying custom values,
     as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
     {: #helm-custom-values }
-    
+
     The values are not (yet) documented, but are self-explanatory:
     you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
-    
+
     You can also set Traefik command line flags using `additionalArguments`.
     Example of installation with logging set to `DEBUG`:
-    
+
     ```bash tab="Using Helm CLI"
     helm install --namespace=traefik-v2 \
         --set="additionalArguments={--log.level=DEBUG}" \
         traefik traefik/traefik
     ```
-    
+
     ```yml tab="With a custom values file"
     # File custom-values.yml
     ## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
     additionalArguments:
       - "--log.level=DEBUG"
     ```
-    
+
 ### Exposing the Traefik dashboard
 
 This HelmChart does not expose the Traefik dashboard by default, for security concerns.

docs/content/glossary.md

@@ -1,22 +0,0 @@
-# TODO -- Glossary
-
-Where Every Technical Word finds its Definition`
-{: .subtitle}
-
-- [ ] Provider
-    - [ ] Types of providers (KV, annotation based, label based, configuration based)
-- [ ] Entrypoint
-- [ ] Routers
-- [ ] Middleware
-- [ ] Service
-- [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
-- [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
-- [ ] ACME
-- [ ] Traefik Enterprise
-- [ ] Tracing
-- [ ] Metrics
-- [ ] Orchestrator
-- [ ] Key Value Store
-- [ ] Logs
-- [ ] Traefiker
-- [ ] Traefik (How to pronounce)

docs/content/https/acme.md

@@ -13,7 +13,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 
 ## Certificate Resolvers
 
-Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
+Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration),
 which are responsible for retrieving certificates from an ACME server.
 
 Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
@@ -26,33 +26,33 @@ You can read more about this retrieval mechanism in the following section: [ACME
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
 ??? note "Configuration Reference"
-    
+
     There are many available options for ACME.
     For a quick glance at what's possible, browse the configuration reference:
-    
-    ```toml tab="File (TOML)"
-    --8<-- "content/https/ref-acme.toml"
-    ```
-    
+
     ```yaml tab="File (YAML)"
     --8<-- "content/https/ref-acme.yaml"
     ```
-    
+
+    ```toml tab="File (TOML)"
+    --8<-- "content/https/ref-acme.toml"
+    ```
+
     ```bash tab="CLI"
     --8<-- "content/https/ref-acme.txt"
     ```
 
 ## Domain Definition
 
-Certificate resolvers request certificates for a set of the domain names 
+Certificate resolvers request certificates for a set of the domain names
 inferred from routers, with the following logic:
 
 - If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
   then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
 
-- If no [`tls.domains`](../routing/routers/index.md#domains) option is set, 
-  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule), 
-  by checking the `Host()` matchers. 
+- If no [`tls.domains`](../routing/routers/index.md#domains) option is set,
+  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule),
+  by checking the `Host()` matchers.
   Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
 
 Please note that:
@@ -69,31 +69,15 @@ Please check the [configuration examples below](#configuration-examples) for mor
 ## Configuration Examples
 
 ??? example "Enabling ACME"
-    
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-      [entryPoints.websecure]
-        address = ":443"
-    
-    [certificatesResolvers.myresolver.acme]
-      email = "your-email@example.com"
-      storage = "acme.json"
-      [certificatesResolvers.myresolver.acme.httpChallenge]
-        # used during the challenge
-        entryPoint = "web"
-    ```
-    
+
     ```yaml tab="File (YAML)"
     entryPoints:
       web:
         address: ":80"
-    
+
       websecure:
         address: ":443"
-    
+
     certificatesResolvers:
       myresolver:
         acme:
@@ -103,7 +87,23 @@ Please check the [configuration examples below](#configuration-examples) for mor
             # used during the challenge
             entryPoint: web
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@example.com"
+      storage = "acme.json"
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        # used during the challenge
+        entryPoint = "web"
+    ```
+
     ```bash tab="CLI"
     --entrypoints.web.address=:80
     --entrypoints.websecure.address=:443
@@ -117,23 +117,23 @@ Please check the [configuration examples below](#configuration-examples) for mor
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
 ??? example "Single Domain from Router's Rule Example"
-    
+
     * A certificate for the domain `example.com` is requested:
 
     --8<-- "content/https/include-acme-single-domain-example.md"
 
 ??? example "Multiple Domains from Router's Rule Example"
- 
+
     * A certificate for the domains `example.com` (main) and `blog.example.org`
       is requested:
-    
+
     --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
-    
+
 ??? example "Multiple Domains from Router's `tls.domain` Example"
 
     * A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
       is requested:
-      
+
     --8<-- "content/https/include-acme-multiple-domains-example.md"
 
 ## Automatic Renewals
@@ -165,12 +165,6 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 
 ??? example "Configuring the `tlsChallenge`"
 
-    ```toml tab="File (TOML)"
-    [certificatesResolvers.myresolver.acme]
-      # ...
-      [certificatesResolvers.myresolver.acme.tlsChallenge]
-    ```
-
     ```yaml tab="File (YAML)"
     certificatesResolvers:
       myresolver:
@@ -178,7 +172,13 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
           # ...
           tlsChallenge: {}
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
+    ```
+
     ```bash tab="CLI"
     # ...
     --certificatesresolvers.myresolver.acme.tlschallenge=true
@@ -193,28 +193,14 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
 
 ??? example "Using an EntryPoint Called web for the `httpChallenge`"
 
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-      
-      [entryPoints.websecure]
-        address = ":443"
-    
-    [certificatesResolvers.myresolver.acme]
-      # ...
-      [certificatesResolvers.myresolver.acme.httpChallenge]
-        entryPoint = "web"
-    ```
-
     ```yaml tab="File (YAML)"
     entryPoints:
       web:
         address: ":80"
-    
+
       websecure:
         address: ":443"
-    
+
     certificatesResolvers:
       myresolver:
         acme:
@@ -222,7 +208,21 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
           httpChallenge:
             entryPoint: web
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.httpChallenge]
+        entryPoint = "web"
+    ```
+
     ```bash tab="CLI"
     --entrypoints.web.address=:80
     --entrypoints.websecure.address=:443
@@ -239,15 +239,6 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 
 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
 
-    ```toml tab="File (TOML)"
-    [certificatesResolvers.myresolver.acme]
-      # ...
-      [certificatesResolvers.myresolver.acme.dnsChallenge]
-        provider = "digitalocean"
-        delayBeforeCheck = 0
-    # ...
-    ```
-    
     ```yaml tab="File (YAML)"
     certificatesResolvers:
       myresolver:
@@ -258,7 +249,16 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
             delayBeforeCheck: 0
         # ...
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      [certificatesResolvers.myresolver.acme.dnsChallenge]
+        provider = "digitalocean"
+        delayBeforeCheck = 0
+    # ...
+    ```
+
     ```bash tab="CLI"
     # ...
     --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
@@ -270,7 +270,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
         A `provider` is mandatory.
 
 #### `providers`
- 
+
 Here is a list of supported `providers`, that can automate the DNS verification,
 along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
 Do not hesitate to complete it.
@@ -303,6 +303,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
 | [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
 | [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
+| [Domeneshop](https://domene.shop)                           | `domeneshop`   | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)   |
 | [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
 | [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
 | [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
@@ -322,9 +323,10 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
 | [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
+| [Infoblox](https://www.infoblox.com/)                       | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
 | [Infomaniak](https://www.infomaniak.com)                    | `infomaniak`   | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)   |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
-| [ionos](https://ionos.com/)                                 | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)       |
+| [ionos](https://ionos.com/)                                 | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)        |
 | [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
 | [Linode v4](https://www.linode.com)                         | `linode`       | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
@@ -340,11 +342,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
 | [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
+| [Njalla](https://njal.la)                                   | `njalla`       | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)       |
 | [NS1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
 | [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
 | [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
 | [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
+| [Porkbun](https://porkbun.com/)                             | `porkbun`      | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)      |
 | [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
 | [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
 | [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
@@ -355,12 +359,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
 | [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
 | [Servercow](https://servercow.de)                           | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
+| [Simply.com](https://www.simply.com/en/domains/)            | `simply`       | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)       |
+| [Sonic](https://www.sonic.com/)                             | `sonic`        | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)        |
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
 | [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
+| [VinylDNS](https://www.vinyldns.io)                         | `vinyldns`     | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)     |
 | [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
 | [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
+| [WEDOS](https://www.wedos.com)                              | `wedos`        | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)        |
 | [Yandex](https://yandex.com)                                | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
 | [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
@@ -380,14 +388,6 @@ For complete details, refer to your provider's _Additional configuration_ link.
 
 Use custom DNS servers to resolve the FQDN authority.
 
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  [certificatesResolvers.myresolver.acme.dnsChallenge]
-    # ...
-    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
   myresolver:
@@ -400,6 +400,14 @@ certificatesResolvers:
           - "8.8.8.8:53"
 ```
 
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+```
+
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
@@ -415,14 +423,6 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 - `kid`: Key identifier from External CA
 - `hmacEncoded`: HMAC key from External CA, should be in Base64 URL Encoding without padding format
 
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  [certificatesResolvers.myresolver.acme.eab]
-    kid = "abc-keyID-xyz"
-    hmacEncoded = "abc-hmac-xyz"
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
   myresolver:
@@ -433,6 +433,14 @@ certificatesResolvers:
         hmacEncoded: abc-hmac-xyz
 ```
 
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.eab]
+    kid = "abc-keyID-xyz"
+    hmacEncoded = "abc-hmac-xyz"
+```
+
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
@@ -452,13 +460,6 @@ The CA server to use:
 
 ??? example "Using the Let's Encrypt staging server"
 
-    ```toml tab="File (TOML)"
-    [certificatesResolvers.myresolver.acme]
-      # ...
-      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-      # ...
-    ```
-    
     ```yaml tab="File (YAML)"
     certificatesResolvers:
       myresolver:
@@ -468,6 +469,13 @@ The CA server to use:
           # ...
     ```
 
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.myresolver.acme]
+      # ...
+      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+      # ...
+    ```
+
     ```bash tab="CLI"
     # ...
     --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
@@ -480,13 +488,6 @@ _Required, Default="acme.json"_
 
 The `storage` option sets the location where your ACME certificates are saved to.
 
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  storage = "acme.json"
-  # ...
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
   myresolver:
@@ -496,6 +497,13 @@ certificatesResolvers:
       # ...
 ```
 
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  storage = "acme.json"
+  # ...
+```
+
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.storage=acme.json
@@ -526,13 +534,6 @@ Preferred chain to use.
 If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
 If no match, the default offered chain will be used.
 
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  preferredChain = "ISRG Root X1"
-  # ...
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
   myresolver:
@@ -542,6 +543,13 @@ certificatesResolvers:
       # ...
 ```
 
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  preferredChain = "ISRG Root X1"
+  # ...
+```
+
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
@@ -554,13 +562,6 @@ _Optional, Default="RSA4096"_
 
 KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
 
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  keyType = "RSA4096"
-  # ...
-```
-
 ```yaml tab="File (YAML)"
 certificatesResolvers:
   myresolver:
@@ -570,6 +571,13 @@ certificatesResolvers:
       # ...
 ```
 
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  keyType = "RSA4096"
+  # ...
+```
+
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.keyType="RSA4096"

docs/content/https/include-acme-multiple-domains-example.md

@@ -64,18 +64,6 @@ labels:
   - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```
 
-```toml tab="File (TOML)"
-## Dynamic configuration
-[http.routers]
-  [http.routers.blog]
-    rule = "Host(`example.com`) && Path(`/blog`)"
-    [http.routers.blog.tls]
-      certResolver = "myresolver" # From static configuration
-      [[http.routers.blog.tls.domains]]
-        main = "example.org"
-        sans = ["*.example.org"]
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -89,3 +77,15 @@ http:
             sans:
               - "*.example.org"
 ```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "Host(`example.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver" # From static configuration
+      [[http.routers.blog.tls.domains]]
+        main = "example.org"
+        sans = ["*.example.org"]
+```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -52,15 +52,6 @@ labels:
   - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
-```toml tab="File (TOML)"
-## Dynamic configuration
-[http.routers]
-  [http.routers.blog]
-    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
-    [http.routers.blog.tls]
-      certResolver = "myresolver"
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -70,3 +61,12 @@ http:
       tls:
         certResolver: myresolver
 ```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
+    [http.routers.blog.tls]
+      certResolver = "myresolver"
+```

docs/content/https/include-acme-single-domain-example.md

@@ -52,15 +52,6 @@ labels:
   - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
-```toml tab="File (TOML)"
-## Dynamic configuration
-[http.routers]
-  [http.routers.blog]
-  rule = "Host(`example.com`) && Path(`/blog`)"
-  [http.routers.blog.tls]
-    certResolver = "myresolver"
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -70,3 +61,12 @@ http:
       tls:
         certResolver: myresolver
 ```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+  rule = "Host(`example.com`) && Path(`/blog`)"
+  [http.routers.blog.tls]
+    certResolver = "myresolver"
+```

docs/content/https/tls.md

@@ -13,18 +13,6 @@ See the [Let's Encrypt](./acme.md) page.
 
 To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[[tls.certificates]]
-  certFile = "/path/to/domain.cert"
-  keyFile = "/path/to/domain.key"
-
-[[tls.certificates]]
-  certFile = "/path/to/other-domain.cert"
-  keyFile = "/path/to/other-domain.key"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -36,23 +24,28 @@ tls:
       keyFile: /path/to/other-domain.key
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
+
+[[tls.certificates]]
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
 !!! important "Restriction"
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
-    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
 
 ## Certificates Stores
 
 In Traefik, certificates are grouped together in certificates stores, which are defined as such:
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.stores]
-  [tls.stores.default]
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -61,6 +54,13 @@ tls:
     default: {}
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default]
+```
+
 !!! important "Restriction"
 
     Any store definition other than the default one (named `default`) will be ignored,
@@ -68,21 +68,6 @@ tls:
 
 In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[[tls.certificates]]
-  certFile = "/path/to/domain.cert"
-  keyFile = "/path/to/domain.key"
-  stores = ["default"]
-
-[[tls.certificates]]
-  # Note that since no store is defined,
-  # the certificate below will be stored in the `default` store.
-  certFile = "/path/to/other-domain.cert"
-  keyFile = "/path/to/other-domain.key"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -98,6 +83,21 @@ tls:
       keyFile: /path/to/other-domain.key
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
+  stores = ["default"]
+
+[[tls.certificates]]
+  # Note that since no store is defined,
+  # the certificate below will be stored in the `default` store.
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
 !!! important "Restriction"
 
     The `stores` list will actually be ignored and automatically set to `["default"]`.
@@ -107,16 +107,6 @@ tls:
 Traefik can use a default certificate for connections without a SNI, or without a matching domain.
 This default certificate should be defined in a TLS store:
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.stores]
-  [tls.stores.default]
-    [tls.stores.default.defaultCertificate]
-      certFile = "path/to/cert.crt"
-      keyFile  = "path/to/cert.key"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -128,6 +118,16 @@ tls:
         keyFile: path/to/cert.key
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
+      certFile = "path/to/cert.crt"
+      keyFile  = "path/to/cert.key"
+```
+
 If no default certificate is provided, Traefik generates and uses a self-signed certificate.
 
 ## TLS Options
@@ -155,18 +155,6 @@ The TLS options allow one to configure some parameters of the TLS connection.
 
 ### Minimum TLS Version
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-
-  [tls.options.default]
-    minVersion = "VersionTLS12"
-
-  [tls.options.mintls13]
-    minVersion = "VersionTLS13"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -179,6 +167,18 @@ tls:
       minVersion: VersionTLS13
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+
+  [tls.options.mintls13]
+    minVersion = "VersionTLS13"
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -206,18 +206,6 @@ We discourage the use of this setting to disable TLS1.3.
 
 The recommended approach is to update the clients to support TLS1.3.
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-
-  [tls.options.default]
-    maxVersion = "VersionTLS13"
-
-  [tls.options.maxtls12]
-    maxVersion = "VersionTLS12"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -230,6 +218,18 @@ tls:
       maxVersion: VersionTLS12
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+
+  [tls.options.default]
+    maxVersion = "VersionTLS13"
+
+  [tls.options.maxtls12]
+    maxVersion = "VersionTLS12"
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -255,16 +255,6 @@ spec:
 
 See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    cipherSuites = [
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
-    ]
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -275,6 +265,16 @@ tls:
         - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    cipherSuites = [
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+    ]
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -301,14 +301,6 @@ The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#Curve
 
 See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    curvePreferences = ["CurveP521", "CurveP384"]
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -320,6 +312,14 @@ tls:
         - CurveP384
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    curvePreferences = ["CurveP521", "CurveP384"]
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -338,14 +338,6 @@ spec:
 With strict SNI checking enabled, Traefik won't allow connections from clients
 that do not specify a server_name extension or don't match any certificate configured on the tlsOption.
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    sniStrict = true
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -355,6 +347,14 @@ tls:
       sniStrict: true
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    sniStrict = true
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -371,14 +371,6 @@ spec:
 This option allows the server to choose its most preferred cipher suite instead of the client's.
 Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
 
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    preferServerCipherSuites = true
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic configuration
 
@@ -388,6 +380,14 @@ tls:
       preferServerCipherSuites: true
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    preferServerCipherSuites = true
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
@@ -404,25 +404,14 @@ spec:
 Traefik supports mutual authentication, through the `clientAuth` section.
 
 For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
- 
+
 The `clientAuth.clientAuthType` option governs the behaviour as follows:
 
 - `NoClientCert`: disregards any client certificate.
 - `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
 - `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
 - `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
-- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`. 
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    [tls.options.default.clientAuth]
-      # in PEM format. each file can contain multiple CAs.
-      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
-      clientAuthType = "RequireAndVerifyClientCert"
-```
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`.
 
 ```yaml tab="File (YAML)"
 # Dynamic configuration
@@ -438,6 +427,17 @@ tls:
         clientAuthType: RequireAndVerifyClientCert
 ```
 
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    [tls.options.default.clientAuth]
+      # in PEM format. each file can contain multiple CAs.
+      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+      clientAuthType = "RequireAndVerifyClientCert"
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption

docs/content/middlewares/addprefix.md

@@ -1,11 +1,11 @@
 # Add Prefix
 
-Prefixing the Path 
+Prefixing the Path
 {: .subtitle }
 
-![AddPrefix](../assets/img/middleware/addprefix.png) 
+![AddPrefix](../assets/img/middleware/addprefix.png)
 
-The AddPrefix middleware updates the URL Path of the request before forwarding it.
+The AddPrefix middleware updates the path of a request before forwarding it.
 
 ## Configuration Examples
 
@@ -43,13 +43,6 @@ labels:
   - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 
-```toml tab="File (TOML)"
-# Prefixing with /foo
-[http.middlewares]
-  [http.middlewares.add-foo.addPrefix]
-    prefix = "/foo"
-```
-
 ```yaml tab="File (YAML)"
 # Prefixing with /foo
 http:
@@ -59,9 +52,16 @@ http:
         prefix: "/foo"
 ```
 
+```toml tab="File (TOML)"
+# Prefixing with /foo
+[http.middlewares]
+  [http.middlewares.add-foo.addPrefix]
+    prefix = "/foo"
+```
+
 ## Configuration Options
 
 ### `prefix`
 
 `prefix` is the string to add before the current path in the requested URL.
-It should include the leading slash (`/`).
+It should include a leading slash (`/`).

docs/content/middlewares/basicauth.md

@@ -5,7 +5,7 @@ Adding Basic Authentication
 
 ![BasicAuth](../assets/img/middleware/basicauth.png)
 
-The BasicAuth middleware is a quick way to restrict access to your services to known users.
+The BasicAuth middleware restricts access to your services to known users.
 
 ## Configuration Examples
 
@@ -14,7 +14,7 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
 #
 # Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
@@ -48,16 +48,6 @@ labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-  users = [
-    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
-    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-  ]
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -65,26 +55,36 @@ http:
     test-auth:
       basicAuth:
         users:
-          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
           - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
 ## Configuration Options
 
 ### General
 
 Passwords must be hashed using MD5, SHA1, or BCrypt.
 
-!!! tip 
+!!! tip
 
     Use `htpasswd` to generate the passwords.
 
 ### `users`
 
-The `users` option is an array of authorized users. Each user will be declared using the `name:hashed-password` format.
+The `users` option is an array of authorized users. Each user must be declared using the `name:hashed-password` format.
 
 !!! note ""
-    
+
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
@@ -142,16 +142,6 @@ labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-    users = [
-      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
-      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-    ]
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -159,10 +149,20 @@ http:
     test-auth:
       basicAuth:
         users:
-          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
           - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    users = [
+      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+    ]
+```
+
 ### `usersFile`
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@@ -170,9 +170,9 @@ The `usersFile` option is the path to an external file that contains the authori
 The file content is a list of `name:hashed-password`.
 
 !!! note ""
-    
+
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
-    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
 ```yaml tab="Docker"
 labels:
@@ -216,12 +216,6 @@ labels:
   - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-    usersFile = "/path/to/my/usersfile"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -230,6 +224,12 @@ http:
         usersFile: "/path/to/my/usersfile"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"
 
     ```txt
@@ -239,7 +239,7 @@ http:
 
 ### `realm`
 
-You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
+You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
 
 ```yaml tab="Docker"
 labels:
@@ -271,12 +271,6 @@ labels:
   - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-    realm = "MyRealm"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -285,6 +279,12 @@ http:
         realm: "MyRealm"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    realm = "MyRealm"
+```
+
 ### `headerField`
 
 You can define a header field to store the authenticated user using the `headerField`option.
@@ -315,12 +315,6 @@ spec:
 }
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares.my-auth.basicAuth]
-  # ...
-  headerField = "X-WebAuth-User"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -330,6 +324,12 @@ http:
         headerField: "X-WebAuth-User"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares.my-auth.basicAuth]
+  # ...
+  headerField = "X-WebAuth-User"
+```
+
 ### `removeHeader`
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
@@ -364,12 +364,6 @@ labels:
   - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.basicAuth]
-    removeHeader = true
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -377,3 +371,9 @@ http:
       basicAuth:
         removeHeader: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    removeHeader = true
+```

docs/content/middlewares/buffering.md

@@ -5,22 +5,22 @@ How to Read the Request before Forwarding It
 
 ![Buffering](../assets/img/middleware/buffering.png)
 
-The Buffering middleware gives you control on how you want to read the requests before sending them to services.
+The Buffering middleware limits the size of requests that can be forwarded to services.
 
-With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified limit.
+With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.
 
-This can help services deal with large data (multipart/form-data for example), and can minimize time spent sending data to a service.
+This can help services avoid large amounts of data (`multipart/form-data` for example), and can minimize the time spent sending data to a service.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 labels:
   - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
 ```yaml tab="Kubernetes"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -31,7 +31,7 @@ spec:
 ```
 
 ```yaml tab="Consul Catalog"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
@@ -42,20 +42,13 @@ spec:
 ```
 
 ```yaml tab="Rancher"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 labels:
   - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
-```toml tab="File (TOML)"
-# Sets the maximum request body to 2Mb
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    maxRequestBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
-# Sets the maximum request body to 2Mb
+# Sets the maximum request body to 2MB
 http:
   middlewares:
     limit:
@@ -63,13 +56,20 @@ http:
         maxRequestBodyBytes: 2000000
 ```
 
+```toml tab="File (TOML)"
+# Sets the maximum request body to 2MB
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
 ## Configuration Options
 
 ### `maxRequestBodyBytes`
 
-With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
+The `maxRequestBodyBytes` option configures the maximum allowed body size for the request (in bytes).
 
-If the request exceeds the allowed size, it is not forwarded to the service and the client gets a `413 (Request Entity Too Large)` response.
+If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413 (Request Entity Too Large)` response.
 
 ```yaml tab="Docker"
 labels:
@@ -101,12 +101,6 @@ labels:
   - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    maxRequestBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -115,9 +109,15 @@ http:
         maxRequestBodyBytes: 2000000
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
 ### `memRequestBodyBytes`
 
-You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
+You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
 
 ```yaml tab="Docker"
 labels:
@@ -149,12 +149,6 @@ labels:
   - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    memRequestBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -163,9 +157,15 @@ http:
         memRequestBodyBytes: 2000000
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memRequestBodyBytes = 2000000
+```
+
 ### `maxResponseBodyBytes`
 
-With the `maxResponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
+The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).
 
 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
 
@@ -199,12 +199,6 @@ labels:
   - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    maxResponseBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -213,9 +207,15 @@ http:
         maxResponseBodyBytes: 2000000
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxResponseBodyBytes = 2000000
+```
+
 ### `memResponseBodyBytes`
 
-You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
+You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
 
 ```yaml tab="Docker"
 labels:
@@ -247,12 +247,6 @@ labels:
   - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.limit.buffering]
-    memResponseBodyBytes = 2000000
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -261,17 +255,23 @@ http:
         memResponseBodyBytes: 2000000
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    memResponseBodyBytes = 2000000
+```
+
 ### `retryExpression`
 
-You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
+You can have the Buffering middleware replay the request using `retryExpression`.
+
+??? example "Retries once in the case of a network error"
 
-??? example "Retries once in case of a network error"
-    
     ```yaml tab="Docker"
     labels:
       - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
-    
+
     ```yaml tab="Kubernetes"
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
@@ -281,28 +281,22 @@ You can have the Buffering middleware replay the request with the help of the `r
       buffering:
         retryExpression: "IsNetworkError() && Attempts() < 2"
     ```
-    
+
     ```yaml tab="Consul Catalog"
     - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
-        
+
     ```json tab="Marathon"
     "labels": {
       "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
     }
     ```
-    
+
     ```yaml tab="Rancher"
     labels:
       - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
-    
-    ```toml tab="File (TOML)"
-    [http.middlewares]
-      [http.middlewares.limit.buffering]
-        retryExpression = "IsNetworkError() && Attempts() < 2"
-    ```
-    
+
     ```yaml tab="File (YAML)"
     http:
       middlewares:
@@ -311,8 +305,14 @@ You can have the Buffering middleware replay the request with the help of the `r
             retryExpression: "IsNetworkError() && Attempts() < 2"
     ```
 
+    ```toml tab="File (TOML)"
+    [http.middlewares]
+      [http.middlewares.limit.buffering]
+        retryExpression = "IsNetworkError() && Attempts() < 2"
+    ```
+
 The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`). At least one function is required:
 
 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service
-- `IsNetworkError()` - if the response code is related to networking error 
+- `IsNetworkError()` whether the response code is related to networking error

docs/content/middlewares/chain.md

@@ -5,12 +5,12 @@ When One Isn't Enough
 
 ![Chain](../assets/img/middleware/chain.png)
 
-The Chain middleware enables you to define reusable combinations of other pieces of middleware. 
+The Chain middleware enables you to define reusable combinations of other pieces of middleware.
 It makes reusing the same groups easier.
 
 ## Configuration Example
 
-Example "A Chain for WhiteList, BasicAuth, and HTTPS"
+Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
 
 ```yaml tab="Docker"
 labels:
@@ -21,7 +21,7 @@ labels:
   - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
   - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
   - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-  - "http.services.service1.loadbalancer.server.port=80"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
 ```yaml tab="Kubernetes"
@@ -30,11 +30,9 @@ kind: IngressRoute
 metadata:
   name: test
   namespace: default
-
 spec:
   entryPoints:
     - web
-
   routes:
     - match: Host(`mydomain`)
       kind: Rule
@@ -91,7 +89,7 @@ spec:
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
 - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-- "http.services.service1.loadbalancer.server.port=80"
+- "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
 ```json tab="Marathon"
@@ -103,7 +101,7 @@ spec:
   "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
   "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
   "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
-  "http.services.service1.loadbalancer.server.port": "80"
+  "traefik.http.services.service1.loadbalancer.server.port": "80"
 }
 ```
 
@@ -116,39 +114,11 @@ labels:
   - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
   - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
   - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-  - "http.services.service1.loadbalancer.server.port=80"
-```
-
-```toml tab="File (TOML)"
-# ...    
-[http.routers]
-  [http.routers.router1]
-    service = "service1"
-    middlewares = ["secured"]
-    rule = "Host(`mydomain`)"
-
-[http.middlewares]
-  [http.middlewares.secured.chain]
-    middlewares = ["https-only", "known-ips", "auth-users"]
-
-  [http.middlewares.auth-users.basicAuth]
-    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
-
-  [http.middlewares.https-only.redirectScheme]
-    scheme = "https"
-
-  [http.middlewares.known-ips.ipWhiteList]
-    sourceRange = ["192.168.1.7", "127.0.0.1/32"]
-
-[http.services]
-  [http.services.service1]
-    [http.services.service1.loadBalancer]
-      [[http.services.service1.loadBalancer.servers]]
-        url = "http://127.0.0.1:80"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
 ```yaml tab="File (YAML)"
-# ...    
+# ...
 http:
   routers:
     router1:
@@ -186,3 +156,31 @@ http:
         servers:
           - url: "http://127.0.0.1:80"
 ```
+
+```toml tab="File (TOML)"
+# ...
+[http.routers]
+  [http.routers.router1]
+    service = "service1"
+    middlewares = ["secured"]
+    rule = "Host(`mydomain`)"
+
+[http.middlewares]
+  [http.middlewares.secured.chain]
+    middlewares = ["https-only", "known-ips", "auth-users"]
+
+  [http.middlewares.auth-users.basicAuth]
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+
+  [http.middlewares.https-only.redirectScheme]
+    scheme = "https"
+
+  [http.middlewares.known-ips.ipWhiteList]
+    sourceRange = ["192.168.1.7", "127.0.0.1/32"]
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
+```

docs/content/middlewares/circuitbreaker.md

@@ -3,27 +3,24 @@
 Don't Waste Time Calling Unhealthy Services
 {: .subtitle }
 
-![CircuitBreaker](../assets/img/middleware/circuitbreaker.png) 
+![CircuitBreaker](../assets/img/middleware/circuitbreaker.png)
 
-The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
+The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.
 
 When your system is healthy, the circuit is closed (normal operations).
-When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
+When your system becomes unhealthy, the circuit opens, and the requests are no longer forwarded, but instead are handled by a fallback mechanism.
 
-To assess if your system is healthy, the circuit breaker constantly monitors the services. 
+To assess if your system is healthy, the circuit breaker constantly monitors the services.
 
 !!! note ""
 
-    - The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
-    - The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
+    The CircuitBreaker only analyzes what happens _after_ its position within the middleware chain. What happens _before_ has no impact on its state.
 
 !!! important
 
-    Each router will eventually gets its own instance of a given circuit breaker.
-    
-    If two different routers refer to the same circuit breaker definition, they will get one instance each.
-    It means that one circuit breaker can be open while the other stays closed: their state is not shared.
-    
+    Each router gets its own instance of a given circuit breaker.
+    One circuit breaker instance can be open while the other remains closed: their state is not shared.
+
     This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
 
 ## Configuration Examples
@@ -62,13 +59,6 @@ labels:
   - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 
-```toml tab="File (TOML)"
-# Latency Check
-[http.middlewares]
-  [http.middlewares.latency-check.circuitBreaker]
-    expression = "LatencyAtQuantileMS(50.0) > 100"
-```
-
 ```yaml tab="File (YAML)"
 # Latency Check
 http:
@@ -78,6 +68,13 @@ http:
         expression: "LatencyAtQuantileMS(50.0) > 100"
 ```
 
+```toml tab="File (TOML)"
+# Latency Check
+[http.middlewares]
+  [http.middlewares.latency-check.circuitBreaker]
+    expression = "LatencyAtQuantileMS(50.0) > 100"
+```
+
 ## Possible States
 
 There are three possible states for your circuit breaker:
@@ -90,70 +87,71 @@ There are three possible states for your circuit breaker:
 
 While the circuit is closed, the circuit breaker only collects metrics to analyze the behavior of the requests.
 
-At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change. 
+At specified intervals (`checkPeriod`), the circuit breaker evaluates `expression` to decide if its state must change.
 
 ### Open
 
 While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
-After this duration, it will enter the recovering state.
+After this duration, it enters the recovering state.
 
 ### Recovering
 
-While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
-If your service fails during recovery, the circuit breaker becomes open again.
-If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
+While recovering, the circuit breaker sends linearly increasing amounts of requests to your service (for `RecoveryDuration`).
+If your service fails during recovery, the circuit breaker opens again.
+If the service operates normally during the entire recovery duration, then the circuit breaker closes.
 
 ## Configuration Options
 
 ### Configuring the Trigger
 
-You can specify an `expression` that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services).
+You can specify an `expression` that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling your services.
 
-The `expression` can check three different metrics:
+The `expression` option can check three different metrics:
 
 - The network error ratio (`NetworkErrorRatio`)
 - The status code ratio (`ResponseCodeRatio`)
-- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
+- The latency at a quantile in milliseconds (`LatencyAtQuantileMS`)
 
 #### `NetworkErrorRatio`
 
-If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
+If you want the circuit breaker to open at a 30% ratio of network errors, the `expression` is `NetworkErrorRatio() > 0.30`
 
 #### `ResponseCodeRatio`
 
-You can trigger the circuit breaker based on the ratio of a given range of status codes.
+You can configure the circuit breaker to open based on the ratio of a given range of status codes.
 
 The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.
 
 The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
 
 !!! note ""
-    If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
-    
-    `from`is inclusive, `to` is exclusive. 
 
-For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX). 
+    If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
+
+    `from`is inclusive, `to` is exclusive.
+
+For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
 
 #### `LatencyAtQuantileMS`
 
-You can trigger the circuit breaker when a given proportion of your requests become too slow.
+You can configure the circuit breaker to open when a given proportion of your requests become too slow.
 
-For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
+For example, the expression `LatencyAtQuantileMS(50.0) > 100` opens the circuit breaker when the median latency (quantile 50) reaches 100ms.
 
 !!! note ""
 
-    You must provide a float number (with the trailing .0) for the quantile value
- 
-#### Using multiple metrics
+    You must provide a floating point number (with the trailing .0) for the quantile value
 
-You can combine multiple metrics using operators in your expression.
+#### Using Multiple Metrics
+
+You can combine multiple metrics using operators in your `expression`.
 
 Supported operators are:
 
 - AND (`&&`)
 - OR (`||`)
 
-For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%. 
+For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
 
 #### Operators
 
@@ -168,8 +166,8 @@ Here is the list of supported operators:
 
 ### Fallback mechanism
 
-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service).
-This behavior cannot be configured. 
+The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
+This behavior cannot be configured.
 
 ### `CheckPeriod`
 
@@ -182,6 +180,6 @@ By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
 
 ### `RecoveringDuration`
 
-The duration of the recovering mode (recovering state). 
+The duration of the recovering mode (recovering state).
 
-By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.  
+By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.

docs/content/middlewares/compress.md

@@ -1,11 +1,11 @@
 # Compress
 
-Compressing the Response before Sending it to the Client
+Compress Responses before Sending them to the Client
 {: .subtitle }
 
 ![Compress](../assets/img/middleware/compress.png)
 
-The Compress middleware enables the gzip compression. 
+The Compress middleware uses gzip compression.
 
 ## Configuration Examples
 
@@ -42,12 +42,6 @@ labels:
   - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
-```toml tab="File (TOML)"
-# Enable gzip compression
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-```
-
 ```yaml tab="File (YAML)"
 # Enable gzip compression
 http:
@@ -56,24 +50,30 @@ http:
       compress: {}
 ```
 
+```toml tab="File (TOML)"
+# Enable gzip compression
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+```
+
 !!! info
-    
-    Responses are compressed when:
-    
+
+    Responses are compressed when the following criteria are all met:
+
     * The response body is larger than `1400` bytes.
     * The `Accept-Encoding` request header contains `gzip`.
     * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
 
-    If Content-Type header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type. 
-    It will also set accordingly the `Content-Type` header with the detected MIME type.
-    
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
+
 ## Configuration Options
 
 ### `excludedContentTypes`
 
-`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests to before compressing.
+`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.
 
-The requests with content types defined in `excludedContentTypes` are not compressed.
+The responses with content types defined in `excludedContentTypes` are not compressed.
 
 Content types are compared in a case-insensitive, whitespace-ignored manner.
 
@@ -108,12 +108,6 @@ labels:
   - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-    excludedContentTypes = ["text/event-stream"]
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -122,3 +116,9 @@ http:
         excludedContentTypes:
           - text/event-stream
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    excludedContentTypes = ["text/event-stream"]
+```

docs/content/middlewares/contenttype.md

@@ -1,18 +1,18 @@
-
 # ContentType
 
-Handling ContentType auto-detection
+Handling Content-Type auto-detection
 {: .subtitle }
 
-The Content-Type middleware - or rather its unique `autoDetect` option -
+The Content-Type middleware - or rather its `autoDetect` option -
 specifies whether to let the `Content-Type` header,
-if it has not been set by the backend,
+if it has not been defined by the backend,
 be automatically set to a value derived from the contents of the response.
 
 As a proxy, the default behavior should be to leave the header alone,
 regardless of what the backend did with it.
-However, the historic default was to always auto-detect and set the header if it was nil,
-and it is going to be kept that way in order to support users currently relying on it.
+However, the historic default was to always auto-detect and set the header if it was not already defined,
+and altering this behavior would be a breaking change which would impact many users.
+
 This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
 
 !!! info
@@ -21,7 +21,7 @@ This middleware exists to enable the correct behavior until at least the default
     is still to automatically set the `Content-Type` header.
     Therefore, given the default value of the `autoDetect` option (false),
     simply enabling this middleware for a router switches the router's behavior.
-    
+
     The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
     Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).
 
@@ -61,13 +61,6 @@ labels:
   - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
 ```
 
-```toml tab="File (TOML)"
-# Disable auto-detection
-[http.middlewares]
-  [http.middlewares.autodetect.contentType]
-     autoDetect=false
-```
-
 ```yaml tab="File (YAML)"
 # Disable auto-detection
 http:
@@ -77,6 +70,13 @@ http:
         autoDetect: false
 ```
 
+```toml tab="File (TOML)"
+# Disable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+     autoDetect=false
+```
+
 ## Configuration Options
 
 ### `autoDetect`

docs/content/middlewares/digestauth.md

@@ -1,11 +1,11 @@
 # DigestAuth
 
 Adding Digest Authentication
-{: .subtitle } 
+{: .subtitle }
 
 ![BasicAuth](../assets/img/middleware/digestauth.png)
 
-The DigestAuth middleware is a quick way to restrict access to your services to known users.
+The DigestAuth middleware restricts access to your services to known users.
 
 ## Configuration Examples
 
@@ -43,16 +43,6 @@ labels:
   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    users = [
-      "test:traefik:a2688e031edb4be6a3797f3882655c05",
-      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
-    ]
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -64,10 +54,20 @@ http:
           - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
 ## Configuration Options
 
-!!! tip 
-   
+!!! tip
+
     Use `htdigest` to generate passwords.
 
 ### `users`
@@ -75,9 +75,9 @@ http:
 The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
 
 !!! note ""
-    
+
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
-    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
 ```yaml tab="Docker"
 labels:
@@ -120,15 +120,6 @@ labels:
   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    users = [
-      "test:traefik:a2688e031edb4be6a3797f3882655c05",
-      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
-    ]
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -139,6 +130,15 @@ http:
           - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
 ### `usersFile`
 
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@@ -146,9 +146,9 @@ The `usersFile` option is the path to an external file that contains the authori
 The file content is a list of `name:realm:encoded-password`.
 
 !!! note ""
-    
+
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
-    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
 ```yaml tab="Docker"
 labels:
@@ -192,12 +192,6 @@ labels:
   - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    usersFile = "/path/to/my/usersfile"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -206,6 +200,12 @@ http:
         usersFile: "/path/to/my/usersfile"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"
 
     ```txt
@@ -215,7 +215,7 @@ http:
 
 ### `realm`
 
-You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
+You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
 
 ```yaml tab="Docker"
 labels:
@@ -247,12 +247,6 @@ labels:
   - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    realm = "MyRealm"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -261,6 +255,12 @@ http:
         realm: "MyRealm"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    realm = "MyRealm"
+```
+
 ### `headerField`
 
 You can customize the header field for the authenticated user using the `headerField`option.
@@ -296,12 +296,6 @@ labels:
   - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares.my-auth.digestAuth]
-  # ...
-  headerField = "X-WebAuth-User"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -311,6 +305,12 @@ http:
         headerField: "X-WebAuth-User"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares.my-auth.digestAuth]
+  # ...
+  headerField = "X-WebAuth-User"
+```
+
 ### `removeHeader`
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
@@ -345,12 +345,6 @@ labels:
   - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.digestAuth]
-    removeHeader = true
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -358,3 +352,9 @@ http:
       digestAuth:
         removeHeader: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    removeHeader = true
+```

docs/content/middlewares/errorpages.md

@@ -58,6 +58,21 @@ labels:
   - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```
 
+```yaml tab="File (YAML)"
+# Custom Error Page for 5XX
+http:
+  middlewares:
+    test-errorpage:
+      errors:
+        status:
+          - "500-599"
+        service: serviceError
+        query: "/{status}.html"
+
+  services:
+    # ... definition of error-handler-service and my-service
+```
+
 ```toml tab="File (TOML)"
 # Custom Error Page for 5XX
 [http.middlewares]
@@ -70,43 +85,33 @@ labels:
   # ... definition of error-handler-service and my-service
 ```
 
-```yaml tab="File (YAML)"
-# Custom Error Page for 5XX
-http:
-  middlewares:
-    test-errorpage:
-      errors:
-        status:
-          - "500-599"
-        service: serviceError
-        query: "/{status}.html"
+!!! note ""
 
-[http.services]
-  # ... definition of error-handler-service and my-service
-```
-
-!!! note "" 
     In this example, the error page URL is based on the status code (`query=/{status}.html`).
 
 ## Configuration Options
 
 ### `status`
 
-The `status` that will trigger the error page.
+The `status` option defines which status or range of statuses should result in an error page.
 
 The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
- 
-!!! note "" 
 
-    You can define either a status code like `500` or ranges with a syntax like `500-599`.
+!!! note ""
+
+    You can define either a status code as a number (`500`),
+    as multiple comma-separated numbers (`500,502`),
+    as ranges by separating two codes with a dash (`500-599`),
+    or a combination of the two (`404,418,500-599`).
 
 ### `service`
 
 The service that will serve the new requested error page.
 
-!!! note "" 
-    In kubernetes, you need to reference a kubernetes service instead of a traefik service.
+!!! note ""
+
+    In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.
 
 ### `query`
 
-The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
+The URL for the error page (hosted by `service`). You can use the `{status}` variable in the `query` option in order to insert the status code in the URL.

docs/content/middlewares/forwardauth.md

@@ -1,12 +1,12 @@
 # ForwardAuth
 
-Using an External Service to Check for Credentials
+Using an External Service to Forward Authentication
 {: .subtitle }
 
 ![AuthForward](../assets/img/middleware/authforward.png)
 
-The ForwardAuth middleware delegate the authentication to an external service.
-If the service response code is 2XX, access is granted and the original request is performed.
+The ForwardAuth middleware delegates authentication to an external service.
+If the service answers with a 2XX code, access is granted, and the original request is performed.
 Otherwise, the response from the authentication server is returned.
 
 ## Configuration Examples
@@ -45,13 +45,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
-```toml tab="File (TOML)"
-# Forward authentication to example.com
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-```
-
 ```yaml tab="File (YAML)"
 # Forward authentication to example.com
 http:
@@ -61,6 +54,13 @@ http:
         address: "https://example.com/auth"
 ```
 
+```toml tab="File (TOML)"
+# Forward authentication to example.com
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+```
+
 ## Forward-Request Headers
 
 The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
@@ -91,7 +91,7 @@ metadata:
   name: test-auth
 spec:
   forwardAuth:
-    address: https://example.com/auth 
+    address: https://example.com/auth
 ```
 
 ```yaml tab="Consul Catalog"
@@ -109,12 +109,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -123,9 +117,15 @@ http:
         address: "https://example.com/auth"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+```
+
 ### `trustForwardHeader`
 
-Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
+Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.
 
 ```yaml tab="Docker"
 labels:
@@ -158,13 +158,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    trustForwardHeader = true
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -174,9 +167,17 @@ http:
         trustForwardHeader: true
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    trustForwardHeader = true
+```
+
 ### `authResponseHeaders`
 
-The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request. All incoming request's headers in this list are deleted from the request before any copy happens.
+The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on
+forwarded request, replacing any existing conflicting headers.
 
 ```yaml tab="Docker"
 labels:
@@ -211,13 +212,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    authResponseHeaders = ["X-Auth-User", "X-Secret"]
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -229,11 +223,19 @@ http:
           - "X-Secret"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authResponseHeaders = ["X-Auth-User", "X-Secret"]
+```
+
 ### `authResponseHeadersRegex`
 
-The `authResponseHeadersRegex` option is the regex to match the headers that should be copied from the authentication server to the request. All incoming request's headers matching this regex are deleted from the request before any copy happens.
-It allows partial matching of the regular expression against the header's key.
-You should use start of string (`^`) and end of string (`$`) anchors to ensure a full match against the header's key.
+The `authResponseHeadersRegex` option is the regex to match headers to copy from the authentication server response and
+set on forwarded request, after stripping all headers that match the regex.
+It allows partial matching of the regular expression against the header key.
+The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.
 
 ```yaml tab="Docker"
 labels:
@@ -266,13 +268,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    authResponseHeadersRegex = "^X-"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -282,11 +277,18 @@ http:
         authResponseHeadersRegex: "^X-"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authResponseHeadersRegex = "^X-"
+```
+
 ### `authRequestHeaders`
 
 The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
 It allows filtering headers that should not be passed to the authentication server.
-If not set or empty then all request headers will be passed.
+If not set or empty then all request headers are passed.
 
 ```yaml tab="Docker"
 labels:
@@ -321,13 +323,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    authRequestHeaders = "Accept,X-CustomHeader"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -339,6 +334,13 @@ http:
           - "X-CustomHeader"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authRequestHeaders = "Accept,X-CustomHeader"
+```
+
 ### `tls`
 
 The `tls` option is the TLS configuration from Traefik to the authentication server.
@@ -389,14 +391,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      ca = "path/to/local.crt"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -407,14 +401,25 @@ http:
           ca: "path/to/local.crt"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      ca = "path/to/local.crt"
+```
+
 #### `tls.caOptional`
 
-Policy used for the secured connection with TLS Client Authentication to the authentication server.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
 
-- `true`: VerifyClientCertIfGiven
-- `false`: RequireAndVerifyClientCert
-- if `tls.ca` is undefined NoClientCert
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
 
 ```yaml tab="Docker"
 labels:
@@ -448,14 +453,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      caOptional = true
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -466,9 +463,17 @@ http:
           caOptional: true
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      caOptional = true
+```
+
 #### `tls.cert`
 
-Public certificate used for the secured connection to the authentication server.
+The public certificate used for the secure connection to the authentication server.
 
 ```yaml tab="Docker"
 labels:
@@ -517,15 +522,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      cert = "path/to/foo.cert"
-      key = "path/to/foo.key"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -537,12 +533,22 @@ http:
           key: "path/to/foo.key"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
 !!! info
-    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
 #### `tls.key`
 
-Private certificate used for the secure connection to the authentication server.
+The private certificate used for the secure connection to the authentication server.
 
 ```yaml tab="Docker"
 labels:
@@ -591,15 +597,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      cert = "path/to/foo.cert"
-      key = "path/to/foo.key"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -611,12 +608,22 @@ http:
           key: "path/to/foo.key"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
 !!! info
-    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
 #### `tls.insecureSkipVerify`
 
-If `insecureSkipVerify` is `true`, TLS for the connection to authentication server accepts any certificate presented by the server and any host name in that certificate.
+If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.
 
 ```yaml tab="Docker"
 labels:
@@ -650,14 +657,6 @@ labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      insecureSkipVerify: true
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -667,3 +666,11 @@ http:
         tls:
           insecureSkipVerify: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      insecureSkipVerify: true
+```

docs/content/middlewares/headers.md

@@ -1,17 +1,17 @@
-# Headers 
+# Headers
 
-Adding Headers to the Request / Response
+Managing Request/Response headers
 {: .subtitle }
 
 ![Headers](../assets/img/middleware/headers.png)
 
-The Headers middleware can manage the requests/responses headers.
+The Headers middleware manages the headers of requests and responses.
 
 ## Configuration Examples
 
 ### Adding Headers to the Request and the Response
 
-Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
+The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response
 
 ```yaml tab="Docker"
 labels:
@@ -23,7 +23,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     customRequestHeaders:
@@ -50,15 +50,6 @@ labels:
   - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.testHeader.headers]
-    [http.middlewares.testHeader.headers.customRequestHeaders]
-        X-Script-Name = "test"
-    [http.middlewares.testHeader.headers.customResponseHeaders]
-        X-Custom-Response-Header = "value"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -70,23 +61,32 @@ http:
           X-Custom-Response-Header: "value"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
+        X-Script-Name = "test"
+    [http.middlewares.testHeader.headers.customResponseHeaders]
+        X-Custom-Response-Header = "value"
+```
+
 ### Adding and Removing Headers
 
-`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
-and the `X-Custom-Response-Header` header removed from the response.
-
-Please note that it is not possible to remove headers through the use of labels (Docker, Rancher, Marathon, ...) for now.
+In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
+and responses are stripped of their `X-Custom-Response-Header` header.
 
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```
 
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     customRequestHeaders:
@@ -98,27 +98,23 @@ spec:
 
 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```
 
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header": "",
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "",
 }
 ```
 
 ```yaml tab="Rancher"
 labels:
   - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.testHeader.headers]
-    [http.middlewares.testHeader.headers.customRequestHeaders]
-        X-Script-Name = "test" # Adds
-        X-Custom-Request-Header = "" # Removes
-    [http.middlewares.testHeader.headers.customResponseHeaders]
-        X-Custom-Response-Header = "" # Removes
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```
 
 ```yaml tab="File (YAML)"
@@ -133,10 +129,20 @@ http:
           X-Custom-Response-Header: "" # Removes
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
+        X-Script-Name = "test" # Adds
+        X-Custom-Request-Header = "" # Removes
+    [http.middlewares.testHeader.headers.customResponseHeaders]
+        X-Custom-Response-Header = "" # Removes
+```
+
 ### Using Security Headers
 
-Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured in a manner similar to the custom headers above.
-This functionality allows for some easy security features to quickly be set.
+Security-related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
+This functionality makes it possible to easily use security features by adding headers.
 
 ```yaml tab="Docker"
 labels:
@@ -148,7 +154,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     frameDeny: true
@@ -173,14 +179,7 @@ labels:
   - "traefik.http.middlewares.testheader.headers.sslredirect=true"
 ```
 
-```toml tab="File (TOML)"    
-[http.middlewares]
-  [http.middlewares.testHeader.headers]
-    frameDeny = true
-    sslRedirect = true
-```
-
-```yaml tab="File (YAML)"  
+```yaml tab="File (YAML)"
 http:
   middlewares:
     testHeader:
@@ -189,6 +188,13 @@ http:
         sslRedirect: true
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    frameDeny = true
+    sslRedirect = true
+```
+
 ### CORS Headers
 
 CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
@@ -206,7 +212,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     accessControlAllowMethods:
@@ -244,15 +250,6 @@ labels:
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
 
-```toml tab="File (TOML)"    
-[http.middlewares]
-  [http.middlewares.testHeader.headers]
-    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
-    accessControlMaxAge = 100
-    addVaryHeader = true
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -269,23 +266,34 @@ http:
         addVaryHeader: true
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
+    accessControlMaxAge = 100
+    addVaryHeader = true
+```
+
 ## Configuration Options
 
 ### General
 
 !!! warning
-    If the custom header name is the same as one header name of the request or response, it will be replaced.
+
+    Custom headers will overwrite existing headers if they have identical names.
 
 !!! note ""
-    The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
+
+    The detailed documentation for security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
 
 ### `customRequestHeaders`
 
-The `customRequestHeaders` option lists the Header names and values to apply to the request.
+The `customRequestHeaders` option lists the header names and values to apply to the request.
 
 ### `customResponseHeaders`
 
-The `customResponseHeaders` option lists the Header names and values to apply to the response.
+The `customResponseHeaders` option lists the header names and values to apply to the response.
 
 ### `accessControlAllowCredentials`
 
@@ -303,25 +311,26 @@ The  `accessControlAllowMethods` indicates which methods can be used during requ
 
 The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
 
-A wildcard origin `*` can also be configured, and will match all requests.
-If this value is set by a backend server, it will be overwritten by Traefik
+A wildcard origin `*` can also be configured, and matches all requests.
+If this value is set by a backend service, it will be overwritten by Traefik.
 
 This value can contain a list of allowed origins.
 
-More information including how to use the settings can be found on:
+More information including how to use the settings can be found at:
 
 - [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
 - [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
 - [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
 
-Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
+Traefik no longer supports the `null` value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
 
 ### `accessControlAllowOriginListRegex`
 
 The `accessControlAllowOriginListRegex` option is the counterpart of the `accessControlAllowOriginList` option with regular expressions instead of origin values.
-It will allow all origin that contains any match of a regular expression in the `accessControlAllowOriginList`.
+It allows all origins that contain any match of a regular expression in the `accessControlAllowOriginList`.
 
 !!! tip
+
     Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
 
 ### `accessControlExposeHeaders`
@@ -330,66 +339,66 @@ The `accessControlExposeHeaders` indicates which headers are safe to expose to t
 
 ### `accessControlMaxAge`
 
-The `accessControlMaxAge` indicates how long (in seconds) a preflight request can be cached.
+The `accessControlMaxAge` indicates how many seconds a preflight request can be cached for.
 
 ### `addVaryHeader`
 
-The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
 
-### `allowedHosts` 
+### `allowedHosts`
 
 The `allowedHosts` option lists fully qualified domain names that are allowed.
 
-### `hostsProxyHeaders` 
+### `hostsProxyHeaders`
 
 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
 
-### `sslRedirect` 
+### `sslRedirect`
 
-The `sslRedirect` is set to true, then only allow https requests.
+The `sslRedirect` only allow HTTPS requests when set to `true`.
 
 ### `sslTemporaryRedirect`
-                    
-Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
 
-### `sslHost` 
+Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
 
-The `sslHost` option is the host name that is used to redirect http requests to https.
+### `sslHost`
 
-### `sslProxyHeaders` 
+The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
 
-The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request.
-Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
+### `sslProxyHeaders`
 
-### `sslForceHost` 
+The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
+It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).
 
-Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
+### `sslForceHost`
 
-### `stsSeconds` 
+Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
 
-The `stsSeconds` is the max-age of the Strict-Transport-Security header.
-If set to 0, would NOT include the header.
+### `stsSeconds`
 
-### `stsIncludeSubdomains` 
+The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
+If set to `0`, the header is not set.
 
-The `stsIncludeSubdomains` is set to true, the `includeSubDomains` directive will be appended to the Strict-Transport-Security header.
+### `stsIncludeSubdomains`
 
-### `stsPreload` 
+If the `stsIncludeSubdomains` is set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header.
 
-Set `stsPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
+### `stsPreload`
+
+Set `stsPreload` to `true` to have the `preload` flag appended to the `Strict-Transport-Security` header.
 
 ### `forceSTSHeader`
 
-Set `forceSTSHeader` to true, to add the STS header even when the connection is HTTP.
+Set `forceSTSHeader` to `true` to add the STS header even when the connection is HTTP.
 
-### `frameDeny` 
+### `frameDeny`
 
-Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
- 
-### `customFrameOptionsValue` 
+Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY`.
+
+### `customFrameOptionsValue`
 
 The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
-This overrides the FrameDeny option.
+This overrides the `FrameDeny` option.
 
 ### `contentTypeNosniff`
 
@@ -402,7 +411,7 @@ Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the val
 ### `customBrowserXSSValue`
 
 The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
-This overrides the BrowserXssFilter option.
+This overrides the `BrowserXssFilter` option.
 
 ### `contentSecurityPolicy`
 
@@ -410,11 +419,11 @@ The `contentSecurityPolicy` option allows the `Content-Security-Policy` header v
 
 ### `publicKey`
 
-The `publicKey` implements HPKP to prevent MITM attacks with forged certificates. 
+The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
 
 ### `referrerPolicy`
 
-The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
+The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.
 
 ### `featurePolicy`
 
@@ -422,7 +431,6 @@ The `featurePolicy` allows sites to control browser features.
 
 ### `isDevelopment`
 
-Set `isDevelopment` to true when developing.
-The AllowedHosts, SSL, and STS options can cause some unwanted effects.
-Usually testing happens on http, not https, and on localhost, not your production domain.  
-If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
+Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
+Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
+If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.

docs/content/middlewares/inflightreq.md

@@ -5,7 +5,7 @@ Limiting the Number of Simultaneous In-Flight Requests
 
 ![InFlightReq](../assets/img/middleware/inflightreq.png)
 
-To proactively prevent services from being overwhelmed with high load, a limit on the number of simultaneous in-flight requests can be applied.
+To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.
 
 ## Configuration Examples
 
@@ -41,20 +41,20 @@ labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
-```toml tab="File (TOML)"
-# Limiting to 10 simultaneous connections
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inFlightReq]
-    amount = 10 
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
   middlewares:
     test-inflightreq:
       inFlightReq:
-        amount: 10 
+        amount: 10
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10
 ```
 
 ## Configuration Options
@@ -62,7 +62,7 @@ http:
 ### `amount`
 
 The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
-The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
+The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
 
 ```yaml tab="Docker"
 labels:
@@ -96,42 +96,42 @@ labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
-```toml tab="File (TOML)"
-# Limiting to 10 simultaneous connections
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inFlightReq]
-    amount = 10 
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
   middlewares:
     test-inflightreq:
       inFlightReq:
-        amount: 10 
+        amount: 10
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10
 ```
 
 ### `sourceCriterion`
- 
-SourceCriterion defines what criterion is used to group requests as originating from a common source.
+
+The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
 The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
 If none are set, the default is to use the `requestHost`.
 
 #### `sourceCriterion.ipStrategy`
 
-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
 
 ##### `ipStrategy.depth`
 
-The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
+
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
+- `depth` is ignored if its value is less than or equal to 0.
 
-- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-- `depth` is ignored if its value is lesser than or equal to 0.
-    
 !!! example "Example of Depth & X-Forwarded-For"
 
-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
 
     | `X-Forwarded-For`                       | `depth` | clientIP     |
     |-----------------------------------------|---------|--------------|
@@ -171,13 +171,6 @@ labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
-      depth = 2
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -188,9 +181,16 @@ http:
             depth: 2
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
 ##### `ipStrategy.excludedIPs`
 
-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
+`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
 
 !!! important "If `depth` is specified, `excludedIPs` is ignored."
 
@@ -238,13 +238,6 @@ labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
-      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -257,9 +250,16 @@ http:
               - "192.168.1.7"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
 #### `sourceCriterion.requestHeaderName`
 
-Requests having the same value for the given header are grouped as coming from the same source.
+Name of the header used to group incoming requests.
 
 ```yaml tab="Docker"
 labels:
@@ -292,13 +292,6 @@ labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
-      requestHeaderName = "username"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -308,6 +301,13 @@ http:
           requestHeaderName: username
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
+      requestHeaderName = "username"
+```
+
 #### `sourceCriterion.requestHost`
 
 Whether to consider the request host as the source.
@@ -343,13 +343,6 @@ labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
-      requestHost = true
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -358,3 +351,10 @@ http:
         sourceCriterion:
           requestHost: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
+      requestHost = true
+```

docs/content/middlewares/ipwhitelist.md

@@ -44,13 +44,6 @@ labels:
   - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
-```toml tab="File (TOML)"
-# Accepts request from defined IP
-[http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
-    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -62,6 +55,13 @@ http:
           - "192.168.1.7"
 ```
 
+```toml tab="File (TOML)"
+# Accepts request from defined IP
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+```
+
 ## Configuration Options
 
 ### `sourceRange`
@@ -70,95 +70,105 @@ The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using
 
 ### `ipStrategy`
 
-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.
 
 #### `ipStrategy.depth`
 
 The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
 
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is less than or equal to 0.
+
 !!! example "Examples of Depth & X-Forwarded-For"
 
-    ```yaml tab="Docker"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    labels:
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```yaml tab="Kubernetes"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: Middleware
-    metadata:
-      name: testIPwhitelist
-    spec:
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
+
+    | `X-Forwarded-For`                       | `depth` | clientIP     |
+    |-----------------------------------------|---------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+```yaml tab="Docker"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipwhitelist
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+    ipStrategy:
+      depth: 2
+```
+
+```yaml tab="Consul Catalog"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
+```yaml tab="File (YAML)"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+http:
+  middlewares:
+    test-ipwhitelist:
       ipWhiteList:
         sourceRange:
-          - 127.0.0.1/32
-          - 192.168.1.7
+          - "127.0.0.1/32"
+          - "192.168.1.7"
         ipStrategy:
           depth: 2
-    ```
-    
-    ```yaml tab="Consul Catalog"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```json tab="Marathon"
-    "labels": {
-      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-      "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
-    }
-    ```
-    
-    ```yaml tab="Rancher"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    labels:
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-      - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
-    ```
-    
-    ```toml tab="File (TOML)"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    [http.middlewares]
-      [http.middlewares.test-ipwhitelist.ipWhiteList]
-        sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-          depth = 2
-    ```
-    
-    ```yaml tab="File (YAML)"
-    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    http:
-      middlewares:
-        test-ipwhitelist:
-          ipWhiteList:
-            sourceRange:
-              - "127.0.0.1/32"
-              - "192.168.1.7"
-            ipStrategy:
-              depth: 2
-    ```
-    
-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
-    
-    ??? example "More examples"
-    
-        | `X-Forwarded-For`                       | `depth` | clientIP     |
-        |-----------------------------------------|---------|--------------|
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
-        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+```
 
-!!! info
-
-    - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-    - `depth` is ignored if its value is lesser than or equal to 0.
+```toml tab="File (TOML)"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+      depth = 2
+```
 
 #### `ipStrategy.excludedIPs`
 
+`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
@@ -196,14 +206,6 @@ labels:
   - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
-```toml tab="File (TOML)"
-# Exclude from `X-Forwarded-For`
-[http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
@@ -216,16 +218,10 @@ http:
             - "192.168.1.7"
 ```
 
-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Examples of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+```toml tab="File (TOML)"
+# Exclude from `X-Forwarded-For`
+[http.middlewares]
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```

docs/content/middlewares/overview.md

@@ -13,7 +13,7 @@ Pieces of middleware can be combined in chains to fit every scenario.
 
 !!! warning "Provider Namespace"
 
-    Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section. 
+    Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section.
     It also applies to Middlewares.
 
 ## Configuration Example
@@ -91,26 +91,6 @@ labels:
   - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
 ```
 
-```toml tab="File (TOML)"
-# As TOML Configuration File
-[http.routers]
-  [http.routers.router1]
-    service = "myService"
-    middlewares = ["foo-add-prefix"]
-    rule = "Host(`example.com`)"
-
-[http.middlewares]
-  [http.middlewares.foo-add-prefix.addPrefix]
-    prefix = "/foo"
-
-[http.services]
-  [http.services.service1]
-    [http.services.service1.loadBalancer]
-
-      [[http.services.service1.loadBalancer.servers]]
-        url = "http://127.0.0.1:80"
-```
-
 ```yaml tab="File (YAML)"
 # As YAML Configuration File
 http:
@@ -133,6 +113,26 @@ http:
           - url: "http://127.0.0.1:80"
 ```
 
+```toml tab="File (TOML)"
+# As TOML Configuration File
+[http.routers]
+  [http.routers.router1]
+    service = "myService"
+    middlewares = ["foo-add-prefix"]
+    rule = "Host(`example.com`)"
+
+[http.middlewares]
+  [http.middlewares.foo-add-prefix.addPrefix]
+    prefix = "/foo"
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
+```
+
 ## Available Middlewares
 
 | Middleware                                | Purpose                                           | Area                        |

docs/content/middlewares/passtlsclientcert.md

@@ -7,7 +7,7 @@ Adding Client Certificates in a Header
 TODO: add schema
 -->
 
-PassTLSClientCert adds in header the selected data from the passed client tls certificate.
+PassTLSClientCert adds the selected data from the passed client TLS certificate to a header.
 
 ## Configuration Examples
 
@@ -46,13 +46,6 @@ labels:
   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 
-```toml tab="File (TOML)"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
-[http.middlewares]
-  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
-    pem = true
-```
-
 ```yaml tab="File (YAML)"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
@@ -62,6 +55,13 @@ http:
         pem: true
 ```
 
+```toml tab="File (TOML)"
+# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+[http.middlewares]
+  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+    pem = true
+```
+
 ??? example "Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
 
     ```yaml tab="Docker"
@@ -86,7 +86,7 @@ http:
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
-    
+
     ```yaml tab="Kubernetes"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     apiVersion: traefik.containo.us/v1alpha1
@@ -116,7 +116,7 @@ http:
             serialNumber: true
             domainComponent: true
     ```
-    
+
     ```yaml tab="Consul Catalog"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
@@ -137,7 +137,7 @@ http:
     - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
     - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
-        
+
     ```json tab="Marathon"
     "labels": {
       "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
@@ -159,7 +159,7 @@ http:
       "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
     }
     ```
-    
+
     ```yaml tab="Rancher"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     labels:
@@ -182,32 +182,6 @@ http:
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
 
-    ```toml tab="File (TOML)"
-    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    [http.middlewares]
-      [http.middlewares.test-passtlsclientcert.passTLSClientCert]
-        [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
-          notAfter = true
-          notBefore = true
-          sans = true
-          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
-            country = true
-            province = true
-            locality = true
-            organization = true
-            commonName = true
-            serialNumber = true
-            domainComponent = true
-          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
-            country = true
-            province = true
-            locality = true
-            organization = true
-            commonName = true
-            serialNumber = true
-            domainComponent = true
-    ```
-
     ```yaml tab="File (YAML)"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     http:
@@ -236,11 +210,37 @@ http:
                 domainComponent: true
     ```
 
+    ```toml tab="File (TOML)"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    [http.middlewares]
+      [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+        [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
+          notAfter = true
+          notBefore = true
+          sans = true
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+    ```
+
 ## Configuration Options
 
 ### General
 
-PassTLSClientCert can add two headers to the request: 
+PassTLSClientCert can add two headers to the request:
 
 - `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
@@ -251,9 +251,9 @@ PassTLSClientCert can add two headers to the request:
     * These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
     That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
 
-In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.
+The following example shows a complete certificate and explains each of the middleware options.
 
-??? example "A complete client tls certificate"
+??? example "A complete client TLS certificate"
 
     ```
     Certificate:
@@ -292,16 +292,16 @@ In the following example, you can see a complete certificate. We will use each p
             X509v3 extensions:
                 X509v3 Key Usage: critical
                     Digital Signature, Key Encipherment
-                X509v3 Basic Constraints: 
+                X509v3 Basic Constraints:
                     CA:FALSE
-                X509v3 Extended Key Usage: 
+                X509v3 Extended Key Usage:
                     TLS Web Server Authentication, TLS Web Client Authentication
-                X509v3 Subject Key Identifier: 
+                X509v3 Subject Key Identifier:
                     94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
-                X509v3 Authority Key Identifier: 
+                X509v3 Authority Key Identifier:
                     keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
-    
-                X509v3 Subject Alternative Name: 
+
+                X509v3 Subject Alternative Name:
                     DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
         Signature Algorithm: sha1WithRSAEncryption
              76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
@@ -359,9 +359,9 @@ In the following example, you can see a complete certificate. We will use each p
 
 ### `pem`
 
-The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
+The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escaped certificate.
 
-In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
+In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters:
 
 ??? example "The data used by the pem option"
 
@@ -403,23 +403,24 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
     ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
     -----END CERTIFICATE-----
     ```
-    
+
 !!! info "Extracted data"
-    
-    The delimiters and `\n` will be removed.  
+
+    The delimiters and `\n` will be removed.
     If there are more than one certificate, they are separated by a "`,`".
 
 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
 
-    The header size limit of web servers is commonly between 4kb and 8kb.  
+    The header size limit of web servers is commonly between 4kb and 8kb.
     You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
 
 ### `info`
 
-The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
-The value of the header will be an escaped concatenation of all the selected certificate details.
+The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
 
-The following example shows an unescaped result that uses all the available fields: 
+The value of the header is an escaped concatenation of all the selected certificate details.
+
+The following example shows an unescaped result that uses all the available fields:
 
 ```text
 Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -433,14 +434,14 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO
 
 Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.
 
-The data are taken from the following certificate part:      
+The data is taken from the following certificate part:
 
 ```text
     Validity
-        Not After : Dec  5 11:10:16 2020 GMT            
+        Not After : Dec  5 11:10:16 2020 GMT
 ```
 
-The escape `notAfter` info part will be like:
+The escaped `notAfter` info part is formatted as below:
 
 ```text
 NA="1607166616"
@@ -450,14 +451,14 @@ NA="1607166616"
 
 Set the `info.notBefore` option to `true` to add the `Not Before` information from the `Validity` part.
 
-The data are taken from the following certificate part:
+The data is taken from the following certificate part:
 
 ```text
 Validity
     Not Before: Dec  6 11:10:16 2018 GMT
 ```
 
-The escape `notBefore` info part will be like:
+The escaped `notBefore` info part is formatted as below:
 
 ```text
 NB="1544094616"
@@ -467,28 +468,28 @@ NB="1544094616"
 
 Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
 
-The data are taken from the following certificate part:
+The data is taken from the following certificate part:
 
 ```text
- X509v3 Subject Alternative Name: 
+ X509v3 Subject Alternative Name:
     DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```
 
-The escape SANs info part will be like:
+The escape SANs info part is formatted as below:
 
 ```text
 SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
 
-!!! info "multiple values"
+!!! info "Multiple values"
 
-    All the SANs data are separated by a `,`.
+    The SANs are separated by a `,`.
 
 #### `info.subject`
 
-The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
+The `info.subject` selects the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
 
-The data are taken from the following certificate part :
+The data is taken from the following certificate part:
 
 ```text
 Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
@@ -496,9 +497,11 @@ Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=
 
 ##### `info.subject.country`
 
-Set the `info.subject.country` option to true to add the `country` information into the subject.  
-The data are taken from the subject part with the `C` key. 
-The escape country info in the subject part will be like :
+Set the `info.subject.country` option to `true` to add the `country` information into the subject.
+
+The data is taken from the subject part with the `C` key.
+
+The escape country info in the subject part is formatted as below:
 
 ```text
 C=FR,C=US
@@ -506,11 +509,11 @@ C=FR,C=US
 
 ##### `info.subject.province`
 
-Set the `info.subject.province` option to true to add the `province` information into the subject.
-  
-The data are taken from the subject part with the `ST` key.
+Set the `info.subject.province` option to `true` to add the `province` information into the subject.
 
-The escape province info in the subject part will be like :
+The data is taken from the subject part with the `ST` key.
+
+The escape province info in the subject part is formatted as below:
 
 ```text
 ST=Cheese org state,ST=Cheese com state
@@ -518,11 +521,11 @@ ST=Cheese org state,ST=Cheese com state
 
 ##### `info.subject.locality`
 
-Set the `info.subject.locality` option to true to add the `locality` information into the subject.
-  
-The data are taken from the subject part with the `L` key.
+Set the `info.subject.locality` option to `true` to add the `locality` information into the subject.
 
-The escape locality info in the subject part will be like :
+The data is taken from the subject part with the `L` key.
+
+The escape locality info in the subject part is formatted as below:
 
 ```text
 L=TOULOUSE,L=LYON
@@ -530,11 +533,11 @@ L=TOULOUSE,L=LYON
 
 ##### `info.subject.organization`
 
-Set the `info.subject.organization` option to true to add the `organization` information into the subject.
-  
-The data are taken from the subject part with the `O` key.
+Set the `info.subject.organization` option to `true` to add the `organization` information into the subject.
 
-The escape organization info in the subject part will be like :
+The data is taken from the subject part with the `O` key.
+
+The escape organization info in the subject part is formatted as below:
 
 ```text
 O=Cheese,O=Cheese 2
@@ -542,11 +545,11 @@ O=Cheese,O=Cheese 2
 
 ##### `info.subject.commonName`
 
-Set the `info.subject.commonName` option to true to add the `commonName` information into the subject.
-  
-The data are taken from the subject part with the `CN` key.
+Set the `info.subject.commonName` option to `true` to add the `commonName` information into the subject.
 
-The escape common name info in the subject part will be like :
+The data is taken from the subject part with the `CN` key.
+
+The escape common name info in the subject part is formatted as below:
 
 ```text
 CN=*.example.com
@@ -554,11 +557,11 @@ CN=*.example.com
 
 ##### `info.subject.serialNumber`
 
-Set the `info.subject.serialNumber` option to true to add the `serialNumber` information into the subject.
-  
-The data are taken from the subject part with the `SN` key.
+Set the `info.subject.serialNumber` option to `true` to add the `serialNumber` information into the subject.
 
-The escape serial number info in the subject part will be like :
+The data is taken from the subject part with the `SN` key.
+
+The escape serial number info in the subject part is formatted as below:
 
 ```text
 SN=1234567890
@@ -566,11 +569,11 @@ SN=1234567890
 
 ##### `info.subject.domainComponent`
 
-Set the `info.subject.domainComponent` option to true to add the `domainComponent` information into the subject.
-  
-The data are taken from the subject part with the `DC` key.
+Set the `info.subject.domainComponent` option to `true` to add the `domainComponent` information into the subject.
 
-The escape domaincomponent info in the subject part will be like :
+The data is taken from the subject part with the `DC` key.
+
+The escape domain component info in the subject part is formatted as below:
 
 ```text
 DC=org,DC=cheese
@@ -578,9 +581,9 @@ DC=org,DC=cheese
 
 #### `info.issuer`
 
-The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
+The `info.issuer` selects the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
 
-The data are taken from the following certificate part :
+The data is taken from the following certificate part:
 
 ```text
 Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
@@ -588,9 +591,11 @@ Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=S
 
 ##### `info.issuer.country`
 
-Set the `info.issuer.country` option to true to add the `country` information into the issuer.  
-The data are taken from the issuer part with the `C` key. 
-The escape country info in the issuer part will be like :
+Set the `info.issuer.country` option to `true` to add the `country` information into the issuer.
+
+The data is taken from the issuer part with the `C` key.
+
+The escape country info in the issuer part is formatted as below:
 
 ```text
 C=FR,C=US
@@ -598,11 +603,11 @@ C=FR,C=US
 
 ##### `info.issuer.province`
 
-Set the `info.issuer.province` option to true to add the `province` information into the issuer.
-  
-The data are taken from the issuer part with the `ST` key.
+Set the `info.issuer.province` option to `true` to add the `province` information into the issuer.
 
-The escape province info in the issuer part will be like :
+The data is taken from the issuer part with the `ST` key.
+
+The escape province info in the issuer part is formatted as below:
 
 ```text
 ST=Signing State,ST=Signing State 2
@@ -610,11 +615,11 @@ ST=Signing State,ST=Signing State 2
 
 ##### `info.issuer.locality`
 
-Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
-  
-The data are taken from the issuer part with the `L` key.
+Set the `info.issuer.locality` option to `true` to add the `locality` information into the issuer.
 
-The escape locality info in the issuer part will be like :
+The data is taken from the issuer part with the `L` key.
+
+The escape locality info in the issuer part is formatted as below:
 
 ```text
 L=TOULOUSE,L=LYON
@@ -622,11 +627,11 @@ L=TOULOUSE,L=LYON
 
 ##### `info.issuer.organization`
 
-Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
-  
-The data are taken from the issuer part with the `O` key.
+Set the `info.issuer.organization` option to `true` to add the `organization` information into the issuer.
 
-The escape organization info in the issuer part will be like :
+The data is taken from the issuer part with the `O` key.
+
+The escape organization info in the issuer part is formatted as below:
 
 ```text
 O=Cheese,O=Cheese 2
@@ -634,11 +639,11 @@ O=Cheese,O=Cheese 2
 
 ##### `info.issuer.commonName`
 
-Set the `info.issuer.commonName` option to true to add the `commonName` information into the issuer.
-  
-The data are taken from the issuer part with the `CN` key.
+Set the `info.issuer.commonName` option to `true` to add the `commonName` information into the issuer.
 
-The escape common name info in the issuer part will be like :
+The data is taken from the issuer part with the `CN` key.
+
+The escape common name info in the issuer part is formatted as below:
 
 ```text
 CN=Simple Signing CA 2
@@ -646,11 +651,11 @@ CN=Simple Signing CA 2
 
 ##### `info.issuer.serialNumber`
 
-Set the `info.issuer.serialNumber` option to true to add the `serialNumber` information into the issuer.
-  
-The data are taken from the issuer part with the `SN` key.
+Set the `info.issuer.serialNumber` option to `true` to add the `serialNumber` information into the issuer.
 
-The escape serial number info in the issuer part will be like :
+The data is taken from the issuer part with the `SN` key.
+
+The escape serial number info in the issuer part is formatted as below:
 
 ```text
 SN=1234567890
@@ -658,11 +663,11 @@ SN=1234567890
 
 ##### `info.issuer.domainComponent`
 
-Set the `info.issuer.domainComponent` option to true to add the `domainComponent` information into the issuer.
-  
-The data are taken from the issuer part with the `DC` key.
+Set the `info.issuer.domainComponent` option to `true` to add the `domainComponent` information into the issuer.
 
-The escape domain component info in the issuer part will be like :
+The data is taken from the issuer part with the `DC` key.
+
+The escape domain component info in the issuer part is formatted as below:
 
 ```text
 DC=org,DC=cheese

docs/content/middlewares/ratelimit.md

@@ -3,7 +3,7 @@
 To Control the Number of Requests Going to a Service
 {: .subtitle }
 
-The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows one to define what fair is.
+The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.
 
 ## Configuration Example
 
@@ -50,15 +50,6 @@ labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```
 
-```toml tab="File (TOML)"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 100
-    burst = 50
-```
-
 ```yaml tab="File (YAML)"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
@@ -70,11 +61,20 @@ http:
         burst: 50
 ```
 
+```toml tab="File (TOML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+    burst = 50
+```
+
 ## Configuration Options
 
 ### `average`
 
-`average` is the maximum rate, by default in requests by second, allowed for the given source.
+`average` is the maximum rate, by default in requests per second, allowed from a given source.
 
 It defaults to `0`, which means no rate limiting.
 
@@ -114,13 +114,6 @@ labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
-```toml tab="File (TOML)"
-# 100 reqs/s
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 100
-```
-
 ```yaml tab="File (YAML)"
 # 100 reqs/s
 http:
@@ -130,6 +123,13 @@ http:
         average: 100
 ```
 
+```toml tab="File (TOML)"
+# 100 reqs/s
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+```
+
 ### `period`
 
 `period`, in combination with `average`, defines the actual maximum rate, such as:
@@ -179,14 +179,6 @@ labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
 ```
 
-```toml tab="File (TOML)"
-# 6 reqs/minute
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 6
-    period = 1m
-```
-
 ```yaml tab="File (YAML)"
 # 6 reqs/minute
 http:
@@ -197,6 +189,14 @@ http:
         period: 1m
 ```
 
+```toml tab="File (TOML)"
+# 6 reqs/minute
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 6
+    period = "1m"
+```
+
 ### `burst`
 
 `burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
@@ -219,7 +219,7 @@ spec:
 ```
 
 ```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
+- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```
 
 ```json tab="Marathon"
@@ -230,13 +230,7 @@ spec:
 
 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"	
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    burst = 100
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```
 
 ```yaml tab="File (YAML)"
@@ -247,26 +241,32 @@ http:
         burst: 100
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    burst = 100
+```
+
 ### `sourceCriterion`
- 
-SourceCriterion defines what criterion is used to group requests as originating from a common source.
+
+The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
 The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
 If none are set, the default is to use the request's remote address field (as an `ipStrategy`).
 
 #### `sourceCriterion.ipStrategy`
 
-The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
 
 ##### `ipStrategy.depth`
 
-The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
 
-- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-- `depth` is ignored if its value is lesser than or equal to 0.
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
+- `depth` is ignored if its value is less than or equal to 0.
 
 !!! example "Example of Depth & X-Forwarded-For"
 
-    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
 
     | `X-Forwarded-For`                       | `depth` | clientIP     |
     |-----------------------------------------|---------|--------------|
@@ -274,8 +274,98 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    sourceCriterion:
+      ipStrategy:
+        depth: 2
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        sourceCriterion:
+          ipStrategy:
+            depth: 2
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
 ##### `ipStrategy.excludedIPs`
 
+!!! important "Contrary to what the name might suggest, this option is _not_ about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs."
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+`excludedIPs` is meant to address two classes of somewhat distinct use-cases:
+
+1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others,
+   to its own rate-limit "bucket" (cf the [leaky bucket analogy](https://wikipedia.org/wiki/Leaky_bucket)).
+   In this case, `excludedIPs` should be set to match the list of `X-Forwarded-For IPs` that are to be excluded,
+   in order to find the actual clientIP.
+
+    !!! example "Each IP as a distinct source"
+
+        | X-Forwarded-For                | excludedIPs           | clientIP     |
+        |--------------------------------|-----------------------|--------------|
+        | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
+        | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
+
+2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source,
+   and all contribute to the same rate-limit bucket.
+
+    !!! example "Group IPs together as same source"
+
+        |  X-Forwarded-For               |  excludedIPs | clientIP     |
+        |--------------------------------|--------------|--------------|
+        | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+        | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+        | `"10.0.0.3,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+
+For completeness, below are additional examples to illustrate how the matching works.
+For a given request the list of `X-Forwarded-For` IPs is checked from most recent to most distant against the `excludedIPs` pool,
+and the first IP that is _not_ in the pool (if any) is returned.
+
+!!! example "Matching for clientIP"
+
+    |  X-Forwarded-For               |  excludedIPs          | clientIP     |
+    |--------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"11.0.0.1"`          | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`          | `"10.0.0.1,11.0.0.1"` | `""`         |
+
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
@@ -310,13 +400,6 @@ labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
-      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -329,23 +412,16 @@ http:
               - "192.168.1.7"
 ```
 
-`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Example of ExcludedIPs & X-Forwarded-For"
-
-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
 
 #### `sourceCriterion.requestHeaderName`
 
-Requests having the same value for the given header are grouped as coming from the same source.
+Name of the header used to group incoming requests.
 
 ```yaml tab="Docker"
 labels:
@@ -378,13 +454,6 @@ labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
-      requestHeaderName = "username"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -394,6 +463,13 @@ http:
           requestHeaderName: username
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHeaderName = "username"
+```
+
 #### `sourceCriterion.requestHost`
 
 Whether to consider the request host as the source.
@@ -429,13 +505,6 @@ labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
-      requestHost = true
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -444,3 +513,10 @@ http:
         sourceCriterion:
           requestHost: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHost = true
+```

docs/content/middlewares/redirectregex.md

@@ -7,7 +7,7 @@ Redirecting the Client to a Different Location
 TODO: add schema
 -->
 
-RegexRedirect redirect a request from an url to another with regex matching and replacement.
+The RedirectRegex redirects a request using regex matching and replacement.
 
 ## Configuration Examples
 
@@ -53,14 +53,6 @@ labels:
   - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```
 
-```toml tab="File (TOML)"
-# Redirect with domain replacement
-[http.middlewares]
-  [http.middlewares.test-redirectregex.redirectRegex]
-    regex = "^http://localhost/(.*)"
-    replacement = "http://mydomain/${1}"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect with domain replacement
 http:
@@ -71,8 +63,20 @@ http:
         replacement: "http://mydomain/${1}"
 ```
 
+```toml tab="File (TOML)"
+# Redirect with domain replacement
+[http.middlewares]
+  [http.middlewares.test-redirectregex.redirectRegex]
+    regex = "^http://localhost/(.*)"
+    replacement = "http://mydomain/${1}"
+```
+
 ## Configuration Options
 
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
 ### `permanent`
 
 Set the `permanent` option to `true` to apply a permanent redirection.
@@ -81,14 +85,10 @@ Set the `permanent` option to `true` to apply a permanent redirection.
 
 The `regex` option is the regular expression to match and capture elements from the request URL.
 
-!!! warning
-
-    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
-
-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-    
 ### `replacement`
 
 The `replacement` option defines how to modify the URL to have the new target URL.
+
+!!! warning
+
+    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.

docs/content/middlewares/redirectscheme.md

@@ -7,7 +7,7 @@ Redirecting the Client to a Different Scheme/Port
 TODO: add schema
 -->
 
-RedirectScheme redirect request from a scheme to another.
+RedirectScheme redirects requests from a scheme/port to another.
 
 ## Configuration Examples
 
@@ -51,14 +51,6 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```
 
-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectScheme]
-    scheme = "https"
-    permanent = true
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -69,6 +61,14 @@ http:
         permanent: true
 ```
 
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = true
+```
+
 ## Configuration Options
 
 ### `permanent`
@@ -115,14 +115,6 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```
 
-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectScheme]
-    # ...
-    permanent = true
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -133,9 +125,17 @@ http:
         permanent: true
 ```
 
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    permanent = true
+```
+
 ### `scheme`
 
-The `scheme` option defines the scheme of the new url.
+The `scheme` option defines the scheme of the new URL.
 
 ```yaml tab="Docker"
 # Redirect to https
@@ -172,13 +172,6 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectScheme]
-    scheme = "https"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -188,9 +181,16 @@ http:
         scheme: https
 ```
 
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+```
+
 ### `port`
 
-The `port` option defines the port of the new url.
+The `port` option defines the port of the new URL.
 
 ```yaml tab="Docker"
 # Redirect to https
@@ -232,14 +232,6 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
 ```
 
-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectScheme]
-    # ...
-    port = 443
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -250,4 +242,12 @@ http:
         port: "443"
 ```
 
+```toml tab="File (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    # ...
+    port = 443
+```
+
 !!! info "Port in this configuration is a string, not a numeric value."

docs/content/middlewares/replacepath.md

@@ -7,18 +7,18 @@ Updating the Path Before Forwarding the Request
 TODO: add schema
 -->
 
-Replace the path of the request url.
+Replace the path of the request URL.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Replace the path by /foo
+# Replace the path with /foo
 labels:
   - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
 ```yaml tab="Kubernetes"
-# Replace the path by /foo
+# Replace the path with /foo
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -29,7 +29,7 @@ spec:
 ```
 
 ```yaml tab="Consul Catalog"
-# Replace the path by /foo
+# Replace the path with /foo
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
@@ -40,20 +40,13 @@ spec:
 ```
 
 ```yaml tab="Rancher"
-# Replace the path by /foo
+# Replace the path with /foo
 labels:
   - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
-```toml tab="File (TOML)"
-# Replace the path by /foo
-[http.middlewares]
-  [http.middlewares.test-replacepath.replacePath]
-    path = "/foo"
-```
-
 ```yaml tab="File (YAML)"
-# Replace the path by /foo
+# Replace the path with /foo
 http:
   middlewares:
     test-replacepath:
@@ -61,15 +54,22 @@ http:
         path: "/foo"
 ```
 
+```toml tab="File (TOML)"
+# Replace the path with /foo
+[http.middlewares]
+  [http.middlewares.test-replacepath.replacePath]
+    path = "/foo"
+```
+
 ## Configuration Options
 
 ### General
 
 The ReplacePath middleware will:
 
-- replace the actual path by the specified one.
+- replace the actual path with the specified one.
 - store the original path in a `X-Replaced-Path` header.
 
 ### `path`
 
-The `path` option defines the path to use as replacement in the request url.
+The `path` option defines the path to use as replacement in the request URL.

docs/content/middlewares/replacepathregex.md

@@ -7,7 +7,7 @@ Updating the Path Before Forwarding the Request (Using a Regex)
 TODO: add schema
 -->
 
-The ReplaceRegex replace a path from an url to another with regex matching and replacement.
+The ReplaceRegex replaces the path of a URL using regex matching and replacement.
 
 ## Configuration Examples
 
@@ -50,16 +50,8 @@ labels:
   - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```
 
-```toml tab="File (TOML)"
-# Redirect with domain replacement
-[http.middlewares]
-  [http.middlewares.test-replacepathregex.replacePathRegex]
-    regex = "^/foo/(.*)"
-    replacement = "/bar/$1"
-```
-
 ```yaml tab="File (YAML)"
-# Redirect with domain replacement
+# Replace path with regex
 http:
   middlewares:
     test-replacepathregex:
@@ -68,27 +60,35 @@ http:
         replacement: "/bar/$1"
 ```
 
+```toml tab="File (TOML)"
+# Replace path with regex
+[http.middlewares]
+  [http.middlewares.test-replacepathregex.replacePathRegex]
+    regex = "^/foo/(.*)"
+    replacement = "/bar/$1"
+```
+
 ## Configuration Options
 
 ### General
 
 The ReplacePathRegex middleware will:
 
-- replace the matching path by the specified one.
+- replace the matching path with the specified one.
 - store the original path in a `X-Replaced-Path` header.
 
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or [Regex101](https://regex101.com/r/58sIgx/2).
+
 ### `regex`
 
 The `regex` option is the regular expression to match and capture the path from the request URL.
 
+### `replacement`
+
+The `replacement` option defines the replacement path format, which can include captured variables.
+
 !!! warning
 
     Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
-
-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-    
-### `replacement`
-
-The `replacement` option defines how to modify the path to have the new target path.

docs/content/middlewares/retry.md

@@ -7,21 +7,21 @@ Retrying until it Succeeds
 TODO: add schema
 -->
 
-The Retry middleware is in charge of reissuing a request a given number of times to a backend server if that server does not reply.
-To be clear, as soon as the server answers, the middleware stops retrying, regardless of the response status.
-The Retry middleware has an optional configuration for exponential backoff.
+The Retry middleware reissues requests a given number of times to a backend server if that server does not reply.
+As soon as the server answers, the middleware stops retrying, regardless of the response status.
+The Retry middleware has an optional configuration to enable an exponential backoff.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Retry to send request 4 times with exponential backoff
+# Retry 4 times with exponential backoff
 labels:
   - "traefik.http.middlewares.test-retry.retry.attempts=4"
   - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```
 
 ```yaml tab="Kubernetes"
-# Retry to send request 4 times with exponential backoff
+# Retry 4 times with exponential backoff
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -33,7 +33,7 @@ spec:
 ```
 
 ```yaml tab="Consul Catalog"
-# Retry to send request 4 times with exponential backoff
+# Retry 4 times with exponential backoff
 - "traefik.http.middlewares.test-retry.retry.attempts=4"
 - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```
@@ -46,22 +46,14 @@ spec:
 ```
 
 ```yaml tab="Rancher"
-# Retry to send request 4 times with exponential backoff
+# Retry 4 times with exponential backoff
 labels:
   - "traefik.http.middlewares.test-retry.retry.attempts=4"
   - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```
 
-```toml tab="File (TOML)"
-# Retry to send request 4 times
-[http.middlewares]
-  [http.middlewares.test-retry.retry]
-    attempts = 4
-    initialInterval = "100ms"
-```
-
 ```yaml tab="File (YAML)"
-# Retry to send request 4 times with exponential backoff
+# Retry 4 times with exponential backoff
 http:
   middlewares:
     test-retry:
@@ -70,6 +62,14 @@ http:
         initialInterval: 100ms
 ```
 
+```toml tab="File (TOML)"
+# Retry 4 times with exponential backoff
+[http.middlewares]
+  [http.middlewares.test-retry.retry]
+    attempts = 4
+    initialInterval = "100ms"
+```
+
 ## Configuration Options
 
 ### `attempts`
@@ -80,4 +80,7 @@ The `attempts` option defines how many times the request should be retried.
 
 ### `initialInterval`
 
-The `initialInterval` option defines the first wait time in the exponential backoff series (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)). The maximum interval is calculated as twice the `initialInterval`. If unspecified, requests will be retried immediately.
+The `initialInterval` option defines the first wait time in the exponential backoff series. The maximum interval is
+calculated as twice the `initialInterval`. If unspecified, requests will be retried immediately.
+
+The value of initialInterval should be provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).

docs/content/middlewares/stripprefix.md

@@ -47,13 +47,6 @@ labels:
   - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```
 
-```toml tab="File (TOML)"
-# Strip prefix /foobar and /fiibar
-[http.middlewares]
-  [http.middlewares.test-stripprefix.stripPrefix]
-    prefixes = ["/foobar", "/fiibar"]
-```
-
 ```yaml tab="File (YAML)"
 # Strip prefix /foobar and /fiibar
 http:
@@ -65,36 +58,66 @@ http:
           - "/fiibar"
 ```
 
+```toml tab="File (TOML)"
+# Strip prefix /foobar and /fiibar
+[http.middlewares]
+  [http.middlewares.test-stripprefix.stripPrefix]
+    prefixes = ["/foobar", "/fiibar"]
+```
+
 ## Configuration Options
 
 ### General
 
-The StripPrefix middleware will:
-
-- strip the matching path prefix.
-- store the matching path prefix in a `X-Forwarded-Prefix` header.
+The StripPrefix middleware strips the matching path prefix and stores it in a `X-Forwarded-Prefix` header.
 
 !!! tip
-    
-    Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+
+    Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.
 
 ### `prefixes`
 
 The `prefixes` option defines the prefixes to strip from the request URL.
 
-For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.
+For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
 
-Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
-
-If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
-Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
-
-The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
+If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
+Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
 
 ### `forceSlash`
 
 _Optional, Default=true_
 
+The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
+
+This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
+
+It is recommended to explicitly set `forceSlash` to `false`.
+
+??? info "Behavior examples"
+
+    - `forceSlash=true`
+
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | `/`    |
+    | `/foo`     | `/foo`          | `/`    |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | `/`    |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+
+    - `forceSlash=false`
+
+    | Path       | Prefix to strip | Result |
+    |------------|-----------------|--------|
+    | `/`        | `/`             | empty  |
+    | `/foo`     | `/foo`          | empty  |
+    | `/foo/`    | `/foo`          | `/`    |
+    | `/foo/`    | `/foo/`         | empty  |
+    | `/bar`     | `/foo`          | `/bar` |
+    | `/foo/bar` | `/foo`          | `/bar` |
+
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
@@ -126,13 +149,6 @@ labels:
   - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.example.stripPrefix]
-    prefixes = ["/foobar"]
-    forceSlash = false
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -143,32 +159,9 @@ http:
         forceSlash: false
 ```
 
-The `forceSlash` option makes sure that the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
-
-This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
-
-It's recommended to explicitly set `forceSlash` to `false`.
-
-??? info "Behavior examples"
-    
-    - `forceSlash=true`
-    
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | `/`    |
-    | `/foo`     | `/foo`          | `/`    |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | `/`    |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-    
-    - `forceSlash=false`
-    
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | empty  |
-    | `/foo`     | `/foo`          | empty  |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | empty  |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.example.stripPrefix]
+    prefixes = ["/foobar"]
+    forceSlash = false
+```

docs/content/middlewares/stripprefixregex.md

@@ -38,12 +38,6 @@ labels:
   - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
 
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-stripprefixregex.stripPrefixRegex]
-    regex = ["/foo/[a-z0-9]+/[0-9]+/"]
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -53,18 +47,21 @@ http:
           - "/foo/[a-z0-9]+/[0-9]+/"
 ```
 
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-stripprefixregex.stripPrefixRegex]
+    regex = ["/foo/[a-z0-9]+/[0-9]+/"]
+```
+
 ## Configuration Options
 
 ### General
 
-The StripPrefixRegex middleware will:
-
-- strip the matching path prefix.
-- store the matching path prefix in a `X-Forwarded-Prefix` header.
+The StripPrefixRegex middleware strips the matching path prefix and stores it in a `X-Forwarded-Prefix` header.
 
 !!! tip
-    
-    Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+
+    Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.
 
 ### `regex`
 
@@ -74,12 +71,7 @@ The `regex` option is the regular expression to match the path prefix from the r
 
     Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
 
-For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
+For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
 
-Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.  
-
-If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
-
-Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
-
-The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
+If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
+Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).

docs/content/migration/v1-to-v2.md

@@ -68,27 +68,27 @@ Then any router can refer to an instance of the wanted middleware.
       [frontends.frontend1]
         entryPoints = ["http"]
         backend = "backend1"
-    
+
         [frontends.frontend1.routes]
           [frontends.frontend1.routes.route0]
             rule = "Host:test.localhost"
           [frontends.frontend1.routes.route0]
             rule = "PathPrefix:/test"
-        
+
         [frontends.frontend1.auth]
           [frontends.frontend1.auth.basic]
             users = [
               "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
               "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
             ]
-    
+
     [backends]
       [backends.backend1]
         [backends.backend1.servers.server0]
           url = "http://10.10.10.1:80"
         [backends.backend1.servers.server1]
           url = "http://10.10.10.2:80"
-    
+
         [backends.backend1.loadBalancer]
           method = "wrr"
     ```
@@ -110,19 +110,19 @@ Then any router can refer to an instance of the wanted middleware.
     metadata:
       name: basicauth
       namespace: foo
-    
+
     spec:
       basicAuth:
         users:
           - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
           - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
-    
+
     ---
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
       name: ingressroutebar
-    
+
     spec:
       entryPoints:
         - http
@@ -139,27 +139,6 @@ Then any router can refer to an instance of the wanted middleware.
           namespace: foo
     ```
 
-    ```toml tab="File (TOML)"
-    [http.routers]
-      [http.routers.router0]
-        rule = "Host(`test.localhost`) && PathPrefix(`/test`)"
-        middlewares = ["auth"]
-        service = "my-service"
-    
-    [http.services]
-      [[http.services.my-service.loadBalancer.servers]]
-        url = "http://10.10.10.1:80"
-      [[http.services.my-service.loadBalancer.servers]]
-        url = "http://10.10.10.2:80"
-    
-    [http.middlewares]
-      [http.middlewares.auth.basicAuth]
-        users = [
-          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-        ]
-    ```
-
     ```yaml tab="File (YAML)"
     http:
       routers:
@@ -168,14 +147,14 @@ Then any router can refer to an instance of the wanted middleware.
           service: my-service
           middlewares:
             - auth
-    
+
       services:
         my-service:
           loadBalancer:
             servers:
               - url: http://10.10.10.1:80
               - url: http://10.10.10.2:80
-    
+
       middlewares:
         auth:
           basicAuth:
@@ -184,6 +163,27 @@ Then any router can refer to an instance of the wanted middleware.
               - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
     ```
 
+    ```toml tab="File (TOML)"
+    [http.routers]
+      [http.routers.router0]
+        rule = "Host(`test.localhost`) && PathPrefix(`/test`)"
+        middlewares = ["auth"]
+        service = "my-service"
+
+    [http.services]
+      [[http.services.my-service.loadBalancer.servers]]
+        url = "http://10.10.10.1:80"
+      [[http.services.my-service.loadBalancer.servers]]
+        url = "http://10.10.10.2:80"
+
+    [http.middlewares]
+      [http.middlewares.auth.basicAuth]
+        users = [
+          "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+        ]
+    ```
+
 ## TLS Configuration is Now Dynamic, per Router.
 
 TLS parameters used to be specified in the static configuration, as an entryPoint field.
@@ -193,13 +193,13 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 !!! example "TLS on websecure entryPoint becomes TLS option on Router-1"
 
     !!! info "v1"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     [entryPoints]
       [entryPoints.websecure]
         address = ":443"
-    
+
         [entryPoints.websecure.tls]
           minVersion = "VersionTLS12"
           cipherSuites = [
@@ -221,33 +221,6 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 
     !!! info "v2"
 
-    ```toml tab="File (TOML)"
-    # dynamic configuration
-    [http.routers]
-      [http.routers.Router-1]
-        rule = "Host(`example.com`)"
-        service = "service-id"
-        # will terminate the TLS request
-        [http.routers.Router-1.tls]
-          options = "myTLSOptions"
-    
-    [[tls.certificates]]
-      certFile = "/path/to/domain.cert"
-      keyFile = "/path/to/domain.key"
-    
-    [tls.options]
-      [tls.options.myTLSOptions]
-        minVersion = "VersionTLS12"
-        cipherSuites = [
-          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-        ]
-    ```
-
     ```yaml tab="File (YAML)"
     http:
       routers:
@@ -257,7 +230,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
           # will terminate the TLS request
           tls:
             options: myTLSOptions
-    
+
     tls:
       certificates:
         - certFile: /path/to/domain.cert
@@ -273,6 +246,33 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 	        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     ```
 
+    ```toml tab="File (TOML)"
+    # dynamic configuration
+    [http.routers]
+      [http.routers.Router-1]
+        rule = "Host(`example.com`)"
+        service = "service-id"
+        # will terminate the TLS request
+        [http.routers.Router-1.tls]
+          options = "myTLSOptions"
+
+    [[tls.certificates]]
+      certFile = "/path/to/domain.cert"
+      keyFile = "/path/to/domain.key"
+
+    [tls.options]
+      [tls.options.myTLSOptions]
+        minVersion = "VersionTLS12"
+        cipherSuites = [
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        ]
+    ```
+
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
     # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
@@ -281,7 +281,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
     metadata:
       name: mytlsoption
       namespace: default
-    
+
     spec:
       minVersion: VersionTLS12
       cipherSuites:
@@ -290,13 +290,13 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 	    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 	    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 	    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-    
+
     ---
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
       name: ingressroutebar
-    
+
     spec:
       entryPoints:
         - web
@@ -322,7 +322,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 ## HTTP to HTTPS Redirection is Now Configured on Routers
 
 Previously on Traefik v1, the redirection was applied on an entry point or on a frontend.
-With Traefik v2 it is applied on an entry point or a [Router](../routing/routers/index.md). 
+With Traefik v2 it is applied on an entry point or a [Router](../routing/routers/index.md).
 
 To apply a redirection:
 
@@ -332,11 +332,11 @@ To apply a redirection:
 !!! example "Global HTTP to HTTPS redirection"
 
     !!! info "v1"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     defaultEntryPoints = ["web", "websecure"]
-    
+
     [entryPoints]
       [entryPoints.web]
         address = ":80"
@@ -354,35 +354,11 @@ To apply a redirection:
     ```
 
     !!! info "v2"
-    
-    ```bash tab="CLI"
-    ## static configuration
-    
-    --entrypoints.web.address=:80
-    --entrypoints.web.http.redirections.entrypoint.to=websecure
-    --entrypoints.web.http.redirections.entrypoint.scheme=https
-    --entrypoints.websecure.address=:443
-    --providers.docker=true
-    ```
-    
-    ```toml tab="File (TOML)"
-    # traefik.toml
-    ## static configuration
-    
-    [entryPoints.web]
-      address = ":80"
-      [entryPoints.web.http.redirections.entryPoint]
-        to = "websecure"
-        scheme = "https"
-   
-    [entryPoints.websecure]
-      address = ":443"
-    ```
-    
+
     ```yaml tab="File (YAML)"
-    # traefik.yaml
+    # traefik.yml
     ## static configuration
-    
+
     entryPoints:
       web:
         address: ":80"
@@ -391,15 +367,39 @@ To apply a redirection:
             entrypoint:
               to: websecure
               scheme: https
-    
+
       websecure:
         address: ":443"
     ```
 
+    ```toml tab="File (TOML)"
+    # traefik.toml
+    ## static configuration
+
+    [entryPoints.web]
+      address = ":80"
+      [entryPoints.web.http.redirections.entryPoint]
+        to = "websecure"
+        scheme = "https"
+
+    [entryPoints.websecure]
+      address = ":443"
+    ```
+
+    ```bash tab="CLI"
+    ## static configuration
+
+    --entrypoints.web.address=:80
+    --entrypoints.web.http.redirections.entrypoint.to=websecure
+    --entrypoints.web.http.redirections.entrypoint.scheme=https
+    --entrypoints.websecure.address=:443
+    --providers.docker=true
+    ```
+
 !!! example "HTTP to HTTPS redirection per domain"
 
     !!! info "v1"
-    
+
     ```toml tab="File (TOML)"
     [entryPoints]
       [entryPoints.web]
@@ -408,9 +408,9 @@ To apply a redirection:
       [entryPoints.websecure]
         address = ":443"
         [entryPoints.websecure.tls]
-    
+
     [file]
-    
+
     [frontends]
       [frontends.frontend1]
         entryPoints = ["web", "websecure"]
@@ -428,11 +428,11 @@ To apply a redirection:
       traefik.http.routers.app.rule: Host(`example.net`)
       traefik.http.routers.app.entrypoints: web
       traefik.http.routers.app.middlewares: https_redirect
-    
+
       traefik.http.routers.appsecured.rule: Host(`example.net`)
       traefik.http.routers.appsecured.entrypoints: websecure
       traefik.http.routers.appsecured.tls: true
-    
+
       traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
       traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
     ```
@@ -441,8 +441,8 @@ To apply a redirection:
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
-      name: http-redirect-ingressRoute
-    
+      name: http-redirect-ingressroute
+
     spec:
       entryPoints:
         - web
@@ -454,13 +454,13 @@ To apply a redirection:
               port: 80
           middlewares:
             - name: https-redirect
-    
+
     ---
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
-      name: https-ingressRoute
-    
+      name: https-ingressroute
+
     spec:
       entryPoints:
         - websecure
@@ -471,7 +471,7 @@ To apply a redirection:
             - name: whoami
               port: 80
       tls: {}
-      
+
     ---
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
@@ -483,33 +483,10 @@ To apply a redirection:
         permanent: true
     ```
 
-    ```toml tab="File (TOML)"
-    ## dynamic configuration
-    # dynamic-conf.toml
-    
-    [http.routers]
-      [http.routers.router0]
-        rule = "Host(`example.net`)"
-        service = "my-service"
-        entrypoints = ["web"]
-        middlewares = ["https_redirect"]
-    
-    [http.routers.router1]
-        rule = "Host(`example.net`)"
-        service = "my-service"
-        entrypoints = ["websecure"]
-        [http.routers.router1.tls]
-    
-    [http.middlewares]
-      [http.middlewares.https_redirect.redirectScheme]
-        scheme = "https"
-        permanent = true
-    ```
-
     ```yaml tab="File (YAML)"
     ## dynamic configuration
     # dynamic-conf.yml
-    
+
     http:
       routers:
         router0:
@@ -519,14 +496,14 @@ To apply a redirection:
           middlewares:
             - https_redirect
           service: my-service
-    
+
         router1:
           rule: "Host(`example.net`)"
           entryPoints:
             - websecure
           service: my-service
           tls: {}
-    
+
       middlewares:
         https-redirect:
           redirectScheme:
@@ -534,6 +511,29 @@ To apply a redirection:
             permanent: true
     ```
 
+    ```toml tab="File (TOML)"
+    ## dynamic configuration
+    # dynamic-conf.toml
+
+    [http.routers]
+      [http.routers.router0]
+        rule = "Host(`example.net`)"
+        service = "my-service"
+        entrypoints = ["web"]
+        middlewares = ["https_redirect"]
+
+    [http.routers.router1]
+        rule = "Host(`example.net`)"
+        service = "my-service"
+        entrypoints = ["websecure"]
+        [http.routers.router1.tls]
+
+    [http.middlewares]
+      [http.middlewares.https_redirect.redirectScheme]
+        scheme = "https"
+        permanent = true
+    ```
+
 ## Strip and Rewrite Path Prefixes
 
 With the new core notions of v2 (introduced earlier in the section
@@ -595,7 +595,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
-      name: http-redirect-ingressRoute
+      name: http-redirect-ingressroute
       namespace: admin-web
     spec:
       entryPoints:
@@ -619,23 +619,6 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
           - /admin
     ```
 
-    ```toml tab="File (TOML)"
-    ## Dynamic configuration
-    # dynamic-conf.toml
-
-    [http.routers.router1]
-        rule = "Host(`example.org`) && PathPrefix(`/admin`)"
-        service = "admin-svc"
-        entrypoints = ["web"]
-        middlewares = ["admin-stripprefix"]
-
-    [http.middlewares]
-      [http.middlewares.admin-stripprefix.stripPrefix]
-      prefixes = ["/admin"]
-    
-    # ...
-    ```
-
     ```yaml tab="File (YAML)"
     ## Dynamic Configuration
     # dynamic-conf.yml
@@ -652,12 +635,29 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       middlewares:
         admin-stripprefix:
           stripPrefix:
-            prefixes: 
+            prefixes:
             - "/admin"
 
     # ...
     ```
 
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    # dynamic-conf.toml
+
+    [http.routers.router1]
+        rule = "Host(`example.org`) && PathPrefix(`/admin`)"
+        service = "admin-svc"
+        entrypoints = ["web"]
+        middlewares = ["admin-stripprefix"]
+
+    [http.middlewares]
+      [http.middlewares.admin-stripprefix.stripPrefix]
+      prefixes = ["/admin"]
+
+    # ...
+    ```
+
 ??? question "What About Other Path Transformations?"
 
     Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/stripprefix/), you can also:
@@ -674,11 +674,11 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 !!! example "ACME from provider to a specific Certificate Resolver"
 
     !!! info "v1"
-    
+
     ```toml tab="File (TOML)"
     # static configuration
     defaultEntryPoints = ["websecure","web"]
-    
+
     [entryPoints.web]
     address = ":80"
       [entryPoints.web.redirect]
@@ -686,7 +686,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     [entryPoints.websecure]
       address = ":443"
       [entryPoints.websecure.tls]
-    
+
     [acme]
       email = "your-email-here@example.com"
       storage = "acme.json"
@@ -708,34 +708,17 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 
     !!! info "v2"
 
-    ```toml tab="File (TOML)"
-    # static configuration
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-    
-      [entryPoints.websecure]
-        address = ":443"
-      [entryPoints.websecure.http.tls]
-        certResolver = "myresolver"
-    
-    [certificatesResolvers.myresolver.acme]
-      email = "your-email@example.com"
-      storage = "acme.json"
-      [certificatesResolvers.myresolver.acme.tlsChallenge]
-    ```
-
     ```yaml tab="File (YAML)"
     entryPoints:
       web:
         address: ":80"
-    
+
       websecure:
         address: ":443"
         http:
           tls:
             certResolver: myresolver
-    
+
     certificatesResolvers:
       myresolver:
         acme:
@@ -744,6 +727,23 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
           tlsChallenge: {}
     ```
 
+    ```toml tab="File (TOML)"
+    # static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+      [entryPoints.websecure.http.tls]
+        certResolver = "myresolver"
+
+    [certificatesResolvers.myresolver.acme]
+      email = "your-email@example.com"
+      storage = "acme.json"
+      [certificatesResolvers.myresolver.acme.tlsChallenge]
+    ```
+
     ```bash tab="CLI"
     --entrypoints.web.address=:80
     --entrypoints.websecure.address=:443
@@ -764,7 +764,7 @@ There is no more log configuration at the root level.
     ```toml tab="File (TOML)"
     # static configuration
     logLevel = "DEBUG"
-    
+
     [traefikLog]
       filePath = "/path/to/traefik.log"
       format   = "json"
@@ -778,14 +778,6 @@ There is no more log configuration at the root level.
 
     !!! info "v2"
 
-    ```toml tab="File (TOML)"
-    # static configuration
-    [log]
-      level = "DEBUG"
-      filePath = "/path/to/log-file.log"
-      format = "json"
-    ```
-
     ```yaml tab="File (YAML)"
     # static configuration
     log:
@@ -794,6 +786,14 @@ There is no more log configuration at the root level.
       format: json
     ```
 
+    ```toml tab="File (TOML)"
+    # static configuration
+    [log]
+      level = "DEBUG"
+      filePath = "/path/to/log-file.log"
+      format = "json"
+    ```
+
     ```bash tab="CLI"
     --log.level=DEBUG
     --log.filePath=/path/to/traefik.log
@@ -838,17 +838,6 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
 
     !!! info "v2"
 
-    ```toml tab="File (TOML)"
-    # static configuration
-    [tracing]
-      servicename = "tracing"
-      [tracing.jaeger]
-        samplingParam = 1.0
-        samplingServerURL = "http://12.0.0.1:5778/sampling"
-        samplingType = "const"
-        localAgentHostPort = "12.0.0.1:6831"
-    ```
-
     ```yaml tab="File (YAML)"
     # static configuration
     tracing:
@@ -860,6 +849,17 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
         localAgentHostPort: '12.0.0.1:6831'
     ```
 
+    ```toml tab="File (TOML)"
+    # static configuration
+    [tracing]
+      servicename = "tracing"
+      [tracing.jaeger]
+        samplingParam = 1.0
+        samplingServerURL = "http://12.0.0.1:5778/sampling"
+        samplingType = "const"
+        localAgentHostPort = "12.0.0.1:6831"
+    ```
+
     ```bash tab="CLI"
     --tracing.servicename=tracing
     --tracing.jaeger.localagenthostport=12.0.0.1:6831
@@ -891,13 +891,6 @@ For a basic configuration, the [metrics configuration](../observability/metrics/
 
     !!! info "v2"
 
-    ```toml tab="File (TOML)"
-    # static configuration
-    [metrics.prometheus]
-      buckets = [0.1,0.3,1.2,5.0]
-      entryPoint = "metrics"
-    ```
-
     ```yaml tab="File (YAML)"
     # static configuration
     metrics:
@@ -910,6 +903,13 @@ For a basic configuration, the [metrics configuration](../observability/metrics/
         entryPoint: metrics
     ```
 
+    ```toml tab="File (TOML)"
+    # static configuration
+    [metrics.prometheus]
+      buckets = [0.1,0.3,1.2,5.0]
+      entryPoint = "metrics"
+    ```
+
     ```bash tab="CLI"
     --metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
     --metrics.prometheus.entrypoint=metrics
@@ -955,43 +955,43 @@ Each root item has been moved to a related section or removed.
 
     !!! info "v2"
 
-    ```toml tab="File (TOML)"
-    # static configuration
-    [global]
-      checkNewVersion = true
-      sendAnonymousUsage = true
-    
-    [log]
-      level = "DEBUG"
-    
-    [serversTransport]
-      insecureSkipVerify = true
-      rootCAs = [ "/mycert.cert" ]
-      maxIdleConnsPerHost = 42
-    
-    [providers]
-      providersThrottleDuration = 42
-    ```
-
     ```yaml tab="File (YAML)"
     # static configuration
     global:
       checkNewVersion: true
       sendAnonymousUsage: true
-    
+
     log:
       level: DEBUG
-    
+
     serversTransport:
       insecureSkipVerify: true
       rootCAs:
         - /mycert.cert
       maxIdleConnsPerHost: 42
-    
+
     providers:
       providersThrottleDuration: 42
     ```
 
+    ```toml tab="File (TOML)"
+    # static configuration
+    [global]
+      checkNewVersion = true
+      sendAnonymousUsage = true
+
+    [log]
+      level = "DEBUG"
+
+    [serversTransport]
+      insecureSkipVerify = true
+      rootCAs = [ "/mycert.cert" ]
+      maxIdleConnsPerHost = 42
+
+    [providers]
+      providersThrottleDuration = 42
+    ```
+
     ```bash tab="CLI"
     --global.checknewversion=true
     --global.sendanonymoususage=true
@@ -1018,7 +1018,7 @@ To activate the dashboard, you can either:
     ```toml tab="File (TOML)"
     ## static configuration
     # traefik.toml
-    
+
     [entryPoints.websecure]
       address = ":443"
       [entryPoints.websecure.tls]
@@ -1027,7 +1027,7 @@ To activate the dashboard, you can either:
           users = [
             "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
           ]
-    
+
     [api]
       entryPoint = "websecure"
     ```
@@ -1050,55 +1050,25 @@ To activate the dashboard, you can either:
       - "traefik.http.middlewares.myAuth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
     ```
 
-    ```toml tab="File (TOML)"
-    ## static configuration
-    # traefik.toml
-    
-    [entryPoints.websecure]
-      address = ":443"
-    
-    [api]
-    
-    [providers.file]
-      directory = "/path/to/dynamic/config"
-    
-    ##---------------------##
-    
-    ## dynamic configuration
-    # /path/to/dynamic/config/dynamic-conf.toml
-    
-    [http.routers.api]
-      rule = "Host(`traefik.docker.localhost`)"
-      entrypoints = ["websecure"]
-      service = "api@internal"
-      middlewares = ["myAuth"]
-      [http.routers.api.tls]
-    
-    [http.middlewares.myAuth.basicAuth]
-      users = [
-        "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-      ]
-    ```
-
     ```yaml tab="File (YAML)"
     ## static configuration
-    # traefik.yaml
-    
+    # traefik.yml
+
     entryPoints:
       websecure:
         address: ':443'
-        
+
     api: {}
-    
+
     providers:
       file:
         directory: /path/to/dynamic/config
-   
+
     ##---------------------##
-    
+
     ## dynamic configuration
-    # /path/to/dynamic/config/dynamic-conf.yaml
-    
+    # /path/to/dynamic/config/dynamic-conf.yml
+
      http:
       routers:
         api:
@@ -1109,7 +1079,7 @@ To activate the dashboard, you can either:
           middlewares:
             - myAuth
           tls: {}
-          
+
       middlewares:
         myAuth:
           basicAuth:
@@ -1117,6 +1087,36 @@ To activate the dashboard, you can either:
               - 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
     ```
 
+    ```toml tab="File (TOML)"
+    ## static configuration
+    # traefik.toml
+
+    [entryPoints.websecure]
+      address = ":443"
+
+    [api]
+
+    [providers.file]
+      directory = "/path/to/dynamic/config"
+
+    ##---------------------##
+
+    ## dynamic configuration
+    # /path/to/dynamic/config/dynamic-conf.toml
+
+    [http.routers.api]
+      rule = "Host(`traefik.docker.localhost`)"
+      entrypoints = ["websecure"]
+      service = "api@internal"
+      middlewares = ["myAuth"]
+      [http.routers.api.tls]
+
+    [http.middlewares.myAuth.basicAuth]
+      users = [
+        "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+      ]
+    ```
+
 ## Providers
 
 Supported [providers](../providers/overview.md), for now:

docs/content/migration/v2.md

@@ -8,7 +8,7 @@ In v2.1, a new Kubernetes CRD called `TraefikService` was added.
 While updating an installation to v2.1,
 one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
 
-To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
+To add that CRD and enhance the permissions, the following definitions need to be applied to the cluster.
 
 ```yaml tab="TraefikService"
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -87,7 +87,7 @@ In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
 While updating an installation to v2.2,
 one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
 
-To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster.
+To add that CRDs and enhance the permissions, the following definitions need to be applied to the cluster.
 
 ```yaml tab="TLSStore"
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -189,7 +189,7 @@ metadata:
 
 spec:
   tls:
-  - secretName: myTlsSecret
+  - secretName: my-tls-secret
 
   rules:
   - host: example.com
@@ -256,7 +256,7 @@ metadata:
 
 spec:
   tls:
-  - secretName: myTlsSecret
+  - secretName: my-tls-secret
 
   rules:
   - host: example.com
@@ -336,3 +336,42 @@ The file parser has been changed, since v2.3 the unknown options/fields in a dyn
 
 In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
 In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated. 
+
+## v2.3 to v2.4
+
+### ServersTransport
+
+In `v2.4.0`, the support of `ServersTransport` has been introduced.
+It is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) definitions.
+
+## v2.4.7 to v2.4.8
+
+### Non-ASCII Domain Names
+
+In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
+and in TCP router rule `HostSNI` expression.
+This check ensures that provided domain names don't contain non-ASCII characters. 
+If not, an error is raised, and the associated router will be shown as invalid in the dashboard.
+
+This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
+It doesn't change the support for non-ASCII domain names in routers rules, which is not part of the Traefik feature set so far.
+
+In order to use non-ASCII domain names in a router's rule, one should use the Punycode form of the domain name.
+For more information, please read the [HTTP routers rule](../routing/routers/index.md#rule) part or [TCP router rules](../routing/routers/index.md#rule_1) part of the documentation.
+
+## v2.4.8 to v2.4.9
+
+### Tracing Span
+
+In `v2.4.9`, we changed span error to log only server errors (>= 500).
+
+## v2.4.9 to v2.4.10
+
+### K8S CrossNamespace
+
+In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
+
+### K8S ExternalName Service
+
+In `v2.4.10`, by default, it is no longer authorized to reference Kubernetes ExternalName services.
+To allow it, the `allowExternalNameServices` option should be set to `true`.

docs/content/observability/access-logs.md

@@ -5,18 +5,18 @@ Who Calls Whom?
 
 By default, logs are written to stdout, in text format.
 
-## Configuration 
+## Configuration
 
 To enable the access logs:
 
-```toml tab="File (TOML)"
-[accessLog]
-```
-
 ```yaml tab="File (YAML)"
 accessLog: {}
 ```
 
+```toml tab="File (TOML)"
+[accessLog]
+```
+
 ```bash tab="CLI"
 --accesslog=true
 ```
@@ -26,28 +26,28 @@ accessLog: {}
 By default access logs are written to the standard output.
 To write the logs into a log file, use the `filePath` option.
 
-```toml tab="File (TOML)"
-[accessLog]
-  filePath = "/path/to/access.log"
-```
-
 ```yaml tab="File (YAML)"
 accessLog:
   filePath: "/path/to/access.log"
 ```
 
+```toml tab="File (TOML)"
+[accessLog]
+  filePath = "/path/to/access.log"
+```
+
 ```bash tab="CLI"
 --accesslog.filepath=/path/to/access.log
 ```
 
 ### `format`
- 
+
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
 If the given format is unsupported, the default (CLF) is used instead.
 
 !!! info "Common Log Format"
-    
+
     ```html
     <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
@@ -58,13 +58,6 @@ To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.
 This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
 In some cases, this option can greatly help performances.
 
-```toml tab="File (TOML)"
-# Configuring a buffer of 100 lines
-[accessLog]
-  filePath = "/path/to/access.log"
-  bufferingSize = 100
-```
-
 ```yaml tab="File (YAML)"
 # Configuring a buffer of 100 lines
 accessLog:
@@ -72,6 +65,13 @@ accessLog:
   bufferingSize: 100
 ```
 
+```toml tab="File (TOML)"
+# Configuring a buffer of 100 lines
+[accessLog]
+  filePath = "/path/to/access.log"
+  bufferingSize = 100
+```
+
 ```bash tab="CLI"
 # Configuring a buffer of 100 lines
 --accesslog.filepath=/path/to/access.log
@@ -80,40 +80,40 @@ accessLog:
 
 ### Filtering
 
-To filter logs, you can specify a set of filters which are logically "OR-connected". 
+To filter logs, you can specify a set of filters which are logically "OR-connected".
 Thus, specifying multiple filters will keep more access logs than specifying only one.
 
-The available filters are: 
+The available filters are:
 
 - `statusCodes`, to limit the access logs to requests with a status codes in the specified range
 - `retryAttempts`, to keep the access logs when at least one retry has happened
 - `minDuration`, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration))
 
+```yaml tab="File (YAML)"
+# Configuring Multiple Filters
+accessLog:
+  filePath: "/path/to/access.log"
+  format: json
+  filters:
+    statusCodes:
+      - "200"
+      - "300-302"
+    retryAttempts: true
+    minDuration: "10ms"
+```
+
 ```toml tab="File (TOML)"
 # Configuring Multiple Filters
 [accessLog]
   filePath = "/path/to/access.log"
   format = "json"
 
-  [accessLog.filters]    
+  [accessLog.filters]
     statusCodes = ["200", "300-302"]
     retryAttempts = true
     minDuration = "10ms"
 ```
 
-```yaml tab="File (YAML)"
-# Configuring Multiple Filters
-accessLog:
-  filePath: "/path/to/access.log"
-  format: json
-  filters:    
-    statusCodes:
-      - "200"
-      - "300-302"
-    retryAttempts: true
-    minDuration: "10ms"
-```
-
 ```bash tab="CLI"
 # Configuring Multiple Filters
 --accesslog.filepath=/path/to/access.log
@@ -135,27 +135,9 @@ Each field can be set to:
 
 The `defaultMode` for `fields.headers` is `drop`.
 
-```toml tab="File (TOML)"
-# Limiting the Logs to Specific Fields
-[accessLog]
-  filePath = "/path/to/access.log"
-  format = "json"
-
   [accessLog.fields]
     defaultMode = "keep"
 
-    [accessLog.fields.names]
-      "ClientUsername" = "drop"
-
-    [accessLog.fields.headers]
-      defaultMode = "keep"
-  
-      [accessLog.fields.headers.names]
-        "User-Agent" = "redact"
-        "Authorization" = "drop"
-        "Content-Type" = "keep"
-```
-
 ```yaml tab="File (YAML)"
 # Limiting the Logs to Specific Fields
 accessLog:
@@ -173,6 +155,24 @@ accessLog:
           Content-Type: keep
 ```
 
+```toml tab="File (TOML)"
+# Limiting the Logs to Specific Fields
+[accessLog]
+  filePath = "/path/to/access.log"
+  format = "json"
+
+    [accessLog.fields.names]
+      "ClientUsername" = "drop"
+
+    [accessLog.fields.headers]
+      defaultMode = "keep"
+
+      [accessLog.fields.headers.names]
+        "User-Agent" = "redact"
+        "Authorization" = "drop"
+        "Content-Type" = "keep"
+```
+
 ```bash tab="CLI"
 # Limiting the Logs to Specific Fields
 --accesslog.filepath=/path/to/access.log

docs/content/observability/logs.md

@@ -16,18 +16,18 @@ Traefik logs concern everything that happens to Traefik itself (startup, configu
 By default, the logs are written to the standard output.
 You can configure a file path instead using the `filePath` option.
 
-```toml tab="File (TOML)"
-# Writing Logs to a File
-[log]
-  filePath = "/path/to/traefik.log"
-```
-
 ```yaml tab="File (YAML)"
 # Writing Logs to a File
 log:
   filePath: "/path/to/traefik.log"
 ```
 
+```toml tab="File (TOML)"
+# Writing Logs to a File
+[log]
+  filePath = "/path/to/traefik.log"
+```
+
 ```bash tab="CLI"
 # Writing Logs to a File
 --log.filePath=/path/to/traefik.log
@@ -35,14 +35,7 @@ log:
 
 #### `format`
 
-By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.   
-
-```toml tab="File (TOML)"
-# Writing Logs to a File, in JSON
-[log]
-  filePath = "/path/to/log-file.log"
-  format = "json"
-```
+By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.
 
 ```yaml tab="File (YAML)"
 # Writing Logs to a File, in JSON
@@ -51,6 +44,13 @@ log:
   format: json
 ```
 
+```toml tab="File (TOML)"
+# Writing Logs to a File, in JSON
+[log]
+  filePath = "/path/to/log-file.log"
+  format = "json"
+```
+
 ```bash tab="CLI"
 # Writing Logs to a File, in JSON
 --log.filePath=/path/to/traefik.log
@@ -59,18 +59,18 @@ log:
 
 #### `level`
 
-By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`. 
-
-```toml tab="File (TOML)"
-[log]
-  level = "DEBUG"
-```
+By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.
 
 ```yaml tab="File (YAML)"
 log:
   level: DEBUG
 ```
 
+```toml tab="File (TOML)"
+[log]
+  level = "DEBUG"
+```
+
 ```bash tab="CLI"
 --log.level=DEBUG
 ```

docs/content/observability/metrics/datadog.md

@@ -2,16 +2,16 @@
 
 To enable the Datadog:
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.datadog]
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   datadog: {}
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+```
+
 ```bash tab="CLI"
 --metrics.datadog=true
 ```
@@ -22,18 +22,18 @@ _Required, Default="127.0.0.1:8125"_
 
 Address instructs exporter to send metrics to datadog-agent at this address.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.datadog]
-    address = "127.0.0.1:8125"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   datadog:
     address: 127.0.0.1:8125
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    address = "127.0.0.1:8125"
+```
+
 ```bash tab="CLI"
 --metrics.datadog.address=127.0.0.1:8125
 ```
@@ -44,18 +44,18 @@ _Optional, Default=true_
 
 Enable metrics on entry points.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.datadog]
-    addEntryPointsLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   datadog:
     addEntryPointsLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    addEntryPointsLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.datadog.addEntryPointsLabels=true
 ```
@@ -66,18 +66,18 @@ _Optional, Default=true_
 
 Enable metrics on services.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.datadog]
-    addServicesLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   datadog:
     addServicesLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    addServicesLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.datadog.addServicesLabels=true
 ```
@@ -88,18 +88,18 @@ _Optional, Default=10s_
 
 The interval used by the exporter to push metrics to datadog-agent.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.datadog]
-    pushInterval = 10s
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   datadog:
     pushInterval: 10s
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    pushInterval = 10s
+```
+
 ```bash tab="CLI"
 --metrics.datadog.pushInterval=10s
 ```

docs/content/observability/metrics/influxdb.md

@@ -2,16 +2,16 @@
 
 To enable the InfluxDB:
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB: {}
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+```
+
 ```bash tab="CLI"
 --metrics.influxdb=true
 ```
@@ -22,18 +22,18 @@ _Required, Default="localhost:8089"_
 
 Address instructs exporter to send metrics to influxdb at this address.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    address = "localhost:8089"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     address: localhost:8089
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    address = "localhost:8089"
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.address=localhost:8089
 ```
@@ -44,18 +44,18 @@ _Required, Default="udp"_
 
 InfluxDB's address protocol (udp or http).
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    protocol = "udp"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     protocol: udp
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    protocol = "udp"
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.protocol=udp
 ```
@@ -66,18 +66,18 @@ _Optional, Default=""_
 
 InfluxDB database used when protocol is http.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    database = "db"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     database: "db"
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    database = "db"
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.database=db
 ```
@@ -88,18 +88,18 @@ _Optional, Default=""_
 
 InfluxDB retention policy used when protocol is http.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    retentionPolicy = "two_hours"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     retentionPolicy: "two_hours"
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    retentionPolicy = "two_hours"
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.retentionPolicy=two_hours
 ```
@@ -110,18 +110,18 @@ _Optional, Default=""_
 
 InfluxDB username (only with http).
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    username = "john"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     username: "john"
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    username = "john"
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.username=john
 ```
@@ -132,18 +132,18 @@ _Optional, Default=""_
 
 InfluxDB password (only with http).
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    password = "secret"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     password: "secret"
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    password = "secret"
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.password=secret
 ```
@@ -154,18 +154,18 @@ _Optional, Default=true_
 
 Enable metrics on entry points.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addEntryPointsLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     addEntryPointsLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    addEntryPointsLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.addEntryPointsLabels=true
 ```
@@ -176,18 +176,18 @@ _Optional, Default=true_
 
 Enable metrics on services.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addServicesLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     addServicesLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    addServicesLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.addServicesLabels=true
 ```
@@ -198,18 +198,18 @@ _Optional, Default=10s_
 
 The interval used by the exporter to push metrics to influxdb.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    pushInterval = 10s
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     pushInterval: 10s
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    pushInterval = 10s
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.pushInterval=10s
 ```

docs/content/observability/metrics/overview.md

@@ -1,6 +1,4 @@
 # Metrics
-Metrics system
-{: .subtitle }
 
 Traefik supports 4 metrics backends:
 
@@ -13,14 +11,317 @@ Traefik supports 4 metrics backends:
 
 To enable metrics:
 
-```toml tab="File (TOML)"
-[metrics]
-```
-
 ```yaml tab="File (YAML)"
 metrics: {}
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+```
+
 ```bash tab="CLI"
 --metrics=true
 ```
+
+## Server Metrics
+
+| Metric                                                                  | DataDog | InfluxDB | Prometheus | StatsD |
+|-------------------------------------------------------------------------|---------|----------|------------|--------|
+| [Configuration reloads](#configuration-reloads)                         | ✓       | ✓        | ✓          | ✓      |
+| [Configuration reload failures](#configuration-reload-failures)         | ✓       | ✓        | ✓          | ✓      |
+| [Last Configuration Reload Success](#last-configuration-reload-success) | ✓       | ✓        | ✓          | ✓      |
+| [Last Configuration Reload Failure](#last-configuration-reload-failure) | ✓       | ✓        | ✓          | ✓      |
+
+### Configuration Reloads
+The total count of configuration reloads.
+
+```dd tab="Datadog"
+config.reload.total
+```
+
+```influxdb tab="InfluDB"
+traefik.config.reload.total
+```
+
+```prom tab="Prometheus"
+traefik_config_reloads_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.config.reload.total
+```
+
+### Configuration Reload Failures
+The total count of configuration reload failures.
+
+```dd tab="Datadog"
+config.reload.total (with tag "failure" to true)
+```
+
+```influxdb tab="InfluDB"
+traefik.config.reload.total.failure
+```
+
+```prom tab="Prometheus"
+traefik_config_reloads_failure_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.config.reload.total.failure
+```
+
+### Last Configuration Reload Success
+The timestamp of the last configuration reload success.
+
+```dd tab="Datadog"
+config.reload.lastSuccessTimestamp
+```
+
+```influxdb tab="InfluDB"
+traefik.config.reload.lastSuccessTimestamp
+```
+
+```prom tab="Prometheus"
+traefik_config_last_reload_success
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.config.reload.lastSuccessTimestamp
+```
+
+### Last Configuration Reload Failure
+The timestamp of the last configuration reload failure.
+
+```dd tab="Datadog"
+config.reload.lastFailureTimestamp
+```
+
+```influxdb tab="InfluDB"
+traefik.config.reload.lastFailureTimestamp
+```
+
+```prom tab="Prometheus"
+traefik_config_last_reload_failure
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.config.reload.lastFailureTimestamp
+```
+
+## EntryPoint Metrics
+
+| Metric                                                    | DataDog | InfluxDB | Prometheus | StatsD |
+|-----------------------------------------------------------|---------|----------|------------|--------|
+| [HTTP Requests Count](#http-requests-count)               | ✓       | ✓        | ✓          | ✓      |
+| [HTTPS Requests Count](#https-requests-count)             |         |          | ✓          |        |
+| [Request Duration Histogram](#request-duration-histogram) | ✓       | ✓        | ✓          | ✓      |
+| [Open Connections Count](#open-connections-count)         | ✓       | ✓        | ✓          | ✓      |
+
+### HTTP Requests Count
+The total count of HTTP requests processed on an entrypoint.
+
+Available labels: `code`, `method`, `protocol`, `entrypoint`.
+
+```dd tab="Datadog"
+entrypoint.request.total
+```
+
+```influxdb tab="InfluDB"
+traefik.entrypoint.requests.total
+```
+
+```prom tab="Prometheus"
+traefik_entrypoint_requests_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.entrypoint.request.total
+```
+
+### HTTPS Requests Count
+The total count of HTTPS requests processed on an entrypoint.
+
+Available labels: `tls_version`, `tls_cipher`, `entrypoint`.
+
+```prom tab="Prometheus"
+traefik_entrypoint_requests_tls_total
+```
+
+### Request Duration Histogram
+Request process time duration histogram on an entrypoint.
+
+Available labels: `code`, `method`, `protocol`, `entrypoint`.
+
+```dd tab="Datadog"
+entrypoint.request.duration
+```
+
+```influxdb tab="InfluDB"
+traefik.entrypoint.request.duration
+```
+
+```prom tab="Prometheus"
+traefik_entrypoint_request_duration_seconds
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.entrypoint.request.duration
+```
+
+### Open Connections Count
+The current count of open connections on an entrypoint.
+
+Available labels: `method`, `protocol`, `entrypoint`.
+
+```dd tab="Datadog"
+entrypoint.connections.open
+```
+
+```influxdb tab="InfluDB"
+traefik.entrypoint.connections.open
+```
+
+```prom tab="Prometheus"
+traefik_entrypoint_open_connections
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.entrypoint.connections.open
+```
+
+## Service Metrics
+
+| Metric                                                      | DataDog | InfluxDB | Prometheus | StatsD |
+|-------------------------------------------------------------|---------|----------|------------|--------|
+| [HTTP Requests Count](#http-requests-count_1)               | ✓       | ✓        | ✓          | ✓      |
+| [HTTPS Requests Count](#https-requests-count_1)             |         |          | ✓          |        |
+| [Request Duration Histogram](#request-duration-histogram_1) | ✓       | ✓        | ✓          | ✓      |
+| [Open Connections Count](#open-connections-count_1)         | ✓       | ✓        | ✓          | ✓      |
+| [Requests Retries Count](#requests-retries-count)           | ✓       | ✓        | ✓          | ✓      |
+| [Service Server UP](#service-server-up)                     | ✓       | ✓        | ✓          | ✓      |
+
+### HTTP Requests Count
+The total count of HTTP requests processed on a service.
+
+Available labels: `code`, `method`, `protocol`, `service`.
+
+```dd tab="Datadog"
+service.request.total
+```
+
+```influxdb tab="InfluDB"
+traefik.service.requests.total
+```
+
+```prom tab="Prometheus"
+traefik_service_requests_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.request.total
+```
+
+### HTTPS Requests Count
+The total count of HTTPS requests processed on a service.
+
+Available labels: `tls_version`, `tls_cipher`, `service`.
+
+```prom tab="Prometheus"
+traefik_service_requests_tls_total
+```
+
+### Request Duration Histogram
+Request process time duration histogram on a service.
+
+Available labels: `code`, `method`, `protocol`, `service`.
+
+```dd tab="Datadog"
+service.request.duration
+```
+
+```influxdb tab="InfluDB"
+traefik.service.request.duration
+```
+
+```prom tab="Prometheus"
+traefik_service_request_duration_seconds
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.request.duration
+```
+
+### Open Connections Count
+The current count of open connections on a service.
+
+Available labels: `method`, `protocol`, `service`.
+
+```dd tab="Datadog"
+service.connections.open
+```
+
+```influxdb tab="InfluDB"
+traefik.service.connections.open
+```
+
+```prom tab="Prometheus"
+traefik_service_open_connections
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.connections.open
+```
+
+### Requests Retries Count
+The count of requests retries on a service.
+
+Available labels: `service`.
+
+```dd tab="Datadog"
+service.retries.total
+```
+
+```influxdb tab="InfluDB"
+traefik.service.retries.total
+```
+
+```prom tab="Prometheus"
+traefik_service_retries_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.retries.total
+```
+
+### Service Server UP
+Current service's server status, described by a gauge with a value of 0 for a down server or a value of 1 for an up server.
+
+Available labels: `service`, `url`.
+
+```dd tab="Datadog"
+service.server.up
+```
+
+```influxdb tab="InfluDB"
+traefik.service.server.up
+```
+
+```prom tab="Prometheus"
+traefik_service_server_up
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.server.up
+```

docs/content/observability/metrics/prometheus.md

@@ -2,16 +2,16 @@
 
 To enable the Prometheus:
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   prometheus: {}
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+```
+
 ```bash tab="CLI"
 --metrics.prometheus=true
 ```
@@ -22,12 +22,6 @@ _Optional, Default="0.100000, 0.300000, 1.200000, 5.000000"_
 
 Buckets for latency metrics.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    buckets = [0.1,0.3,1.2,5.0]
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   prometheus:
@@ -38,6 +32,12 @@ metrics:
       - 5.0
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    buckets = [0.1,0.3,1.2,5.0]
+```
+
 ```bash tab="CLI"
 --metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
 ```
@@ -48,18 +48,18 @@ _Optional, Default=true_
 
 Enable metrics on entry points.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    addEntryPointsLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   prometheus:
     addEntryPointsLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addEntryPointsLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.prometheus.addEntryPointsLabels=true
 ```
@@ -70,18 +70,18 @@ _Optional, Default=true_
 
 Enable metrics on services.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    addServicesLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   prometheus:
     addServicesLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addServicesLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.prometheus.addServicesLabels=true
 ```
@@ -92,16 +92,6 @@ _Optional, Default=traefik_
 
 Entry point used to expose metrics.
 
-```toml tab="File (TOML)"
-[entryPoints]
-  [entryPoints.metrics]
-    address = ":8082"
-
-[metrics]
-  [metrics.prometheus]
-    entryPoint = "metrics"
-```
-
 ```yaml tab="File (YAML)"
 entryPoints:
   metrics:
@@ -112,6 +102,16 @@ metrics:
     entryPoint: metrics
 ```
 
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.metrics]
+    address = ":8082"
+
+[metrics]
+  [metrics.prometheus]
+    entryPoint = "metrics"
+```
+
 ```bash tab="CLI"
 --entryPoints.metrics.address=:8082
 --metrics.prometheus.entryPoint=metrics
@@ -123,18 +123,18 @@ _Optional, Default=false_
 
 If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `prometheus@internal` service.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    manualRouting = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   prometheus:
     manualRouting: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    manualRouting = true
+```
+
 ```bash tab="CLI"
 --metrics.prometheus.manualrouting=true
 ```

docs/content/observability/metrics/statsd.md

@@ -2,16 +2,16 @@
 
 To enable the Statsd:
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   statsD: {}
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+```
+
 ```bash tab="CLI"
 --metrics.statsd=true
 ```
@@ -22,18 +22,18 @@ _Required, Default="localhost:8125"_
 
 Address instructs exporter to send metrics to statsd at this address.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-    address = "localhost:8125"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   statsD:
     address: localhost:8125
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    address = "localhost:8125"
+```
+
 ```bash tab="CLI"
 --metrics.statsd.address=localhost:8125
 ```
@@ -44,18 +44,18 @@ _Optional, Default=true_
 
 Enable metrics on entry points.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-    addEntryPointsLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   statsD:
     addEntryPointsLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    addEntryPointsLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.statsd.addEntryPointsLabels=true
 ```
@@ -66,18 +66,18 @@ _Optional, Default=true_
 
 Enable metrics on services.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-    addServicesLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   statsD:
     addServicesLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    addServicesLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.statsd.addServicesLabels=true
 ```
@@ -88,18 +88,18 @@ _Optional, Default=10s_
 
 The interval used by the exporter to push metrics to statsD.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-    pushInterval = 10s
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   statsD:
     pushInterval: 10s
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    pushInterval = 10s
+```
+
 ```bash tab="CLI"
 --metrics.statsd.pushInterval=10s
 ```
@@ -110,18 +110,18 @@ _Optional, Default="traefik"_
 
 The prefix to use for metrics collection.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-    prefix = "traefik"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   statsD:
     prefix: traefik
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    prefix = "traefik"
+```
+
 ```bash tab="CLI"
 --metrics.statsd.prefix="traefik"
-```
+```

docs/content/observability/tracing/datadog.md

@@ -2,16 +2,16 @@
 
 To enable the Datadog:
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   datadog: {}
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.datadog]
+```
+
 ```bash tab="CLI"
 --tracing.datadog=true
 ```
@@ -22,18 +22,18 @@ _Required, Default="127.0.0.1:8126"_
 
 Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    localAgentHostPort = "127.0.0.1:8126"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   datadog:
     localAgentHostPort: 127.0.0.1:8126
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.datadog]
+    localAgentHostPort = "127.0.0.1:8126"
+```
+
 ```bash tab="CLI"
 --tracing.datadog.localAgentHostPort=127.0.0.1:8126
 ```
@@ -44,18 +44,18 @@ _Optional, Default=false_
 
 Enable Datadog debug.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    debug = true
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   datadog:
     debug: true
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.datadog]
+    debug = true
+```
+
 ```bash tab="CLI"
 --tracing.datadog.debug=true
 ```
@@ -66,18 +66,18 @@ _Optional, Default=empty_
 
 Apply shared tag in a form of Key:Value to all the traces.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    globalTag = "sample"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   datadog:
     globalTag: sample
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.datadog]
+    globalTag = "sample"
+```
+
 ```bash tab="CLI"
 --tracing.datadog.globalTag=sample
 ```
@@ -89,18 +89,18 @@ _Optional, Default=false_
 Enable priority sampling. When using distributed tracing,
 this option must be enabled in order to get all the parts of a distributed trace sampled.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    prioritySampling = true
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   datadog:
     prioritySampling: true
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.datadog]
+    prioritySampling = true
+```
+
 ```bash tab="CLI"
 --tracing.datadog.prioritySampling=true
 ```

docs/content/observability/tracing/elastic.md

@@ -2,16 +2,16 @@
 
 To enable the Elastic:
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.elastic]
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   elastic: {}
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+```
+
 ```bash tab="CLI"
 --tracing.elastic=true
 ```
@@ -22,18 +22,18 @@ _Optional, Default="http://localhost:8200"_
 
 APM ServerURL is the URL of the Elastic APM server.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.elastic]
-    serverURL = "http://apm:8200"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   elastic:
     serverURL: "http://apm:8200"
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    serverURL = "http://apm:8200"
+```
+
 ```bash tab="CLI"
 --tracing.elastic.serverurl="http://apm:8200"
 ```
@@ -44,18 +44,18 @@ _Optional, Default=""_
 
 APM Secret Token is the token used to connect to Elastic APM Server.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.elastic]
-    secretToken = "mytoken"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   elastic:
     secretToken: "mytoken"
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    secretToken = "mytoken"
+```
+
 ```bash tab="CLI"
 --tracing.elastic.secrettoken="mytoken"
 ```
@@ -66,18 +66,18 @@ _Optional, Default=""_
 
 APM Service Environment is the name of the environment Traefik is deployed in, e.g. `production` or `staging`.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.elastic]
-    serviceEnvironment = "production"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   elastic:
     serviceEnvironment: "production"
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.elastic]
+    serviceEnvironment = "production"
+```
+
 ```bash tab="CLI"
 --tracing.elastic.serviceenvironment="production"
 ```

docs/content/observability/tracing/haystack.md

@@ -2,16 +2,16 @@
 
 To enable the Haystack:
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   haystack: {}
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+```
+
 ```bash tab="CLI"
 --tracing.haystack=true
 ```
@@ -22,18 +22,18 @@ _Require, Default="127.0.0.1"_
 
 Local Agent Host instructs reporter to send spans to haystack-agent at this address.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    localAgentHost = "127.0.0.1"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
     localAgentHost: 127.0.0.1
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    localAgentHost = "127.0.0.1"
+```
+
 ```bash tab="CLI"
 --tracing.haystack.localAgentHost=127.0.0.1
 ```
@@ -44,18 +44,18 @@ _Require, Default=35000_
 
 Local Agent port instructs reporter to send spans to the haystack-agent at this port.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    localAgentPort = 35000
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
     localAgentPort: 35000
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    localAgentPort = 35000
+```
+
 ```bash tab="CLI"
 --tracing.haystack.localAgentPort=35000
 ```
@@ -66,18 +66,18 @@ _Optional, Default=empty_
 
 Apply shared tag in a form of Key:Value to all the traces.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    globalTag = "sample:test"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
     globalTag: sample:test
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    globalTag = "sample:test"
+```
+
 ```bash tab="CLI"
 --tracing.haystack.globalTag=sample:test
 ```
@@ -88,18 +88,18 @@ _Optional, Default=empty_
 
 Specifies the header name that will be used to store the trace ID.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    traceIDHeaderName = "Trace-ID"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
     traceIDHeaderName: Trace-ID
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    traceIDHeaderName = "Trace-ID"
+```
+
 ```bash tab="CLI"
 --tracing.haystack.traceIDHeaderName=Trace-ID
 ```
@@ -110,18 +110,18 @@ _Optional, Default=empty_
 
 Specifies the header name that will be used to store the parent ID.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    parentIDHeaderName = "Parent-Message-ID"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
     parentIDHeaderName: Parent-Message-ID
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    parentIDHeaderName = "Parent-Message-ID"
+```
+
 ```bash tab="CLI"
 --tracing.haystack.parentIDHeaderName=Parent-Message-ID
 ```
@@ -132,18 +132,18 @@ _Optional, Default=empty_
 
 Specifies the header name that will be used to store the span ID.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    spanIDHeaderName = "Message-ID"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
     spanIDHeaderName: Message-ID
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    spanIDHeaderName = "Message-ID"
+```
+
 ```bash tab="CLI"
 --tracing.haystack.spanIDHeaderName=Message-ID
 ```
@@ -154,18 +154,18 @@ _Optional, Default=empty_
 
 Specifies the header name prefix that will be used to store baggage items in a map.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    baggagePrefixHeaderName = "sample"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   haystack:
     baggagePrefixHeaderName: "sample"
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    baggagePrefixHeaderName = "sample"
+```
+
 
 ```bash tab="CLI"
 --tracing.haystack.baggagePrefixHeaderName=sample

docs/content/observability/tracing/instana.md

@@ -2,16 +2,16 @@
 
 To enable the Instana:
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   instana: {}
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+```
+
 ```bash tab="CLI"
 --tracing.instana=true
 ```
@@ -22,18 +22,18 @@ _Require, Default="127.0.0.1"_
 
 Local Agent Host instructs reporter to send spans to instana-agent at this address.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-    localAgentHost = "127.0.0.1"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   instana:
     localAgentHost: 127.0.0.1
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+    localAgentHost = "127.0.0.1"
+```
+
 ```bash tab="CLI"
 --tracing.instana.localAgentHost=127.0.0.1
 ```
@@ -44,18 +44,18 @@ _Require, Default=42699_
 
 Local Agent port instructs reporter to send spans to the instana-agent at this port.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-    localAgentPort = 42699
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   instana:
     localAgentPort: 42699
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+    localAgentPort = 42699
+```
+
 ```bash tab="CLI"
 --tracing.instana.localAgentPort=42699
 ```
@@ -73,18 +73,18 @@ Valid values for logLevel field are:
 - `debug`
 - `info`
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-    logLevel = "info"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   instana:
     logLevel: info
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+    logLevel = "info"
+```
+
 ```bash tab="CLI"
 --tracing.instana.logLevel=info
 ```

docs/content/observability/tracing/jaeger.md

@@ -2,16 +2,16 @@
 
 To enable the Jaeger:
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger: {}
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+```
+
 ```bash tab="CLI"
 --tracing.jaeger=true
 ```
@@ -26,18 +26,18 @@ _Required, Default="http://localhost:5778/sampling"_
 
 Sampling Server URL is the address of jaeger-agent's HTTP sampling server.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    samplingServerURL = "http://localhost:5778/sampling"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
     samplingServerURL: http://localhost:5778/sampling
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    samplingServerURL = "http://localhost:5778/sampling"
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.samplingServerURL=http://localhost:5778/sampling
 ```
@@ -48,18 +48,18 @@ _Required, Default="const"_
 
 Sampling Type specifies the type of the sampler: `const`, `probabilistic`, `rateLimiting`.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    samplingType = "const"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
     samplingType: const
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    samplingType = "const"
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.samplingType=const
 ```
@@ -76,18 +76,18 @@ Valid values for Param field are:
 - for `probabilistic` sampler, a probability between 0 and 1
 - for `rateLimiting` sampler, the number of spans per second
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    samplingParam = 1.0
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
     samplingParam: 1.0
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    samplingParam = 1.0
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.samplingParam=1.0
 ```
@@ -98,18 +98,18 @@ _Required, Default="127.0.0.1:6831"_
 
 Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    localAgentHostPort = "127.0.0.1:6831"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
     localAgentHostPort: 127.0.0.1:6831
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    localAgentHostPort = "127.0.0.1:6831"
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.localAgentHostPort=127.0.0.1:6831
 ```
@@ -120,18 +120,18 @@ _Optional, Default=false_
 
 Generate 128-bit trace IDs, compatible with OpenCensus.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    gen128Bit = true
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
     gen128Bit: true
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    gen128Bit = true
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.gen128Bit
 ```
@@ -146,18 +146,18 @@ This can be either:
 - `jaeger`, jaeger's default trace header.
 - `b3`, compatible with OpenZipkin
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    propagation = "jaeger"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
     propagation: jaeger
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    propagation = "jaeger"
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.propagation=jaeger
 ```
@@ -169,18 +169,18 @@ _Required, Default="uber-trace-id"_
 Trace Context Header Name is the http header name used to propagate tracing context.
 This must be in lower-case to avoid mismatches when decoding incoming headers.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    traceContextHeaderName = "uber-trace-id"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
     traceContextHeaderName: uber-trace-id
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    traceContextHeaderName = "uber-trace-id"
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.traceContextHeaderName=uber-trace-id
 ```
@@ -192,18 +192,18 @@ _Optional, Default=true_
 Disable the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
 Enabling the re-resolving of UDP address make the client more robust in Kubernetes deployments.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    disableAttemptReconnecting = false
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
     disableAttemptReconnecting: false
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    disableAttemptReconnecting = false
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.disableAttemptReconnecting=false
 ```
@@ -215,12 +215,6 @@ _Optional, Default=""_
 
 Collector Endpoint instructs reporter to send spans to jaeger-collector at this URL.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger.collector]
-    endpoint = "http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
@@ -228,6 +222,12 @@ tracing:
         endpoint: http://127.0.0.1:14268/api/traces?format=jaeger.thrift
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    endpoint = "http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.collector.endpoint=http://127.0.0.1:14268/api/traces?format=jaeger.thrift
 ```
@@ -238,12 +238,6 @@ _Optional, Default=""_
 
 User instructs reporter to include a user for basic http authentication when sending spans to jaeger-collector.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger.collector]
-    user = "my-user"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
@@ -251,6 +245,12 @@ tracing:
         user: my-user
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    user = "my-user"
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.collector.user=my-user
 ```
@@ -261,12 +261,6 @@ _Optional, Default=""_
 
 Password instructs reporter to include a password for basic http authentication when sending spans to jaeger-collector.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger.collector]
-    password = "my-password"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   jaeger:
@@ -274,6 +268,12 @@ tracing:
         password: my-password
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    password = "my-password"
+```
+
 ```bash tab="CLI"
 --tracing.jaeger.collector.password=my-password
 ```

docs/content/observability/tracing/overview.md

@@ -22,14 +22,14 @@ By default, Traefik uses Jaeger as tracing backend.
 
 To enable the tracing:
 
-```toml tab="File (TOML)"
-[tracing]
-```
-
 ```yaml tab="File (YAML)"
 tracing: {}
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+```
+
 ```bash tab="CLI"
 --tracing=true
 ```
@@ -42,16 +42,16 @@ _Required, Default="traefik"_
 
 Service name used in selected backend.
 
-```toml tab="File (TOML)"
-[tracing]
-  serviceName = "traefik"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   serviceName: traefik
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  serviceName = "traefik"
+```
+
 ```bash tab="CLI"
 --tracing.serviceName=traefik
 ```
@@ -65,16 +65,16 @@ This can prevent certain tracing providers to drop traces that exceed their leng
 
 `0` means no truncation will occur.
 
-```toml tab="File (TOML)"
-[tracing]
-  spanNameLimit = 150
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   spanNameLimit: 150
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  spanNameLimit = 150
+```
+
 ```bash tab="CLI"
 --tracing.spanNameLimit=150
 ```

docs/content/observability/tracing/zipkin.md

@@ -2,16 +2,16 @@
 
 To enable the Zipkin:
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   zipkin: {}
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+```
+
 ```bash tab="CLI"
 --tracing.zipkin=true
 ```
@@ -22,18 +22,18 @@ _Required, Default="http://localhost:9411/api/v2/spans"_
 
 Zipkin HTTP endpoint used to send data.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-    httpEndpoint = "http://localhost:9411/api/v2/spans"
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   zipkin:
     httpEndpoint: http://localhost:9411/api/v2/spans
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    httpEndpoint = "http://localhost:9411/api/v2/spans"
+```
+
 ```bash tab="CLI"
 --tracing.zipkin.httpEndpoint=http://localhost:9411/api/v2/spans
 ```
@@ -44,18 +44,18 @@ _Optional, Default=false_
 
 Use Zipkin SameSpan RPC style traces.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-    sameSpan = true
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   zipkin:
     sameSpan: true
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    sameSpan = true
+```
+
 ```bash tab="CLI"
 --tracing.zipkin.sameSpan=true
 ```
@@ -66,18 +66,18 @@ _Optional, Default=true_
 
 Use Zipkin 128 bit trace IDs.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-    id128Bit = false
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   zipkin:
     id128Bit: false
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    id128Bit = false
+```
+
 ```bash tab="CLI"
 --tracing.zipkin.id128Bit=false
 ```
@@ -88,18 +88,18 @@ _Required, Default=1.0_
 
 The rate between 0.0 and 1.0 of requests to trace.
 
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-    sampleRate = 0.2
-```
-
 ```yaml tab="File (YAML)"
 tracing:
   zipkin:
     sampleRate: 0.2
 ```
 
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    sampleRate = 0.2
+```
+
 ```bash tab="CLI"
 --tracing.zipkin.sampleRate=0.2
 ```

docs/content/operations/api.md

@@ -26,16 +26,16 @@ If you enable the API, a new special `service` named `api@internal` is created a
 To enable the API handler, use the following option on the
 [static configuration](../getting-started/configuration-overview.md#the-static-configuration):
 
-```toml tab="File (TOML)"
-# Static Configuration
-[api]
-```
-
 ```yaml tab="File (YAML)"
 # Static Configuration
 api: {}
 ```
 
+```toml tab="File (TOML)"
+# Static Configuration
+[api]
+```
+
 ```bash tab="CLI"
 --api=true
 ```
@@ -74,16 +74,16 @@ Enable the API in `insecure` mode, which means that the API will be available di
 !!! info
     If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
 
-```toml tab="File (TOML)"
-[api]
-  insecure = true
-```
-
 ```yaml tab="File (YAML)"
 api:
   insecure: true
 ```
 
+```toml tab="File (TOML)"
+[api]
+  insecure = true
+```
+
 ```bash tab="CLI"
 --api.insecure=true
 ```
@@ -94,16 +94,16 @@ _Optional, Default=true_
 
 Enable the dashboard. More about the dashboard features [here](./dashboard.md).
 
-```toml tab="File (TOML)"
-[api]
-  dashboard = true
-```
-
 ```yaml tab="File (YAML)"
 api:
   dashboard: true
 ```
 
+```toml tab="File (TOML)"
+[api]
+  dashboard = true
+```
+
 ```bash tab="CLI"
 --api.dashboard=true
 ```
@@ -117,16 +117,16 @@ _Optional, Default=false_
 
 Enable additional [endpoints](./api.md#endpoints) for debugging and profiling, served under `/debug/`.
 
-```toml tab="File (TOML)"
-[api]
-  debug = true
-```
-
 ```yaml tab="File (YAML)"
 api:
   debug: true
 ```
 
+```toml tab="File (TOML)"
+[api]
+  debug = true
+```
+
 ```bash tab="CLI"
 --api.debug=true
 ```

docs/content/operations/dashboard.md

@@ -31,16 +31,6 @@ This is the **recommended** method.
 Start by enabling the dashboard by using the following option from [Traefik's API](./api.md)
 on the [static configuration](../getting-started/configuration-overview.md#the-static-configuration):
 
-```toml tab="File (TOML)"
-[api]
-  # Dashboard
-  #
-  # Optional
-  # Default: true
-  #
-  dashboard = true
-```
-
 ```yaml tab="File (YAML)"
 api:
   # Dashboard
@@ -51,6 +41,16 @@ api:
   dashboard: true
 ```
 
+```toml tab="File (TOML)"
+[api]
+  # Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  dashboard = true
+```
+
 ```bash tab="CLI"
 # Dashboard
 #
@@ -105,18 +105,18 @@ This mode is not recommended because it does not allow the use of security featu
 
 To enable the "insecure mode", use the following options from [Traefik's API](./api.md#insecure):
 
-```toml tab="File (TOML)"
-[api]
-  dashboard = true
-  insecure = true
-```
-
 ```yaml tab="File (YAML)"
 api:
   dashboard: true
   insecure: true
 ```
 
+```toml tab="File (TOML)"
+[api]
+  dashboard = true
+  insecure = true
+```
+
 ```bash tab="CLI"
 --api.dashboard=true --api.insecure=true
 ```

docs/content/operations/include-api-examples.md

@@ -69,20 +69,6 @@ labels:
   - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
 
-```toml tab="File (TOML)"
-# Dynamic Configuration
-[http.routers.my-api]
-  rule = "Host(`traefik.example.com`)"
-  service = "api@internal"
-  middlewares = ["auth"]
-
-[http.middlewares.auth.basicAuth]
-  users = [
-    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-  ]
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic Configuration
 http:
@@ -99,3 +85,17 @@ http:
           - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
           - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.example.com`)"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```

docs/content/operations/include-dashboard-examples.md

@@ -69,20 +69,6 @@ labels:
   - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
 
-```toml tab="File (TOML)"
-# Dynamic Configuration
-[http.routers.my-api]
-  rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
-  service = "api@internal"
-  middlewares = ["auth"]
-
-[http.middlewares.auth.basicAuth]
-  users = [
-    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-  ]
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic Configuration
 http:
@@ -99,3 +85,17 @@ http:
           - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
           - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```

docs/content/operations/ping.md

@@ -7,14 +7,14 @@ Checking the Health of Your Traefik Instances
 
 To enable the API handler:
 
-```toml tab="File (TOML)"
-[ping]
-```
-
 ```yaml tab="File (YAML)"
 ping: {}
 ```
 
+```toml tab="File (TOML)"
+[ping]
+```
+
 ```bash tab="CLI"
 --ping=true
 ```
@@ -39,15 +39,6 @@ _Optional, Default="traefik"_
 
 Enabling /ping on a dedicated EntryPoint.
 
-```toml tab="File (TOML)"
-[entryPoints]
-  [entryPoints.ping]
-    address = ":8082"
-
-[ping]
-  entryPoint = "ping"
-```
-
 ```yaml tab="File (YAML)"
 entryPoints:
   ping:
@@ -57,6 +48,15 @@ ping:
   entryPoint: "ping"
 ```
 
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.ping]
+    address = ":8082"
+
+[ping]
+  entryPoint = "ping"
+```
+
 ```bash tab="CLI"
 --entryPoints.ping.address=:8082
 --ping.entryPoint=ping
@@ -68,16 +68,16 @@ _Optional, Default=false_
 
 If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `ping@internal` service.
 
-```toml tab="File (TOML)"
-[ping]
-  manualRouting = true
-```
-
 ```yaml tab="File (YAML)"
 ping:
   manualRouting: true
 ```
 
+```toml tab="File (TOML)"
+[ping]
+  manualRouting = true
+```
+
 ```bash tab="CLI"
 --ping.manualrouting=true
 ```
@@ -93,16 +93,16 @@ be expected as the signal for graceful termination. In which case, the
 terminatingStatusCode can be used to set the code returned by the ping
 handler during termination.
 
-```toml tab="File (TOML)"
-[ping]
-  terminatingStatusCode = 204
-```
-
 ```yaml tab="File (YAML)"
 ping:
   terminatingStatusCode: 204
 ```
 
+```toml tab="File (TOML)"
+[ping]
+  terminatingStatusCode = 204
+```
+
 ```bash tab="CLI"
 --ping.terminatingStatusCode=204
 ```

docs/content/providers/consul-catalog.md

@@ -13,15 +13,15 @@ Attach tags to your services and let Traefik do the rest!
 
     Enabling the consul catalog provider
 
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog]
-    ```
-    
     ```yaml tab="File (YAML)"
     providers:
       consulCatalog: {}
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [providers.consulCatalog]
+    ```
+
     ```bash tab="CLI"
     --providers.consulcatalog=true
     ```
@@ -42,11 +42,7 @@ See the dedicated section in [routing](../routing/providers/consul-catalog.md).
 
 _Optional, Default=15s_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  refreshInterval = "30s"
-  # ...
-```
+Defines the polling interval.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -55,22 +51,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  refreshInterval = "30s"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.refreshInterval=30s
 # ...
 ```
 
-Defines the polling interval.
-
 ### `prefix`
 
 _required, Default="traefik"_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  prefix = "test"
-  # ...
-```
+The prefix for Consul Catalog tags defining Traefik labels.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -79,22 +75,28 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  prefix = "test"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.prefix=test
 # ...
 ```
 
-The prefix for Consul Catalog tags defining traefik labels.
-
 ### `requireConsistent`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  requireConsistent = true
-  # ...
-```
+Forces the read to be fully consistent.
+
+!!! note ""
+
+    It is more expensive due to an extra round-trip but prevents ever performing a stale read.
+
+    For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -103,22 +105,28 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  requireConsistent = true
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.requireConsistent=true
 # ...
 ```
 
-Forces the read to be fully consistent.
-
 ### `stale`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  stale = true
-  # ...
-```
+Use stale consistency for catalog reads.
+
+!!! note ""
+
+    This makes reads very fast and scalable at the cost of a higher likelihood of stale values.
+
+    For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -127,22 +135,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  stale = true
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.stale=true
 # ...
 ```
 
-Use stale consistency for catalog reads.
-
 ### `cache`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  cache = true
-  # ...
-```
+Use local agent caching for catalog reads.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -151,27 +159,26 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  cache = true
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.cache=true
 # ...
 ```
 
-Use local agent caching for catalog reads.
-
 ### `endpoint`
 
 Defines the Consul server endpoint.
 
 #### `address`
 
-_Optional, Default="127.0.0.1:8500"_
+Defines the address of the Consul server.
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  [providers.consulCatalog.endpoint]
-    address = "127.0.0.1:8500"
-    # ...
-```
+_Optional, Default="127.0.0.1:8500"_
 
 ```yaml tab="File (YAML)"
 providers:
@@ -181,23 +188,23 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    address = "127.0.0.1:8500"
+    # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.address=127.0.0.1:8500
 # ...
 ```
 
-Defines the address of the Consul server.
-
 #### `scheme`
 
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  [providers.consulCatalog.endpoint]
-    scheme = "https"
-    # ...
-```
+Defines the URI scheme for the Consul server.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -207,23 +214,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    scheme = "https"
+    # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.scheme=https
 # ...
 ```
 
-Defines the URI scheme for the Consul server.
-
 #### `datacenter`
 
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  [providers.consulCatalog.endpoint]
-    datacenter = "test"
-    # ...
-```
+Defines the datacenter to use.
+If not provided in Traefik, Consul uses the default agent datacenter.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -233,24 +241,23 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    datacenter = "test"
+    # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.datacenter=test
 # ...
 ```
 
-Defines the Data center to use.
-If not provided, the default agent data center is used.
-
 #### `token`
 
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  [providers.consulCatalog.endpoint]
-    token = "test"
-    # ...
-```
+Token is used to provide a per-request ACL token which overwrites the agent's default token.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -260,23 +267,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    token = "test"
+    # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.token=test
 # ...
 ```
 
-Token is used to provide a per-request ACL token which overrides the agent's default token.
-
 #### `endpointWaitTime`
 
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  [providers.consulCatalog.endpoint]
-    endpointWaitTime = "15s"
-    # ...
-```
+Limits the duration for which a Watch can block.
+If not provided, the agent default values will be used.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -286,28 +294,29 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  [providers.consulCatalog.endpoint]
+    endpointWaitTime = "15s"
+    # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.endpointwaittime=15s
 # ...
 ```
 
-WaitTime limits how long a Watch will block.
-If not provided, the agent default values will be used
-
 #### `httpAuth`
 
 _Optional_
 
-Used to authenticate http client with HTTP Basic Authentication.
+Used to authenticate the HTTP client using HTTP Basic Authentication.
 
 ##### `username`
 
-_Optional_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.httpAuth]
-  username = "test"
-```
+Username to use for HTTP Basic Authentication.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -317,20 +326,20 @@ providers:
         username: test
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.httpAuth]
+  username = "test"
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.httpauth.username=test
 ```
 
-Username to use for HTTP Basic Authentication
-
 ##### `password`
 
-_Optional_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.httpAuth]
-  password = "test"
-```
+Password to use for HTTP Basic Authentication.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -340,12 +349,15 @@ providers:
         password: test
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.httpAuth]
+  password = "test"
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.httpauth.password=test
 ```
 
-Password to use for HTTP Basic Authentication
-
 #### `tls`
 
 _Optional_
@@ -356,10 +368,7 @@ Defines TLS options for Consul server endpoint.
 
 _Optional_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
-  ca = "path/to/ca.crt"
-```
+`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -369,20 +378,28 @@ providers:
         ca: path/to/ca.crt
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  ca = "path/to/ca.crt"
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt
 ```
 
-`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
-
 ##### `caOptional`
 
 _Optional_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
-  caOptional = true
-```
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
+
+!!! warning ""
+
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -392,26 +409,22 @@ providers:
         caOptional: true
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  caOptional = true
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.tls.caoptional=true
 ```
 
-Policy followed for the secured connection with TLS Client Authentication to Consul.
-Requires `tls.ca` to be defined.
-
-- `true`: VerifyClientCertIfGiven
-- `false`: RequireAndVerifyClientCert
-- if `tls.ca` is undefined NoClientCert
-
 ##### `cert`
 
 _Optional_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+`cert` is the path to the public certificate to use for Consul communication.
+
+When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -422,23 +435,24 @@ providers:
         key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
 --providers.consulcatalog.endpoint.tls.key=path/to/foo.key
 ```
 
-`cert` is the path to the public certificate for Consul communication.
-If this is set then you need to also set `key.
-
 ##### `key`
 
 _Optional_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+`key` is the path to the private key for Consul communication.
+
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -449,22 +463,22 @@ providers:
         key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
 --providers.consulcatalog.endpoint.tls.key=path/to/foo.key
 ```
 
-`key` is the path to the private key for Consul communication.
-If this is set then you need to also set `cert`.
-
 ##### `insecureSkipVerify`
 
 _Optional_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
-  insecureSkipVerify = true
-```
+If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -474,21 +488,23 @@ providers:
         insecureSkipVerify: true
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog.endpoint.tls]
+  insecureSkipVerify = true
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.endpoint.tls.insecureskipverify=true
 ```
 
-If `insecureSkipVerify` is `true`, TLS for the connection to Consul server accepts any certificate presented by the server and any host name in that certificate.
-
 ### `exposedByDefault`
 
 _Optional, Default=true_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  exposedByDefault = false
-  # ...
-```
+Expose Consul Catalog services by default in Traefik.
+If set to `false`, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -497,25 +513,30 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  exposedByDefault = false
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.exposedByDefault=false
 # ...
 ```
 
-Expose Consul Catalog services by default in Traefik.
-If set to false, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `defaultRule`
 
 _Optional, Default=```Host(`{{ normalize .Name }}`)```_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
+The default host rule for all services.
+
+For a given service, if no routing rule was defined by a tag, it is defined by this `defaultRule` instead.
+The `defaultRule` must be set to a valid [Go template](https://golang.org/pkg/text/template/),
+and can include [sprig template functions](http://masterminds.github.io/sprig/).
+The service name can be accessed with the `Name` identifier,
+and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
+
+The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -524,46 +545,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.consulcatalog.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
 # ...
 ```
 
-The default host rule for all services.
-
-For a given service if no routing rule was defined by a tag, it is defined by this defaultRule instead.
-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-The service name can be accessed as the `Name` identifier,
-and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
-
-The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
-
 ### `constraints`
 
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.consulCatalog]
-  constraints = "Tag(`a.tag.name`)"
-  # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
-  consulCatalog:
-    constraints: "Tag(`a.tag.name`)"
-    # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.constraints="Tag(`a.tag.name`)"
-# ...
-```
-
-Constraints is an expression that Traefik matches against the service's tags to determine whether to create any route for that service.
-That is to say, if none of the service's tags match the expression, no route for that service is created.
-If the expression is empty, all detected services are included.
+The `constraints` option can be set to an expression that Traefik matches against the service tags to determine whether
+to create any route for that service. If none of the service tags match the expression, no route for that service is
+created. If the expression is empty, all detected services are included.
 
 The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
 as well as the usual boolean logic, as shown in examples below.
@@ -574,30 +573,48 @@ as well as the usual boolean logic, as shown in examples below.
     # Includes only services having the tag `a.tag.name=foo`
     constraints = "Tag(`a.tag.name=foo`)"
     ```
-    
+
     ```toml
     # Excludes services having any tag `a.tag.name=foo`
     constraints = "!Tag(`a.tag.name=foo`)"
     ```
-    
+
     ```toml
     # With logical AND.
     constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
     ```
-    
+
     ```toml
     # With logical OR.
     constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
     ```
-    
+
     ```toml
     # With logical AND and OR, with precedence set by parentheses.
     constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
     ```
-    
+
     ```toml
     # Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
     constraints = "TagRegex(`a\.tag\.t.+`)"
     ```
 
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    constraints: "Tag(`a.tag.name`)"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  constraints = "Tag(`a.tag.name`)"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.constraints="Tag(`a.tag.name`)"
+# ...
+```
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

docs/content/providers/consul.md

@@ -17,11 +17,6 @@ _Required, Default="127.0.0.1:8500"_
 
 Defines how to access to Consul.
 
-```toml tab="File (TOML)"
-[providers.consul]
-  endpoints = ["127.0.0.1:8500"]
-```
-
 ```yaml tab="File (YAML)"
 providers:
   consul:
@@ -29,20 +24,20 @@ providers:
       - "127.0.0.1:8500"
 ```
 
+```toml tab="File (TOML)"
+[providers.consul]
+  endpoints = ["127.0.0.1:8500"]
+```
+
 ```bash tab="CLI"
 --providers.consul.endpoints=127.0.0.1:8500
 ```
 
 ### `rootKey`
 
-Defines the root key of the configuration.
-
 _Required, Default="traefik"_
 
-```toml tab="File (TOML)"
-[providers.consul]
-  rootKey = "traefik"
-```
+Defines the root key of the configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -50,21 +45,20 @@ providers:
     rootKey: "traefik"
 ```
 
+```toml tab="File (TOML)"
+[providers.consul]
+  rootKey = "traefik"
+```
+
 ```bash tab="CLI"
 --providers.consul.rootkey=traefik
 ```
 
 ### `username`
 
-Defines a username to connect with Consul.
-
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.consul]
-  # ...
-  username = "foo"
-```
+Defines a username to connect to Consul with.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -73,6 +67,12 @@ providers:
     usename: "foo"
 ```
 
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  username = "foo"
+```
+
 ```bash tab="CLI"
 --providers.consul.username=foo
 ```
@@ -81,13 +81,7 @@ providers:
 
 _Optional, Default=""_
 
-Defines a password to connect with Consul.
-
-```toml tab="File (TOML)"
-[providers.consul]
-  # ...
-  password = "bar"
-```
+Defines a password with which to connect to Consul.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -96,6 +90,12 @@ providers:
     password: "bar"
 ```
 
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  password = "bar"
+```
+
 ```bash tab="CLI"
 --providers.consul.password=foo
 ```
@@ -106,12 +106,7 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secured connection to Consul.
-
-```toml tab="File (TOML)"
-[providers.consul.tls]
-  ca = "path/to/ca.crt"
-```
+Certificate Authority used for the secure connection to Consul.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -120,23 +115,26 @@ providers:
       ca: path/to/ca.crt
 ```
 
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  ca = "path/to/ca.crt"
+```
+
 ```bash tab="CLI"
 --providers.consul.tls.ca=path/to/ca.crt
 ```
 
 #### `tls.caOptional`
 
-Policy followed for the secured connection with TLS Client Authentication to Consul.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
 
-- `true`: VerifyClientCertIfGiven
-- `false`: RequireAndVerifyClientCert
-- if `tls.ca` is undefined NoClientCert
+!!! warning ""
 
-```toml tab="File (TOML)"
-[providers.consul.tls]
-  caOptional = true
-```
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -145,19 +143,18 @@ providers:
       caOptional: true
 ```
 
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  caOptional = true
+```
+
 ```bash tab="CLI"
 --providers.consul.tls.caOptional=true
 ```
 
 #### `tls.cert`
 
-Public certificate used for the secured connection to Consul.
-
-```toml tab="File (TOML)"
-[providers.consul.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Public certificate used for the secure connection to Consul.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -167,6 +164,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.consul.tls.cert=path/to/foo.cert
 --providers.consul.tls.key=path/to/foo.key
@@ -174,13 +177,7 @@ providers:
 
 #### `tls.key`
 
-Private certificate used for the secured connection to Consul.
-
-```toml tab="File (TOML)"
-[providers.consul.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Private certificate used for the secure connection to Consul.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -190,6 +187,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.consul.tls.cert=path/to/foo.cert
 --providers.consul.tls.key=path/to/foo.key
@@ -197,12 +200,7 @@ providers:
 
 #### `tls.insecureSkipVerify`
 
-If `insecureSkipVerify` is `true`, TLS for the connection to Consul accepts any certificate presented by the server and any host name in that certificate.
-
-```toml tab="File (TOML)"
-[providers.consul.tls]
-  insecureSkipVerify = true
-```
+If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -211,6 +209,11 @@ providers:
       insecureSkipVerify: true
 ```
 
+```toml tab="File (TOML)"
+[providers.consul.tls]
+  insecureSkipVerify = true
+```
+
 ```bash tab="CLI"
 --providers.consul.tls.insecureSkipVerify=true
 ```

docs/content/providers/docker.md

@@ -11,23 +11,24 @@ Traefik works with both [Docker (standalone) Engine](https://docs.docker.com/eng
 and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
 
 !!! tip "The Quick Start Uses Docker"
-    If you haven't already, maybe you'd like to go through the [quick start](../getting-started/quick-start.md) that uses the docker provider!
+
+    If you have not already read it, maybe you would like to go through the [quick start guide](../getting-started/quick-start.md) that uses the Docker provider.
 
 ## Configuration Examples
 
 ??? example "Configuring Docker & Deploying / Exposing Services"
 
     Enabling the docker provider
-    
-    ```toml tab="File (TOML)"
-    [providers.docker]
-    ```
-    
+
     ```yaml tab="File (YAML)"
     providers:
       docker: {}
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+    ```
+
     ```bash tab="CLI"
     --providers.docker=true
     ```
@@ -47,15 +48,6 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
 
     Enabling the docker provider (Swarm Mode)
 
-    ```toml tab="File (TOML)"
-    [providers.docker]
-      # swarm classic (1.12-)
-      # endpoint = "tcp://127.0.0.1:2375"
-      # docker swarm mode (1.12+)
-      endpoint = "tcp://127.0.0.1:2377"
-      swarmMode = true
-    ```
-    
     ```yaml tab="File (YAML)"
     providers:
       docker:
@@ -65,7 +57,16 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
         endpoint: "tcp://127.0.0.1:2377"
         swarmMode: true
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      # swarm classic (1.12-)
+      # endpoint = "tcp://127.0.0.1:2375"
+      # docker swarm mode (1.12+)
+      endpoint = "tcp://127.0.0.1:2377"
+      swarmMode = true
+    ```
+
     ```bash tab="CLI"
     # swarm classic (1.12-)
     # --providers.docker.endpoint=tcp://127.0.0.1:2375
@@ -102,20 +103,21 @@ When using Docker Compose, labels are specified by the directive
 ["services" objects](https://docs.docker.com/compose/compose-file/compose-file-v3/#service-configuration-reference).
 
 !!! tip "Not Only Docker"
+
     Please note that any tool like Nomad, Terraform, Ansible, etc.
     that is able to define a Docker container with labels can work
-    with Traefik & the Docker provider.
+    with Traefik and the Docker provider.
 
 ### Port Detection
 
 Traefik retrieves the private IP and port of containers from the Docker API.
 
-Ports detection works as follows:
+Port detection works as follows:
 
-- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) only one port,
+- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) a single port,
   then Traefik uses this port for private communication.
 - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
-  or does not expose any port, then you must manually specify which port Traefik should use for communication 
+  or does not expose any port, then you must manually specify which port Traefik should use for communication
   by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
   (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#port)).
 
@@ -126,12 +128,11 @@ the IP address of the host is resolved as follows:
 
 <!-- TODO: verify and document the swarm mode case with container.Node.IPAddress coming from the API -->
 - try a lookup of `host.docker.internal`
-- otherwise fall back to `127.0.0.1`
+- if the lookup was unsuccessful, fall back to `127.0.0.1`
 
-On Linux, (and until [github.com/moby/moby/pull/40007](https://github.com/moby/moby/pull/40007) is included in a release),
-for `host.docker.internal` to be defined, it should be provided as an `extra_host` to the Traefik container,
-using the `--add-host` flag. For example, to set it to the IP address of the bridge interface (docker0 by default):
-`--add-host=host.docker.internal:172.17.0.1`
+On Linux, for versions of Docker older than 20.10.0, for `host.docker.internal` to be defined, it should be provided
+as an `extra_host` to the Traefik container, using the `--add-host` flag. For example, to set it to the IP address of
+the bridge interface (`docker0` by default): `--add-host=host.docker.internal:172.17.0.1`
 
 ### Docker API Access
 
@@ -145,9 +146,10 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
     If Traefik is attacked, then the attacker might get access to the underlying host.
     {: #security-note }
 
-    As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/#docker-daemon-attack-surface)):
+    As explained in the [Docker Daemon Attack Surface documentation](https://docs.docker.com/engine/security/#docker-daemon-attack-surface):
 
     !!! quote
+
         [...] only **trusted** users should be allowed to control your Docker daemon [...]
 
     ??? success "Solutions"
@@ -155,7 +157,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
         Expose the Docker socket over TCP or SSH, instead of the default Unix socket file.
         It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
 
-        - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
+        - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/protect-access/)
         - Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
         - Authorization with the [Docker Authorization Plugin Mechanism](https://web.archive.org/web/20190920092526/https://docs.docker.com/engine/extend/plugins_authorization/)
         - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
@@ -165,6 +167,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
         - SSH public key authentication (SSH is supported with Docker > 18.09)
 
     ??? info "More Resources and Examples"
+
         - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
         - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
         - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
@@ -194,15 +197,15 @@ This behavior is only enabled for docker-compose version 3+ ([Compose file refer
 
 Docker Swarm does not provide any [port detection](#port-detection) information to Traefik.
 
-Therefore you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
+Therefore, you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
 (Check the reference for this label in the [routing section for Docker](../routing/providers/docker.md#port)).
 
 ### Docker API Access
 
 Docker Swarm Mode follows the same rules as Docker [API Access](#docker-api-access).
 
-As the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes), you should schedule Traefik on the Swarm manager nodes by default,
-by deploying Traefik with a constraint on the node's "role":
+Since the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes),
+these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role":
 
 ```shell tab="With Docker CLI"
 docker service create \
@@ -223,13 +226,13 @@ services:
 ```
 
 !!! tip "Scheduling Traefik on Worker Nodes"
-    
+
     Following the guidelines given in the previous section ["Docker API Access"](#docker-api-access),
     if you expose the Docker API through TCP, then Traefik can be scheduled on any node if the TCP
     socket is reachable.
-    
+
     Please consider the security implications by reading the [Security Note](#security-note).
-    
+
     A good example can be found on [Bret Fisher's repository](https://github.com/BretFisher/dogvscat/blob/master/stack-proxy-global.yml#L124).
 
 ## Provider Configuration
@@ -238,21 +241,6 @@ services:
 
 _Required, Default="unix:///var/run/docker.sock"_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  endpoint = "unix:///var/run/docker.sock"
-```
-
-```yaml tab="File (YAML)"
-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-```
-
-```bash tab="CLI"
---providers.docker.endpoint=unix:///var/run/docker.sock
-```
-
 See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API Access](#docker-api-access_1) for more information.
 
 ??? example "Using the docker.sock"
@@ -273,19 +261,19 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
 
     We specify the docker.sock in traefik's configuration file.
 
-    ```toml tab="File (TOML)"
-    [providers.docker]
-      endpoint = "unix:///var/run/docker.sock"
-      # ...
-    ```
-    
     ```yaml tab="File (YAML)"
     providers:
       docker:
         endpoint: "unix:///var/run/docker.sock"
          # ...
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "unix:///var/run/docker.sock"
+      # ...
+    ```
+
     ```bash tab="CLI"
     --providers.docker.endpoint=unix:///var/run/docker.sock
     # ...
@@ -297,52 +285,49 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
     We specify the SSH host and user in Traefik's configuration file.
     Note that is server requires public keys for authentication you must have those accessible for user who runs Traefik.
 
-    ```toml tab="File (TOML)"
-    [providers.docker]
-      endpoint = "ssh://traefik@192.168.2.5:2022"
-      # ...
-    ```
-    
     ```yaml tab="File (YAML)"
     providers:
       docker:
         endpoint: "ssh://traefik@192.168.2.5:2022"
          # ...
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "ssh://traefik@192.168.2.5:2022"
+      # ...
+    ```
+
     ```bash tab="CLI"
     --providers.docker.endpoint=ssh://traefik@192.168.2.5:2022
     # ...
     ```
 
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+```
+
+```toml tab="File (TOML)"
+[providers.docker]
+  endpoint = "unix:///var/run/docker.sock"
+```
+
+```bash tab="CLI"
+--providers.docker.endpoint=unix:///var/run/docker.sock
+```
+
 ### `useBindPortIP`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  useBindPortIP = true
-  # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
-  docker:
-    useBindPortIP: true
-    # ...
-```
-
-```bash tab="CLI"
---providers.docker.useBindPortIP=true
-# ...
-```
-
-Traefik routes requests to the IP/Port of the matching container.
+Traefik routes requests to the IP/port of the matching container.
 When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
 
 When used in conjunction with the `traefik.http.services.<name>.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
 Traefik tries to find a binding on port `traefik.http.services.<name>.loadbalancer.server.port`.
-If it can't find such a binding, Traefik falls back on the internal network IP of the container,
+If it cannot find such a binding, Traefik falls back on the internal network IP of the container,
 but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that is set in the label.
 
 ??? example "Examples of `usebindportip` in different situations."
@@ -359,21 +344,38 @@ but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that
 
     !!! info ""
         In the above table:
-        
+
         - `ExtIp` stands for "external IP found in the binding"
         - `IntIp` stands for "internal network container's IP",
         - `ExtPort` stands for "external Port found in the binding"
         - `IntPort` stands for "internal network container's port."
 
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    useBindPortIP: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.docker]
+  useBindPortIP = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.docker.useBindPortIP=true
+# ...
+```
+
 ### `exposedByDefault`
 
 _Optional, Default=true_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  exposedByDefault = false
-  # ...
-```
+Expose containers by default through Traefik.
+If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -382,25 +384,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.docker]
+  exposedByDefault = false
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.docker.exposedByDefault=false
 # ...
 ```
 
-Expose containers by default through Traefik.
-If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `network`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  network = "test"
-  # ...
-```
+Defines a default docker network to use for connections to all containers.
+
+This option can be overridden on a per-container basis with the `traefik.docker.network` label.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -409,24 +410,27 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.docker]
+  network = "test"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.docker.network=test
 # ...
 ```
 
-Defines a default docker network to use for connections to all containers.
-
-This option can be overridden on a container basis with the `traefik.docker.network` label.
-
 ### `defaultRule`
 
 _Optional, Default=```Host(`{{ normalize .Name }}`)```_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
+The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
+
+It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
+[sprig template functions](http://masterminds.github.io/sprig/).
+The container service name can be accessed with the `Name` identifier,
+and the template has access to all the labels defined on this container.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -435,26 +439,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.docker]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.docker.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
-For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-The container service name can be accessed as the `Name` identifier,
-and the template has access to all the labels defined on this container.
-
 ### `swarmMode`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  swarmMode = true
-  # ...
-```
+Enables the Swarm Mode (instead of standalone Docker).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -463,22 +463,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.docker]
+  swarmMode = true
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.docker.swarmMode=true
 # ...
 ```
 
-Activates the Swarm Mode (instead of standalone Docker).
-
 ### `swarmModeRefreshSeconds`
 
 _Optional, Default=15_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  swarmModeRefreshSeconds = 30
-  # ...
-```
+Defines the polling interval (in seconds) for Swarm Mode.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -487,22 +487,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.docker]
+  swarmModeRefreshSeconds = 30
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.docker.swarmModeRefreshSeconds=30
 # ...
 ```
 
-Defines the polling interval (in seconds) in Swarm Mode.
-
 ### `httpClientTimeout`
 
 _Optional, Default=0_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  httpClientTimeout = 300
-  # ...
-```
+Defines the client timeout (in seconds) for HTTP connections. If its value is `0`, no timeout is set.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -511,22 +511,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.docker]
+  httpClientTimeout = 300
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.docker.httpClientTimeout=300
 # ...
 ```
 
-Defines the client timeout (in seconds) for HTTP connections. If zero, no timeout is set.
-
 ### `watch`
 
 _Optional, Default=true_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  watch = false
-  # ...
-```
+Watch Docker Swarm events.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -535,22 +535,61 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.docker]
+  watch = false
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.docker.watch=false
 # ...
 ```
 
-Watch Docker Swarm events.
-
 ### `constraints`
 
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.docker]
-  constraints = "Label(`a.label.name`,`foo`)"
-  # ...
-```
+The `constraints` option can be set to an expression that Traefik matches against the container tags to determine whether
+to create any route for that container. If none of the container tags match the expression, no route for that container is
+created. If the expression is empty, all detected containers are included.
+
+The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
+as well as the usual boolean logic, as shown in examples below.
+
+??? example "Constraints Expression Examples"
+
+    ```toml
+    # Includes only containers having a label with key `a.label.name` and value `foo`
+    constraints = "Label(`a.label.name`, `foo`)"
+    ```
+
+    ```toml
+    # Excludes containers having any label with key `a.label.name` and value `foo`
+    constraints = "!Label(`a.label.name`, `value`)"
+    ```
+
+    ```toml
+    # With logical AND.
+    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical OR.
+    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical AND and OR, with precedence set by parentheses.
+    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
+    ```
+
+    ```toml
+    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
+    ```
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -559,63 +598,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.docker]
+  constraints = "Label(`a.label.name`,`foo`)"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.docker.constraints=Label(`a.label.name`,`foo`)
 # ...
 ```
 
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-That is to say, if none of the container's labels match the expression, no route for the container is created.
-If the expression is empty, all detected containers are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and value `foo`
-    constraints = "Label(`a.label.name`, `foo`)"
-    ```
-    
-    ```toml
-    # Excludes containers having any label with key `a.label.name` and value `foo`
-    constraints = "!Label(`a.label.name`, `value`)"
-    ```
-    
-    ```toml
-    # With logical AND.
-    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
-    ```
-    
-    ```toml
-    # With logical OR.
-    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
-    ```
-    
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
-    ```
-    
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegex(`a.label.name`, `a.+`)"
-    ```
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `tls`
 
 _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secured connection to Docker.
-
-```toml tab="File (TOML)"
-[providers.docker.tls]
-  ca = "path/to/ca.crt"
-```
+Certificate Authority used for the secure connection to Docker.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -624,23 +624,26 @@ providers:
       ca: path/to/ca.crt
 ```
 
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  ca = "path/to/ca.crt"
+```
+
 ```bash tab="CLI"
 --providers.docker.tls.ca=path/to/ca.crt
 ```
 
 #### `tls.caOptional`
 
-Policy followed for the secured connection with TLS Client Authentication to Docker.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
 
-- `true`: VerifyClientCertIfGiven
-- `false`: RequireAndVerifyClientCert
-- if `tls.ca` is undefined NoClientCert
+!!! warning ""
 
-```toml tab="File (TOML)"
-[providers.docker.tls]
-  caOptional = true
-```
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -649,19 +652,18 @@ providers:
       caOptional: true
 ```
 
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  caOptional = true
+```
+
 ```bash tab="CLI"
 --providers.docker.tls.caOptional=true
 ```
 
 #### `tls.cert`
 
-Public certificate used for the secured connection to Docker.
-
-```toml tab="File (TOML)"
-[providers.docker.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Public certificate used for the secure connection to Docker.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -671,6 +673,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.docker.tls.cert=path/to/foo.cert
 --providers.docker.tls.key=path/to/foo.key
@@ -678,13 +686,7 @@ providers:
 
 #### `tls.key`
 
-Private certificate used for the secured connection to Docker.
-
-```toml tab="File (TOML)"
-[providers.docker.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Private certificate used for the secure connection to Docker.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -694,6 +696,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.docker.tls.cert=path/to/foo.cert
 --providers.docker.tls.key=path/to/foo.key
@@ -701,12 +709,7 @@ providers:
 
 #### `tls.insecureSkipVerify`
 
-If `insecureSkipVerify` is `true`, TLS for the connection to Docker accepts any certificate presented by the server and any host name in that certificate.
-
-```toml tab="File (TOML)"
-[providers.docker.tls]
-  insecureSkipVerify = true
-```
+If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -715,6 +718,11 @@ providers:
       insecureSkipVerify: true
 ```
 
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  insecureSkipVerify = true
+```
+
 ```bash tab="CLI"
 --providers.docker.tls.insecureSkipVerify=true
 ```

docs/content/providers/ecs.md

@@ -10,16 +10,16 @@ Attach labels to your ECS containers and let Traefik do the rest!
 ??? example "Configuring ECS provider"
 
     Enabling the ECS provider:
-    
-    ```toml tab="File (TOML)"
-    [providers.ecs]
-    ```
-    
+
     ```yaml tab="File (YAML)"
     providers:
       ecs: {}
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [providers.ecs]
+    ```
+
     ```bash tab="CLI"
     --providers.ecs=true
     ```
@@ -52,17 +52,16 @@ Traefik needs the following policy to read ECS information:
 }
 ```
 
-## Provider configuration
+## Provider Configuration
 
 ### `autoDiscoverClusters`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.ecs]
-  autoDiscoverClusters = true
-  # ...
-```
+Search for services in cluster list.
+
+- If set to `true` service discovery is disabled on configured clusters, but enabled for all other clusters.
+- If set to `false` service discovery is enabled on configured clusters only.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -71,25 +70,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.ecs]
+  autoDiscoverClusters = true
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.ecs.autoDiscoverClusters=true
 # ...
 ```
 
-Search for services in clusters list.
-
-- If set to `true` the configured clusters will be ignored and the clusters will be discovered.
-- If set to `false` the services will be discovered only in configured clusters.
-
 ### `clusters`
 
 _Optional, Default=["default"]_
 
-```toml tab="File (TOML)"
-[providers.ecs]
-  clusters = ["default"]
-  # ...
-```
+Search for services in cluster list.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -99,22 +95,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.ecs]
+  clusters = ["default"]
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.ecs.clusters=default
 # ...
 ```
 
-Search for services in clusters list.
-
 ### `exposedByDefault`
 
 _Optional, Default=true_
 
-```toml tab="File (TOML)"
-[providers.ecs]
-  exposedByDefault = false
-  # ...
-```
+Expose ECS services by default in Traefik.
+
+If set to `false`, services that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -123,23 +121,27 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.ecs]
+  exposedByDefault = false
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.ecs.exposedByDefault=false
 # ...
 ```
 
-Expose ECS services by default in Traefik.
-If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
-
 ### `defaultRule`
 
 _Optional, Default=```Host(`{{ normalize .Name }}`)```_
 
-```toml tab="File (TOML)"
-[providers.ecs]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
+The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
+
+It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
+[sprig template functions](http://masterminds.github.io/sprig/).
+The container service name can be accessed with the `Name` identifier,
+and the template has access to all the labels defined on this container.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -148,26 +150,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.ecs]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
-For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-The service name can be accessed as the `Name` identifier,
-and the template has access to all the labels defined on this container.
-
 ### `refreshSeconds`
 
 _Optional, Default=15_
 
-```toml tab="File (TOML)"
-[providers.ecs]
-  refreshSeconds = 15
-  # ...
-```
+Polling interval (in seconds).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -176,23 +174,29 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.ecs]
+  refreshSeconds = 15
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.ecs.refreshSeconds=15
 # ...
 ```
 
-Polling interval (in seconds).
-
 ### Credentials
 
 _Optional_
 
-```toml tab="File (TOML)"
-[providers.ecs]
-  region = "us-east-1"
-  accessKeyID = "abc"
-  secretAccessKey = "123"
-```
+If `region` is not provided, it is resolved from the EC2 metadata endpoint for EC2 tasks.
+In a FARGATE context it is resolved from the `AWS_REGION` environment variable.
+
+If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the following order:
+
+- Using the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
+- Using shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
+- Using EC2 instance role or ECS task role
 
 ```yaml tab="File (YAML)"
 providers:
@@ -203,18 +207,16 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.ecs]
+  region = "us-east-1"
+  accessKeyID = "abc"
+  secretAccessKey = "123"
+```
+
 ```bash tab="CLI"
 --providers.ecs.region="us-east-1"
 --providers.ecs.accessKeyID="abc"
 --providers.ecs.secretAccessKey="123"
 # ...
 ```
-
-If `region` is not provided, it will be resolved from the EC2 metadata endpoint for EC2 tasks. 
-In a FARGATE context it will be resolved from the `AWS_REGION` env variable.
-
-If `accessKeyID` / `secretAccessKey` are not provided, credentials will be resolved in the following order:
-
-- From environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
-- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to default and `~/.aws/credentials`.
-- EC2 instance role or ECS task role

docs/content/providers/etcd.md

@@ -3,7 +3,7 @@
 A Story of KV store & Containers
 {: .subtitle }
 
-Store your configuration in Etcd and let Traefik do the rest!
+Store your configuration in etcd and let Traefik do the rest!
 
 ## Routing Configuration
 
@@ -15,12 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).
 
 _Required, Default="127.0.0.1:2379"_
 
-Defines how to access to Etcd.
-
-```toml tab="File (TOML)"
-[providers.etcd]
-  endpoints = ["127.0.0.1:2379"]
-```
+Defines how to access etcd.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -29,20 +24,20 @@ providers:
       - "127.0.0.1:2379"
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd]
+  endpoints = ["127.0.0.1:2379"]
+```
+
 ```bash tab="CLI"
 --providers.etcd.endpoints=127.0.0.1:2379
 ```
 
 ### `rootKey`
 
-Defines the root key of the configuration.
-
 _Required, Default="traefik"_
 
-```toml tab="File (TOML)"
-[providers.etcd]
-  rootKey = "traefik"
-```
+Defines the root key of the configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -50,21 +45,20 @@ providers:
     rootKey: "traefik"
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd]
+  rootKey = "traefik"
+```
+
 ```bash tab="CLI"
 --providers.etcd.rootkey=traefik
 ```
 
 ### `username`
 
-Defines a username to connect with Etcd.
-
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.etcd]
-  # ...
-  username = "foo"
-```
+Defines a username with which to connect to etcd.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -73,6 +67,12 @@ providers:
     usename: "foo"
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd]
+  # ...
+  username = "foo"
+```
+
 ```bash tab="CLI"
 --providers.etcd.username=foo
 ```
@@ -81,13 +81,7 @@ providers:
 
 _Optional, Default=""_
 
-Defines a password to connect with Etcd.
-
-```toml tab="File (TOML)"
-[providers.etcd]
-  # ...
-  password = "bar"
-```
+Defines a password with which to connect to etcd.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -96,6 +90,12 @@ providers:
     password: "bar"
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd]
+  # ...
+  password = "bar"
+```
+
 ```bash tab="CLI"
 --providers.etcd.password=foo
 ```
@@ -106,12 +106,7 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secured connection to Etcd.
-
-```toml tab="File (TOML)"
-[providers.etcd.tls]
-  ca = "path/to/ca.crt"
-```
+Certificate Authority used for the secure connection to etcd.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -120,23 +115,26 @@ providers:
       ca: path/to/ca.crt
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  ca = "path/to/ca.crt"
+```
+
 ```bash tab="CLI"
 --providers.etcd.tls.ca=path/to/ca.crt
 ```
 
 #### `tls.caOptional`
 
-Policy followed for the secured connection with TLS Client Authentication to Etcd.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
 
-- `true`: VerifyClientCertIfGiven
-- `false`: RequireAndVerifyClientCert
-- if `tls.ca` is undefined NoClientCert
+!!! warning ""
 
-```toml tab="File (TOML)"
-[providers.etcd.tls]
-  caOptional = true
-```
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -145,19 +143,18 @@ providers:
       caOptional: true
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  caOptional = true
+```
+
 ```bash tab="CLI"
 --providers.etcd.tls.caOptional=true
 ```
 
 #### `tls.cert`
 
-Public certificate used for the secured connection to Etcd.
-
-```toml tab="File (TOML)"
-[providers.etcd.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Public certificate used for the secure connection to etcd.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -167,6 +164,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.etcd.tls.cert=path/to/foo.cert
 --providers.etcd.tls.key=path/to/foo.key
@@ -174,13 +177,7 @@ providers:
 
 #### `tls.key`
 
-Private certificate used for the secured connection to Etcd.
-
-```toml tab="File (TOML)"
-[providers.etcd.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Private certificate used for the secure connection to etcd.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -190,6 +187,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.etcd.tls.cert=path/to/foo.cert
 --providers.etcd.tls.key=path/to/foo.key
@@ -197,12 +200,7 @@ providers:
 
 #### `tls.insecureSkipVerify`
 
-If `insecureSkipVerify` is `true`, TLS for the connection to Etcd accepts any certificate presented by the server and any host name in that certificate.
-
-```toml tab="File (TOML)"
-[providers.etcd.tls]
-  insecureSkipVerify = true
-```
+If `insecureSkipVerify` is `true`, the TLS connection to etcd accepts any certificate presented by the server regardless of the hostnames it covers.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -211,6 +209,11 @@ providers:
       insecureSkipVerify: true
 ```
 
+```toml tab="File (TOML)"
+[providers.etcd.tls]
+  insecureSkipVerify = true
+```
+
 ```bash tab="CLI"
 --providers.etcd.tls.insecureSkipVerify=true
 ```

docs/content/providers/file.md

@@ -1,70 +1,43 @@
 # Traefik & File
 
 Good Old Configuration File
-{: .subtitle } 
+{: .subtitle }
 
-The file provider lets you define the [dynamic configuration](./overview.md) in a TOML or YAML file.
-You can write one of these mutually exclusive configuration elements:
+The file provider lets you define the [dynamic configuration](./overview.md) in a YAML or TOML file.
 
-* In [a dedicated file](#filename)
-* In [several dedicated files](#directory)
+It supports providing configuration through a [single configuration file](#filename) or [multiple separate files](#directory).
 
 !!! info
-    The file provider is the default format used throughout the documentation to show samples of the configuration for many features. 
+
+    The file provider is the default format used throughout the documentation to show samples of the configuration for many features.
 
 !!! tip
-    The file provider can be a good location for common elements you'd like to re-use from other providers; e.g. declaring whitelist middlewares, basic authentication, ...
+
+    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
 
 ## Configuration Examples
 
 ??? example "Declaring Routers, Middlewares & Services"
 
     Enabling the file provider:
-    
-    ```toml tab="File (TOML)"
-    [providers.file]
-      directory = "/path/to/dynamic/conf"
-    ```
-    
+
     ```yaml tab="File (YAML)"
     providers:
       file:
         directory: "/path/to/dynamic/conf"
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [providers.file]
+      directory = "/path/to/dynamic/conf"
+    ```
+
     ```bash tab="CLI"
     --providers.file.directory=/path/to/dynamic/conf
     ```
-    
+
     Declaring Routers, Middlewares & Services:
-    
-    ```toml tab="TOML"
-    [http]
-      # Add the router
-      [http.routers]
-        [http.routers.router0]
-          entryPoints = ["web"]
-          middlewares = ["my-basic-auth"]
-          service = "service-foo"
-          rule = "Path(`/foo`)"
-      
-      # Add the middleware
-      [http.middlewares]    
-        [http.middlewares.my-basic-auth.basicAuth]
-          users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
-                    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
-          usersFile = "etc/traefik/.htpasswd"
-      
-      # Add the service
-      [http.services]
-        [http.services.service-foo]
-          [http.services.service-foo.loadBalancer]
-            [[http.services.service-foo.loadBalancer.servers]]
-              url = "http://foo/"
-            [[http.services.service-foo.loadBalancer.servers]]
-              url = "http://bar/"
-    ```
-    
+
     ```yaml tab="YAML"
     http:
       # Add the router
@@ -76,7 +49,7 @@ You can write one of these mutually exclusive configuration elements:
           - my-basic-auth
           service: service-foo
           rule: Path(`/foo`)
-      
+
       # Add the middleware
       middlewares:
         my-basic-auth:
@@ -85,7 +58,7 @@ You can write one of these mutually exclusive configuration elements:
             - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
             - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
             usersFile: etc/traefik/.htpasswd
-      
+
       # Add the service
       services:
         service-foo:
@@ -96,39 +69,61 @@ You can write one of these mutually exclusive configuration elements:
             passHostHeader: false
     ```
 
+    ```toml tab="TOML"
+    [http]
+      # Add the router
+      [http.routers]
+        [http.routers.router0]
+          entryPoints = ["web"]
+          middlewares = ["my-basic-auth"]
+          service = "service-foo"
+          rule = "Path(`/foo`)"
+
+      # Add the middleware
+      [http.middlewares]
+        [http.middlewares.my-basic-auth.basicAuth]
+          users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+                    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+          usersFile = "etc/traefik/.htpasswd"
+
+      # Add the service
+      [http.services]
+        [http.services.service-foo]
+          [http.services.service-foo.loadBalancer]
+            [[http.services.service-foo.loadBalancer.servers]]
+              url = "http://foo/"
+            [[http.services.service-foo.loadBalancer.servers]]
+              url = "http://bar/"
+    ```
+
 ## Provider Configuration
 
-If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md).
+For an overview of all the options that can be set with the file provider, see the [dynamic configuration](../reference/dynamic-configuration/file.md) and [static configuration](../reference/static-configuration/overview.md) references.
 
 !!! warning "Limitations"
 
     With the file provider, Traefik listens for file system notifications to update the dynamic configuration.
-    
+
     If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors.
-    If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught. 
-    
-    For example, in docker, if the host file is renamed, the link to the mounted file will be broken and the container's file will not be updated.
-    To avoid this kind of issue, a good practice is to:
-        
+    If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught.
+
+    For example, in Docker, if the host file is renamed, the link to the mounted file is broken and the container's file is no longer updated.
+    To avoid this kind of issue, it is recommended to:
+
     * set the Traefik [**directory**](#directory) configuration with the parent directory
     * mount/bind the parent directory
 
-    As it is very difficult to listen to all file system notifications, Traefik use [fsnotify](https://github.com/fsnotify/fsnotify).
+    As it is very difficult to listen to all file system notifications, Traefik uses [fsnotify](https://github.com/fsnotify/fsnotify).
     If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
-    
+
 ### `filename`
 
 Defines the path to the configuration file.
 
 !!! warning ""
-    `filename` and `directory` are mutually exclusive.
-    The recommendation is to use `directory`.
 
-```toml tab="File (TOML)"
-[providers]
-  [providers.file]
-    filename = "/path/to/config/dynamic_conf.toml"
-```
+    The `filename` and `directory` options are mutually exclusive.
+    It is recommended to use `directory`.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -136,8 +131,14 @@ providers:
     filename: /path/to/config/dynamic_conf.yml
 ```
 
+```toml tab="File (TOML)"
+[providers]
+  [providers.file]
+    filename = "/path/to/config/dynamic_conf.toml"
+```
+
 ```bash tab="CLI"
---providers.file.filename=/path/to/config/dynamic_conf.toml
+--providers.file.filename=/path/to/config/dynamic_conf.yml
 ```
 
 ### `directory`
@@ -145,14 +146,9 @@ providers:
 Defines the path to the directory that contains the configuration files.
 
 !!! warning ""
-    `filename` and `directory` are mutually exclusive.
-    The recommendation is to use `directory`.
 
-```toml tab="File (TOML)"
-[providers]
-  [providers.file]
-    directory = "/path/to/config"
-```
+    The `filename` and `directory` options are mutually exclusive.
+    It is recommended to use `directory`.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -160,22 +156,21 @@ providers:
     directory: /path/to/config
 ```
 
+```toml tab="File (TOML)"
+[providers]
+  [providers.file]
+    directory = "/path/to/config"
+```
+
 ```bash tab="CLI"
 --providers.file.directory=/path/to/config
 ```
 
 ### `watch`
 
-Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.  
+Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.
 It works with both the `filename` and the `directory` options.
 
-```toml tab="File (TOML)"
-[providers]
-  [providers.file]
-    directory = "/path/to/dynamic/conf"
-    watch = true
-```
-
 ```yaml tab="File (YAML)"
 providers:
   file:
@@ -183,6 +178,13 @@ providers:
     watch: true
 ```
 
+```toml tab="File (TOML)"
+[providers]
+  [providers.file]
+    directory = "/path/to/dynamic/conf"
+    watch = true
+```
+
 ```bash tab="CLI"
 --providers.file.directory=/my/path/to/dynamic/conf
 --providers.file.watch=true
@@ -191,63 +193,18 @@ providers:
 ### Go Templating
 
 !!! warning
+
     Go Templating only works with dedicated dynamic configuration files.
     Templating does not work in the Traefik main static configuration file.
 
-Traefik supports using Go templating to automatically generate repetitive portions of configuration files.
-These sections must be valid [Go templates](https://golang.org/pkg/text/template/),
-augmented with the [Sprig template functions](http://masterminds.github.io/sprig/).
+Traefik supports using Go templating to automatically generate repetitive sections of configuration files.
+These sections must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
+[sprig template functions](http://masterminds.github.io/sprig/).
 
-To illustrate, it's possible to easily define multiple routers, services, and TLS certificates as described in the following examples:
+To illustrate, it is possible to easily define multiple routers, services, and TLS certificates as described in the following examples:
 
 ??? example "Configuring Using Templating"
-    
-    ```toml tab="TOML"
-    # template-rules.toml
-    [http]
-    
-      [http.routers]
-      {{ range $i, $e := until 100 }}
-        [http.routers.router{{ $e }}-{{ env "MY_ENV_VAR" }}]
-        # ...
-      {{ end }}  
-      
-      
-      [http.services]
-      {{ range $i, $e := until 100 }}
-          [http.services.service{{ $e }}]
-          # ...
-      {{ end }}  
-      
-    [tcp]
-    
-      [tcp.routers]
-      {{ range $i, $e := until 100 }}
-        [tcp.routers.router{{ $e }}]
-        # ...
-      {{ end }}  
-      
-      
-      [tcp.services]
-      {{ range $i, $e := until 100 }}
-          [http.services.service{{ $e }}]
-          # ...
-      {{ end }}  
-    
-    {{ range $i, $e := until 10 }}
-    [[tls.certificates]]
-      certFile = "/etc/traefik/cert-{{ $e }}.pem"
-      keyFile = "/etc/traefik/cert-{{ $e }}.key"
-      stores = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
-    {{ end }}
-    
-    [tls.config]
-    {{ range $i, $e := until 10 }}
-      [tls.config.TLS{{ $e }}]
-      # ...
-    {{ end }}
-    ```
-    
+
     ```yaml tab="YAML"
     http:
       routers:
@@ -255,26 +212,26 @@ To illustrate, it's possible to easily define multiple routers, services, and TL
         router{{ $e }}-{{ env "MY_ENV_VAR" }}:
           # ...
         {{end}}
-    
+
       services:
         {{range $i, $e := until 100 }}
         application{{ $e }}:
           # ...
         {{end}}
-    
+
     tcp:
       routers:
         {{range $i, $e := until 100 }}
         router{{ $e }}:
           # ...
         {{end}}
-    
+
       services:
         {{range $i, $e := until 100 }}
         service{{ $e }}:
           # ...
         {{end}}
-    
+
     tls:
       certificates:
       {{ range $i, $e := until 10 }}
@@ -285,3 +242,47 @@ To illustrate, it's possible to easily define multiple routers, services, and TL
         - "my-store-bar-{{ $e }}"
       {{end}}
     ```
+
+    ```toml tab="TOML"
+    # template-rules.toml
+    [http]
+
+      [http.routers]
+      {{ range $i, $e := until 100 }}
+        [http.routers.router{{ $e }}-{{ env "MY_ENV_VAR" }}]
+        # ...
+      {{ end }}
+
+      [http.services]
+      {{ range $i, $e := until 100 }}
+          [http.services.service{{ $e }}]
+          # ...
+      {{ end }}
+
+    [tcp]
+
+      [tcp.routers]
+      {{ range $i, $e := until 100 }}
+        [tcp.routers.router{{ $e }}]
+        # ...
+      {{ end }}
+
+      [tcp.services]
+      {{ range $i, $e := until 100 }}
+          [http.services.service{{ $e }}]
+          # ...
+      {{ end }}
+
+    {{ range $i, $e := until 10 }}
+    [[tls.certificates]]
+      certFile = "/etc/traefik/cert-{{ $e }}.pem"
+      keyFile = "/etc/traefik/cert-{{ $e }}.key"
+      stores = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
+    {{ end }}
+
+    [tls.config]
+    {{ range $i, $e := until 10 }}
+      [tls.config.TLS{{ $e }}]
+      # ...
+    {{ end }}
+    ```

docs/content/providers/http.md

@@ -1,6 +1,6 @@
 # Traefik & HTTP
 
-Provide your [dynamic configuration](./overview.md) via an HTTP(s) endpoint and let Traefik do the rest!
+Provide your [dynamic configuration](./overview.md) via an HTTP(S) endpoint and let Traefik do the rest!
 
 ## Routing Configuration
 
@@ -12,12 +12,7 @@ The HTTP provider uses the same configuration as the [File Provider](./file.md)
 
 _Required_
 
-Defines the HTTP(s) endpoint to poll.
-
-```toml tab="File (TOML)"
-[providers.http]
-  endpoint = "http://127.0.0.1:9000/api"
-```
+Defines the HTTP(S) endpoint to poll.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -26,6 +21,11 @@ providers:
       - "http://127.0.0.1:9000/api"
 ```
 
+```toml tab="File (TOML)"
+[providers.http]
+  endpoint = "http://127.0.0.1:9000/api"
+```
+
 ```bash tab="CLI"
 --providers.http.endpoint=http://127.0.0.1:9000/api
 ```
@@ -36,17 +36,17 @@ _Optional, Default="5s"_
 
 Defines the polling interval.
 
-```toml tab="File (TOML)"
-[providers.http]
-  pollInterval = "5s"
-```
-
 ```yaml tab="File (YAML)"
 providers:
   http:
     pollInterval: "5s"
 ```
 
+```toml tab="File (TOML)"
+[providers.http]
+  pollInterval = "5s"
+```
+
 ```bash tab="CLI"
 --providers.http.pollInterval=5s
 ```
@@ -57,17 +57,17 @@ _Optional, Default="5s"_
 
 Defines the polling timeout when connecting to the configured endpoint.
 
-```toml tab="File (TOML)"
-[providers.http]
-  pollTimeout = "5s"
-```
-
 ```yaml tab="File (YAML)"
 providers:
   http:
     pollTimeout: "5s"
 ```
 
+```toml tab="File (TOML)"
+[providers.http]
+  pollTimeout = "5s"
+```
+
 ```bash tab="CLI"
 --providers.http.pollTimeout=5s
 ```
@@ -78,12 +78,7 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secured connection to the configured Endpoint.
-
-```toml tab="File (TOML)"
-[providers.http.tls]
-  ca = "path/to/ca.crt"
-```
+Certificate Authority used for the secure connection to the configured endpoint.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -92,23 +87,26 @@ providers:
       ca: path/to/ca.crt
 ```
 
+```toml tab="File (TOML)"
+[providers.http.tls]
+  ca = "path/to/ca.crt"
+```
+
 ```bash tab="CLI"
 --providers.http.tls.ca=path/to/ca.crt
 ```
 
 #### `tls.caOptional`
 
-Policy followed for the secured connection with TLS Client Authentication to the configured Endpoint.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the configured endpoint.
 
-- `true`: VerifyClientCertIfGiven
-- `false`: RequireAndVerifyClientCert
-- if `tls.ca` is undefined NoClientCert
+!!! warning ""
 
-```toml tab="File (TOML)"
-[providers.http.tls]
-  caOptional = true
-```
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -117,19 +115,18 @@ providers:
       caOptional: true
 ```
 
+```toml tab="File (TOML)"
+[providers.http.tls]
+  caOptional = true
+```
+
 ```bash tab="CLI"
 --providers.http.tls.caOptional=true
 ```
 
 #### `tls.cert`
 
-Public certificate used for the secured connection to the configured Endpoint.
-
-```toml tab="File (TOML)"
-[providers.http.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Public certificate used for the secure connection to the configured endpoint.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -139,6 +136,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.http.tls.cert=path/to/foo.cert
 --providers.http.tls.key=path/to/foo.key
@@ -146,13 +149,7 @@ providers:
 
 #### `tls.key`
 
-Private certificate used for the secured connection to the configured Endpoint.
-
-```toml tab="File (TOML)"
-[providers.http.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Private certificate used for the secure connection to the configured endpoint.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -162,6 +159,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.http.tls.cert=path/to/foo.cert
 --providers.http.tls.key=path/to/foo.key
@@ -169,13 +172,7 @@ providers:
 
 #### `tls.insecureSkipVerify`
 
-If `insecureSkipVerify` is `true`, TLS connection to the configured Endpoint accepts any certificate presented by the 
-server and any host name in that certificate.
-
-```toml tab="File (TOML)"
-[providers.http.tls]
-  insecureSkipVerify = true
-```
+If `insecureSkipVerify` is `true`, the TLS connection to the endpoint accepts any certificate presented by the server regardless of the hostnames it covers.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -184,6 +181,11 @@ providers:
       insecureSkipVerify: true
 ```
 
+```toml tab="File (TOML)"
+[providers.http.tls]
+  insecureSkipVerify = true
+```
+
 ```bash tab="CLI"
 --providers.http.tls.insecureSkipVerify=true
 ```

docs/content/providers/kubernetes-crd.md

@@ -3,10 +3,11 @@
 The Kubernetes Ingress Controller, The Custom Resource Way.
 {: .subtitle }
 
-Traefik used to support Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term.
+In early versions, Traefik supported Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term.
 
 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
-we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
+the Traefik engineering team developed a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+(CRD) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
 
 ## Configuration Requirements
 
@@ -14,11 +15,11 @@ we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/co
 
     * Add/update **all** the Traefik resources [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions)
     * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources
-    * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment 
+    * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment
         * Enable the kubernetesCRD provider
         * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
-    * Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
- 
+    * Add all necessary Traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
+
 ??? example "Initializing Resource Definition and RBAC"
 
     ```yaml tab="Traefik Resource Definition"
@@ -37,13 +38,11 @@ Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/ex
 Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
 
 * The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
-* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like:
-    * TLS certificate.
-    * Authentication data.
+* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensitive data (TLS certificates and credentials).
 * The structure of the configuration.
-* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
+* The requirement to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
 
-The Traefik CRD are building blocks which you can assemble according to your needs.
+The Traefik CRDs are building blocks that you can assemble according to your needs.
 See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
 
 ## LetsEncrypt Support with the Custom Resource Definition Provider
@@ -51,29 +50,36 @@ See the list of CRDs in the dedicated [routing section](../routing/providers/kub
 By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
 For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
 
-When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
-Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+When using a single instance of Traefik with Let's Encrypt, you should encounter no issues. However, this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik Proxy 2.0 with Let's Encrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and subsequent responses.
+Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.
 
-If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) where distributed LetsEncrypt is a supported feature.
+If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.
 
-If you want to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
-When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
-When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
+If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs.
 A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
-Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.
+Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once the certificates are created, Cert-Manager keeps them renewed.
 
 ## Provider Configuration
 
 ### `endpoint`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
-  endpoint = "http://localhost:8080"
-  # ...
-```
+The Kubernetes server endpoint URL.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside a cluster.
+
+When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -82,32 +88,21 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetescrd.endpoint=http://localhost:8080
 ```
 
-The Kubernetes server endpoint as URL.
-
-When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
-
-The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-Both are provided mounted automatically when deployed inside Kubernetes.
-
-The endpoint may be specified to override the environment variable values inside a cluster.
-
-When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
-In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
-
 ### `token`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
-  token = "mytoken"
-  # ...
-```
+Bearer token used for the Kubernetes client configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -116,21 +111,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  token = "mytoken"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetescrd.token=mytoken
 ```
 
-Bearer token used for the Kubernetes client configuration.
-
 ### `certAuthFilePath`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
-  certAuthFilePath = "/my/ca.crt"
-  # ...
-```
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -139,22 +135,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  certAuthFilePath = "/my/ca.crt"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetescrd.certauthfilepath=/my/ca.crt
 ```
 
-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
 ### `namespaces`
 
-_Optional, Default: all namespaces (empty array)_
+_Optional, Default: []_
 
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
-  namespaces = ["default", "production"]
-  # ...
-```
+Array of namespaces to watch.
+If left empty, watches all namespaces if the value of `namespaces`.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -165,21 +161,30 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  namespaces = ["default", "production"]
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetescrd.namespaces=default,production
 ```
 
-Array of namespaces to watch.
-
 ### `labelselector`
 
-_Optional,Default: empty (process all resources)_
+_Optional, Default: ""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
-  labelselector = "app=traefik"
-  # ...
-```
+A label selector can be defined to filter on specific resource objects only,
+this applies only to Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
+and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
+If left empty, Traefik processes all resource objects in the configured namespaces.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
+
+!!! warning
+
+    Because the label selector is applied to all Traefik Custom Resources, they all must match the filter.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -188,30 +193,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  labelselector = "app=traefik"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetescrd.labelselector="app=traefik"
 ```
 
-By default, Traefik processes all resource objects in the configured namespaces.
-A label selector can be defined to filter on specific resource objects only,
-this will apply only on Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
-and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
-!!! warning
-
-    As the LabelSelector is applied to all Traefik Custom Resources, they all must match the filter. 
-
 ### `ingressClass`
 
-_Optional, Default: empty_
+_Optional, Default: ""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
-  ingressClass = "traefik-internal"
-  # ...
-```
+Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.
+
+If the parameter is set, only resources containing an annotation with the same value are processed.
+Otherwise, resources missing the annotation, having an empty value, or the value `traefik` are processed.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -220,24 +219,27 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  ingressClass = "traefik-internal"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetescrd.ingressclass=traefik-internal
 ```
 
-Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.
-
-If the parameter is non-empty, only resources containing an annotation with the same value are processed.
-Otherwise, resources missing the annotation, having an empty value, or the value `traefik` are processed.
-
 ### `throttleDuration`
 
-_Optional, Default: 0 (no throttling)_
+_Optional, Default: 0_
 
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
-  throttleDuration = "10s"
-  # ...
-```
+The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
+a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
+
+If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
+
+The value of `throttleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -246,38 +248,62 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  throttleDuration = "10s"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetescrd.throttleDuration=10s
 ```
 
 ### `allowCrossNamespace`
 
-_Optional, Default: true_
+_Optional, Default: false_
 
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
-  allowCrossNamespace = false
-  # ...
-```
+If the parameter is set to `true`, IngressRoutes are  able to reference  resources in other namespaces than theirs.
 
 ```yaml tab="File (YAML)"
 providers:
   kubernetesCRD:
-    allowCrossNamespace: false
+    allowCrossNamespace: true
     # ...
 ```
 
-```bash tab="CLI"
---providers.kubernetescrd.allowCrossNamespace=false
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  allowCrossNamespace = true
+  # ...
 ```
 
-If the parameter is set to `false`, an IngressRoute will not be able to reference any resources
-in another namespace than the IngressRoute namespace.
+```bash tab="CLI"
+--providers.kubernetescrd.allowCrossNamespace=true
+```
 
-!!! warning "Deprecation"
-    
-    Please notice that the default value for this option will be set to `false` in a future version.
+### `allowExternalNameServices`
 
-## Further
+_Optional, Default: false_
 
-Also see the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
+If the parameter is set to `true`, IngressRoutes are able to reference ExternalName services.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    allowExternalNameServices: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  allowExternalNameServices = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.allowexternalnameservices=true
+```
+
+## Full Example
+
+For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.

docs/content/providers/kubernetes-gateway.md

@@ -3,35 +3,35 @@
 The Kubernetes Gateway API, The Experimental Way.
 {: .subtitle }
 
-Gateway API is the evolution of Kubernetes APIs that relate to `Services`, e.g. `Ingress`.
+Gateway API is the evolution of Kubernetes APIs that relate to `Services`, such as `Ingress`.
 The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
 
-The Kubernetes Gateway provider is a Traefik implementation of the [service apis](https://github.com/kubernetes-sigs/service-apis)
-specifications from the Kubernetes SIGs.   
+The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
+specifications from the Kubernetes Special Interest Groups (SIGs).
 
-This provider is proposed as an experimental feature and partially supports the service apis [v0.1.0](https://github.com/kubernetes-sigs/service-apis/releases/tag/v0.1.0) specification. 
+This provider is proposed as an experimental feature and partially supports the Gateway API [v0.2.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.2.0) specification.
 
 !!! warning "Enabling The Experimental Kubernetes Gateway Provider"
-    
-    As this provider is in experimental stage, it needs to be activated in the experimental section of the static configuration. 
-    
-    ```toml tab="File (TOML)"
-    [experimental]
-      kubernetesGateway = true
-    
-    [providers.kubernetesGateway]
-    #...
-    ```
-    
+
+    Since this provider is still experimental, it needs to be activated in the experimental section of the static configuration.
+
     ```yaml tab="File (YAML)"
     experimental:
       kubernetesGateway: true
-    
+
     providers:
       kubernetesGateway: {}
       #...
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [experimental]
+      kubernetesGateway = true
+
+    [providers.kubernetesGateway]
+    #...
+    ```
+
     ```bash tab="CLI"
     --experimental.kubernetesgateway=true --providers.kubernetesgateway=true #...
     ```
@@ -39,7 +39,7 @@ This provider is proposed as an experimental feature and partially supports the
 ## Configuration Requirements
 
 !!! tip "All Steps for a Successful Deployment"
-  
+
     * Add/update the Kubernetes Gateway API [definitions](../reference/dynamic-configuration/kubernetes-gateway.md#definitions).
     * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources.
     * Add all needed Kubernetes Gateway API [resources](../reference/dynamic-configuration/kubernetes-gateway.md#resources).
@@ -55,11 +55,11 @@ This provider is proposed as an experimental feature and partially supports the
     ```yaml tab="Whoami Service"
     --8<-- "content/reference/dynamic-configuration/kubernetes-whoami-svc.yml"
     ```
-    
+
     ```yaml tab="Traefik Service"
     --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml"
     ```
-    
+
     ```yaml tab="Gateway API CRDs"
     # All resources definition must be declared
     --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml"
@@ -70,43 +70,52 @@ This provider is proposed as an experimental feature and partially supports the
     ```yaml tab="RBAC"
     --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml"
     ```
-    
-The Kubernetes Service APIs provides several [guides](https://kubernetes-sigs.github.io/service-apis/guides/) of how to use their API.
-Those guides will help you to go further than the example above.
-The [getting started](https://kubernetes-sigs.github.io/service-apis/getting-started/) show you how to install the CRDs from their repository.
-Thus, keep in mind that the Traefik Gateway provider only supports the `v0.1.0`.
 
-For now, the Traefik Gateway Provider could be used to achieve the following set-up guides:
+The Kubernetes Gateway API project provides several guides on how to use the APIs.
+These guides can help you to go further than the example above.
+The [getting started guide](https://gateway-api.sigs.k8s.io/v1alpha1/guides/getting-started/) details how to install the CRDs from their repository.
 
-* [Simple Gateway](https://kubernetes-sigs.github.io/service-apis/simple-gateway/)
-* [HTTP routing](https://kubernetes-sigs.github.io/service-apis/http-routing/)
-* [TLS](https://kubernetes-sigs.github.io/service-apis/tls/) (Partial support: only on listeners with terminate mode)
+!!! note ""
+
+    Keep in mind that the Traefik Gateway provider only supports the `v0.1.0` (v1alpha1).
+
+For now, the Traefik Gateway Provider can be used while following the below guides:
+
+* [Simple Gateway](https://gateway-api.sigs.k8s.io/v1alpha1/guides/simple-gateway/)
+* [HTTP routing](https://gateway-api.sigs.k8s.io/v1alpha1/guides/http-routing/)
+* [TLS](https://gateway-api.sigs.k8s.io/v1alpha1/guides/tls/) (Partial support: only on listeners with terminate mode)
 
 ## Resource Configuration
 
-When using Kubernetes Gateway API as a provider,
-Traefik uses Kubernetes 
-[Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+When using Kubernetes Gateway API as a provider, Traefik uses Kubernetes
+[Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
 to retrieve its routing configuration.
 
-All concepts can be found in the official API concepts [documentation](https://kubernetes-sigs.github.io/service-apis/api-overview/).
+All concepts can be found in the official API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/).
 Traefik implements the following resources:
 
 * `GatewayClass` defines a set of Gateways that share a common configuration and behaviour.
 * `Gateway` describes how traffic can be translated to Services within the cluster.
 * `HTTPRoute` define HTTP rules for mapping requests from a Gateway to Kubernetes Services.
 
-## Provider Configuration 
+## Provider Configuration
 
 ### `endpoint`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
-  endpoint = "http://localhost:8080"
-  # ...
-```
+The Kubernetes server endpoint URL.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside a cluster.
+
+When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -115,32 +124,21 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesgateway.endpoint=http://localhost:8080
 ```
 
-The Kubernetes server endpoint as URL.
-
-When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
-
-The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-Both are mounted automatically when deployed inside Kubernetes.
-
-The endpoint may be specified to override the environment variable values inside a cluster.
-
-When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
-In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
-
 ### `token`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
-  token = "mytoken"
-  # ...
-```
+Bearer token used for the Kubernetes client configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -149,21 +147,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  token = "mytoken"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesgateway.token=mytoken
 ```
 
-Bearer token used for the Kubernetes client configuration.
-
 ### `certAuthFilePath`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
-  certAuthFilePath = "/my/ca.crt"
-  # ...
-```
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -172,22 +171,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  certAuthFilePath = "/my/ca.crt"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesgateway.certauthfilepath=/my/ca.crt
 ```
 
-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
 ### `namespaces`
 
-_Optional, Default: all namespaces (empty array)_
+_Optional, Default: []_
 
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
-  namespaces = ["default", "production"]
-  # ...
-```
+Array of namespaces to watch.
+If left empty, watches all namespaces if the value of `namespaces`.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -198,21 +197,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  namespaces = ["default", "production"]
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesgateway.namespaces=default,production
 ```
 
-Array of namespaces to watch.
-
 ### `labelselector`
 
-_Optional, Default: empty (process all resources)_
+_Optional, Default: ""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
-  labelselector = "app=traefik"
-  # ...
-```
+A label selector can be defined to filter on specific GatewayClass objects only.
+If left empty, Traefik processes all GatewayClass objects in the configured namespaces.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -221,24 +223,27 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  labelselector = "app=traefik"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesgateway.labelselector="app=traefik"
 ```
 
-By default, Traefik processes all resource objects in the configured namespaces.
-A label selector can be defined to filter on specific GatewayClass objects only.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
 ### `throttleDuration`
 
-_Optional, Default: 0 (no throttling)_
+_Optional, Default: 0_
 
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
-  throttleDuration = "10s"
-  # ...
-```
+The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
+a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
+
+If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
+
+The value of `throttleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -247,6 +252,12 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  throttleDuration = "10s"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesgateway.throttleDuration=10s
 ```

docs/content/providers/kubernetes-ingress.md

@@ -12,24 +12,24 @@ See the dedicated section in [routing](../routing/providers/kubernetes-ingress.m
 
 ## Enabling and Using the Provider
 
-As usual, the provider is enabled through the static configuration:
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-```
+You can enable the provider in the static configuration:
 
 ```yaml tab="File (YAML)"
 providers:
   kubernetesIngress: {}
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress=true
 ```
 
 The provider then watches for incoming ingresses events, such as the example below,
 and derives the corresponding dynamic configuration from it,
-which in turn will create the resulting routers, services, handlers, etc.
+which in turn creates the resulting routers, services, handlers, etc.
 
 ```yaml tab="File (YAML)"
 kind: Ingress
@@ -61,32 +61,39 @@ without additional configuration.
 For this reason, users can run multiple instances of Traefik at the same time to achieve HA,
 as is a common pattern in the kubernetes ecosystem.
 
-When using a single instance of Traefik with LetsEncrypt, no issues should be encountered,
-however this could be a single point of failure.
-Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled,
-because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+When using a single instance of Traefik Proxy with Let's Encrypt, you should encounter no issues.
+However, this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with Let's Encrypt enabled,
+because there is no way to ensure that the correct instance of Traefik receives the challenge request, and subsequent responses.
 Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
-but due to sub-optimal performance was dropped as a feature in 2.0.
+but due to sub-optimal performance that feature was dropped in 2.0.
 
-If you require LetsEncrypt with HA in a kubernetes environment,
-we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) where distributed LetsEncrypt is a supported feature.
+If you need Let's Encrypt with high availability in a Kubernetes environment,
+we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) which includes distributed Let's Encrypt as a supported feature.
 
-If you are wanting to continue to run Traefik Community Edition,
+If you want to keep using Traefik Proxy,
 LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
 When using Cert-Manager to manage certificates,
-it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 
 ## Provider Configuration
 
 ### `endpoint`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  endpoint = "http://localhost:8080"
-  # ...
-```
+The Kubernetes server endpoint URL.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside a cluster.
+
+When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -95,31 +102,21 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.endpoint=http://localhost:8080
 ```
 
-The Kubernetes server endpoint as URL, which is only used when the behavior based on environment variables described below does not apply.
-
-When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
-
-The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-They are both provided automatically as mounts in the pod where Traefik is deployed.
-
-When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
-In which case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication
-and authorization of the associated kubeconfig.
-
 ### `token`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  token = "mytoken"
-  # ...
-```
+Bearer token used for the Kubernetes client configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -128,21 +125,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  token = "mytoken"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.token=mytoken
 ```
 
-Bearer token used for the Kubernetes client configuration.
-
 ### `certAuthFilePath`
 
-_Optional, Default=empty_
+_Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  certAuthFilePath = "/my/ca.crt"
-  # ...
-```
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -151,22 +149,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  certAuthFilePath = "/my/ca.crt"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.certauthfilepath=/my/ca.crt
 ```
 
-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
 ### `namespaces`
 
-_Optional, Default: all namespaces (empty array)_
+_Optional, Default: []_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  namespaces = ["default", "production"]
-  # ...
-```
+Array of namespaces to watch.
+If left empty, watches all namespaces if the value of `namespaces`.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -177,21 +175,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  namespaces = ["default", "production"]
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.namespaces=default,production
 ```
 
-Array of namespaces to watch.
-
 ### `labelSelector`
 
-_Optional,Default: empty (process all Ingresses)_
+_Optional, Default: ""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  labelSelector = "app=traefik"
-  # ...
-```
+A label selector can be defined to filter on specific Ingress objects only.
+If left empty, Traefik processes all Ingress objects in the configured namespaces.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -200,58 +201,42 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  labelSelector = "app=traefik"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.labelselector="app=traefik"
 ```
 
-By default, Traefik processes all `Ingress` objects in the configured namespaces.
-A label selector can be defined to filter on specific `Ingress` objects only.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
 ### `ingressClass`
 
-_Optional, Default: empty_
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  ingressClass = "traefik-internal"
-  # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
-  kubernetesIngress:
-    ingressClass: "traefik-internal"
-    # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.ingressclass=traefik-internal
-```
+_Optional, Default: ""_
 
 Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
 
-If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
-Otherwise, Ingresses missing the annotation, having an empty value, or with the value `traefik` are processed.
+If the parameter is set, only Ingresses containing an annotation with the same value are processed.
+Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
 
 !!! info "Kubernetes 1.18+"
 
     If the Kubernetes cluster version is 1.18+,
     the new `IngressClass` resource can be leveraged to identify Ingress objects that should be processed.
     In that case, Traefik will look for an `IngressClass` in the cluster with the controller value equal to *traefik.io/ingress-controller*. 
-    
+
     Please see [this article](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/) for more information or the example below.
 
     ```yaml tab="IngressClass"
     apiVersion: networking.k8s.io/v1beta1
     kind: IngressClass
-    metadata: 
+    metadata:
       name: traefik-lb
-    spec: 
+    spec:
       controller: traefik.io/ingress-controller
     ```
-  
+
     ```yaml tab="Ingress"
     apiVersion: "networking.k8s.io/v1beta1"
     kind: "Ingress"
@@ -269,17 +254,30 @@ Otherwise, Ingresses missing the annotation, having an empty value, or with the
               servicePort: 80
     ```
 
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressClass: "traefik-internal"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  ingressClass = "traefik-internal"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressclass=traefik-internal
+```
+
 ### `ingressEndpoint`
 
 #### `hostname`
 
-_Optional, Default: empty_
+_Optional, Default: ""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress.ingressEndpoint]
-  hostname = "example.net"
-  # ...
-```
+Hostname used for Kubernetes Ingress endpoints.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -289,21 +287,21 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  hostname = "example.net"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.ingressendpoint.hostname=example.net
 ```
 
-Hostname used for Kubernetes Ingress endpoints.
-
 #### `ip`
 
-_Optional, Default: empty_
+_Optional, Default: ""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress.ingressEndpoint]
-  ip = "1.2.3.4"
-  # ...
-```
+IP used for Kubernetes Ingress endpoints.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -313,21 +311,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  ip = "1.2.3.4"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.ingressendpoint.ip=1.2.3.4
 ```
 
-IP used for Kubernetes Ingress endpoints.
-
 #### `publishedService`
 
-_Optional, Default: empty_
+_Optional, Default: ""_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress.ingressEndpoint]
-  publishedService = "namespace/foo-service"
-  # ...
-```
+Published Kubernetes Service to copy status from.
+Format: `namespace/servicename`.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -337,22 +336,27 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  publishedService = "namespace/foo-service"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
 ```
 
-Published Kubernetes Service to copy status from.
-Format: `namespace/servicename`.
-
 ### `throttleDuration`
 
-_Optional, Default: 0 (no throttling)_
+_Optional, Default: 0_
 
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  throttleDuration = "10s"
-  # ...
-```
+The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
+a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
+
+If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
+
+The value of `throttleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -361,11 +365,40 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  throttleDuration = "10s"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.kubernetesingress.throttleDuration=10s
 ```
 
+### `allowExternalNameServices`
+
+_Optional, Default: false_
+
+If the parameter is set to `true`, Ingresses are able to reference ExternalName services.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    allowExternalNameServices: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  allowExternalNameServices = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.allowexternalnameservices=true
+```
+
 ### Further
 
-If one wants to know more about the various aspects of the Ingress spec that Traefik supports,
-many examples of Ingresses definitions are located in the tests [data](https://github.com/traefik/traefik/tree/v2.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+To learn more about the various aspects of the Ingress specification that Traefik supports,
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

docs/content/providers/marathon.md

@@ -3,28 +3,28 @@
 Traefik can be configured to use Marathon as a provider.
 {: .subtitle }
 
-See also [Marathon user guide](../user-guides/marathon.md).
+For additional information, refer to [Marathon user guide](../user-guides/marathon.md).
 
 ## Configuration Examples
 
 ??? example "Configuring Marathon & Deploying / Exposing Applications"
 
-    Enabling the marathon provider
+    Enabling the Marathon provider
 
-    ```toml tab="File (TOML)"
-    [providers.marathon]
-    ```
-    
     ```yaml tab="File (YAML)"
     providers:
       marathon: {}
     ```
-    
+
+    ```toml tab="File (TOML)"
+    [providers.marathon]
+    ```
+
     ```bash tab="CLI"
     --providers.marathon=true
     ```
 
-    Attaching labels to marathon applications
+    Attaching labels to Marathon applications
 
     ```json
 	{
@@ -59,11 +59,7 @@ See the dedicated section in [routing](../routing/providers/marathon.md).
 
 _Optional_
 
-```toml tab="File (TOML)"
-[providers.marathon.basic]
-  httpBasicAuthUser = "foo"
-  httpBasicPassword = "bar"
-```
+Enables Marathon basic authentication.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -73,22 +69,24 @@ providers:
       httpBasicPassword: bar
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon.basic]
+  httpBasicAuthUser = "foo"
+  httpBasicPassword = "bar"
+```
+
 ```bash tab="CLI"
 --providers.marathon.basic.httpbasicauthuser=foo
 --providers.marathon.basic.httpbasicpassword=bar
 ```
 
-Enables Marathon basic authentication.
-
 ### `dcosToken`
 
 _Optional_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  dcosToken = "xxxxxx"
-  # ...
-```
+Datacenter Operating System (DCOS) Token for DCOS environment.
+
+If set, it overrides the Authorization header.
 
 ```toml tab="File (YAML)"
 providers:
@@ -97,23 +95,29 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  dcosToken = "xxxxxx"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.dcosToken=xxxxxx
 ```
 
-DCOSToken for DCOS environment.
-
-If set, it overrides the Authorization header.
-
 ### `defaultRule`
 
 _Optional, Default=```Host(`{{ normalize .Name }}`)```_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
+The default host rule for all services.
+
+For a given application, if no routing rule was defined by a label, it is defined by this `defaultRule` instead.
+
+It must be a valid [Go template](https://golang.org/pkg/text/template/),
+and can include [sprig template functions](http://masterminds.github.io/sprig/).
+
+The app ID can be accessed with the `Name` identifier,
+and the template has access to all the labels defined on this Marathon application.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -122,82 +126,78 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
 # ...
 ```
 
-For a given application if no routing rule was defined by a label, it is defined by this defaultRule instead.
-
-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
-
-The app ID can be accessed as the Name identifier,
-and the template has access to all the labels defined on this Marathon application.
-
 ### `dialerTimeout`
 
 _Optional, Default=5s_
 
+Amount of time the Marathon provider should wait before timing out,
+when trying to open a TCP connection to a Marathon master.
+
+The value of `dialerTimeout` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    dialerTimeout: "10s"
+    # ...
+```
+
 ```toml tab="File (TOML)"
 [providers.marathon]
   dialerTimeout = "10s"
   # ...
 ```
 
-```toml tab="File (YAML)"
-providers:
-  marathon:
-    dialerTimeout: "10s"
-    # ...
-```
-
 ```bash tab="CLI"
 --providers.marathon.dialerTimeout=10s
 ```
 
-Overrides DialerTimeout.
-
-Amount of time the Marathon provider should wait before timing out,
-when trying to open a TCP connection to a Marathon master.
-
-Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
-or directly as a number of seconds.
-
 ### `endpoint`
 
 _Optional, Default=http://127.0.0.1:8080_
 
+Marathon server endpoint.
+
+You can optionally specify multiple endpoints.
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    endpoint: "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+    # ...
+```
+
 ```toml tab="File (TOML)"
 [providers.marathon]
   endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
   # ...
 ```
 
-```toml tab="File (YAML)"
-providers:
-  marathon:
-    endpoint: "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
-    # ...
-```
-
 ```bash tab="CLI"
 --providers.marathon.endpoint=http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080
 ```
 
-Marathon server endpoint.
-
-You can optionally specify multiple endpoints:
-
 ### `exposedByDefault`
 
 _Optional, Default=true_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  exposedByDefault = false
-  # ...
-```
+Exposes Marathon applications by default through Traefik.
+
+If set to `false`, applications that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -206,46 +206,29 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  exposedByDefault = false
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.exposedByDefault=false
 # ...
 ```
 
-Exposes Marathon applications by default through Traefik.
-
-If set to false, applications that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
-
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
 ### `constraints`
 
 _Optional, Default=""_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  constraints = "Label(`a.label.name`,`foo`)"
-  # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    constraints: "Label(`a.label.name`,`foo`)"
-    # ...
-```
-
-```bash tab="CLI"
---providers.marathon.constraints=Label(`a.label.name`,`foo`)
-# ...
-```
-
-Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
-That is to say, if none of the application's labels match the expression, no route for the application is created.
-In addition, the expression also matched against the application's constraints, such as described in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
+The `constraints` option can be set to an expression that Traefik matches against the application labels to determine whether
+to create any route for that application. If none of the application labels match the expression, no route for that application is
+created. In addition, the expression is also matched against the application constraints, such as described
+in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
 If the expression is empty, all detected applications are included.
 
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")`, as well as the usual boolean logic.
-In addition, to match against marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are joined together in a single string with the `:` separator.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic.
+In addition, to match against Marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are concatenated in a single string using the `:` separator.
 
 ??? example "Constraints Expression Examples"
 
@@ -253,27 +236,27 @@ In addition, to match against marathon constraints, the function `MarathonConstr
     # Includes only applications having a label with key `a.label.name` and value `foo`
     constraints = "Label(`a.label.name`, `foo`)"
     ```
-    
+
     ```toml
     # Excludes applications having any label with key `a.label.name` and value `foo`
     constraints = "!Label(`a.label.name`, `value`)"
     ```
-    
+
     ```toml
     # With logical AND.
     constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
     ```
-    
+
     ```toml
     # With logical OR.
     constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
     ```
-    
+
     ```toml
     # With logical AND and OR, with precedence set by parentheses.
     constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
     ```
-    
+
     ```toml
     # Includes only applications having a label with key `a.label.name` and a value matching the `a.+` regular expression.
     constraints = "LabelRegex(`a.label.name`, `a.+`)"
@@ -289,17 +272,33 @@ In addition, to match against marathon constraints, the function `MarathonConstr
     constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)"
     ```
 
-See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    constraints: "Label(`a.label.name`,`foo`)"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.marathon]
+  constraints = "Label(`a.label.name`,`foo`)"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.constraints=Label(`a.label.name`,`foo`)
+# ...
+```
 
 ### `forceTaskHostname`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  forceTaskHostname = true
-  # ...
-```
+By default, the task IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
+otherwise, the name of the host running the task is used.
+The latter behavior can be enforced by setting this option to `true`.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -308,24 +307,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  forceTaskHostname = true
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.forceTaskHostname=true
 # ...
 ```
 
-By default, a task's IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
-otherwise, the name of the host running the task is used.
-The latter behavior can be enforced by enabling this switch.
-
 ### `keepAlive`
 
 _Optional, Default=10s_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  keepAlive = "30s"
-  # ...
-```
+Set the TCP Keep Alive duration for the Marathon HTTP Client.
+The value of `keepAlive` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -334,24 +333,26 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  keepAlive = "30s"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.keepAlive=30s
 # ...
 ```
 
-Set the TCP Keep Alive interval for the Marathon HTTP Client.
-Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
-or directly as a number of seconds.
-
 ### `respectReadinessChecks`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  respectReadinessChecks = true
-  # ...
-```
+Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
+Enabling `respectReadinessChecks` causes Traefik to filter out tasks whose readiness checks have not succeeded.
+Note that the checks are only valid during deployments.
+
+See the Marathon guide for details.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -360,26 +361,26 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  respectReadinessChecks = true
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.respectReadinessChecks=true
 # ...
 ```
 
-Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
-Enabling respectReadinessChecks causes Traefik to filter out tasks whose readiness checks have not succeeded.
-Note that the checks are only valid at deployment times.
-
-See the Marathon guide for details.
-
 ### `responseHeaderTimeout`
 
 _Optional, Default=60s_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  responseHeaderTimeout = "66s"
-  # ...
-```
+Amount of time the Marathon provider should wait before timing out when waiting for the first response header
+from a Marathon master.
+
+The value of `responseHeaderTimeout` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -388,29 +389,24 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  responseHeaderTimeout = "66s"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.responseHeaderTimeout=66s
 # ...
 ```
 
-Overrides ResponseHeaderTimeout.
-Amount of time the Marathon provider should wait before timing out,
-when waiting for the first response header from a Marathon master.
-
-Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), or directly as a number of seconds.
-
 ### `tls`
 
 _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secured connection to Marathon.
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  ca = "path/to/ca.crt"
-```
+Certificate Authority used for the secure connection to Marathon.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -419,23 +415,26 @@ providers:
       ca: path/to/ca.crt
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  ca = "path/to/ca.crt"
+```
+
 ```bash tab="CLI"
 --providers.marathon.tls.ca=path/to/ca.crt
 ```
 
 #### `tls.caOptional`
 
-Policy followed for the secured connection to Marathon with TLS Client Authentication.
-Requires `tls.ca` to be defined.
+The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
 
-- `true`: VerifyClientCertIfGiven
-- `false`: RequireAndVerifyClientCert
-- if `tls.ca` is undefined NoClientCert
+!!! warning ""
 
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  caOptional = true
-```
+    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+
+When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
+
+When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -444,19 +443,18 @@ providers:
       caOptional: true
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  caOptional = true
+```
+
 ```bash tab="CLI"
 --providers.marathon.tls.caOptional=true
 ```
 
 #### `tls.cert`
 
-Public certificate used for the secured connection to Marathon.
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Public certificate used for the secure connection to Marathon.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -466,6 +464,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.marathon.tls.cert=path/to/foo.cert
 --providers.marathon.tls.key=path/to/foo.key
@@ -473,13 +477,7 @@ providers:
 
 #### `tls.key`
 
-Private certificate used for the secured connection to Marathon.
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
+Private certificate used for the secure connection to Marathon.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -489,6 +487,12 @@ providers:
       key: path/to/foo.key
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
 ```bash tab="CLI"
 --providers.marathon.tls.cert=path/to/foo.cert
 --providers.marathon.tls.key=path/to/foo.key
@@ -496,12 +500,7 @@ providers:
 
 #### `tls.insecureSkipVerify`
 
-If `insecureSkipVerify` is `true`, TLS for the connection to Marathon accepts any certificate presented by the server and any host name in that certificate.
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  insecureSkipVerify = true
-```
+If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -510,6 +509,11 @@ providers:
       insecureSkipVerify: true
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  insecureSkipVerify = true
+```
+
 ```bash tab="CLI"
 --providers.marathon.tls.insecureSkipVerify=true
 ```
@@ -518,11 +522,11 @@ providers:
 
 _Optional, Default=5s_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  responseHeaderTimeout = "10s"
-  # ...
-```
+Amount of time the Marathon provider should wait before timing out,
+when waiting for the TLS handshake to complete.
+
+The value of `tlsHandshakeTimeout` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -531,27 +535,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  responseHeaderTimeout = "10s"
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.responseHeaderTimeout=10s
 # ...
 ```
 
-Overrides TLSHandshakeTimeout.
-
-Amount of time the Marathon provider should wait before timing out,
-when waiting for the TLS handshake to complete.
-Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
-or directly as a number of seconds.
-
 ### `trace`
 
 _Optional, Default=false_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  trace = true
-  # ...
-```
+Displays additional provider logs when available.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -560,22 +559,22 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  trace = true
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.trace=true
 # ...
 ```
 
-Displays additional provider logs (if available).
-
 ### `watch`
 
 _Optional, Default=true_
 
-```toml tab="File (TOML)"
-[providers.marathon]
-  watch = false
-  # ...
-```
+When set to `true`, watches for Marathon changes.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -584,9 +583,13 @@ providers:
     # ...
 ```
 
+```toml tab="File (TOML)"
+[providers.marathon]
+  watch = false
+  # ...
+```
+
 ```bash tab="CLI"
 --providers.marathon.watch=false
 # ...
 ```
-
-Enables watching for Marathon changes.

docs/content/providers/overview.md

@@ -7,30 +7,30 @@ Traefik's Many Friends
 
 Configuration discovery in Traefik is achieved through _Providers_.
 
-The _providers_ are existing infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. 
-The idea is that Traefik will query the providers' API in order to find relevant information about routing,
-and each time Traefik detects a change, it dynamically updates the routes.
-
-Deploy and forget is Traefik's credo.
+The _providers_ are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores.
+The idea is that Traefik queries the provider APIs in order to find relevant information about routing,
+and when Traefik detects a change, it dynamically updates the routes.
 
 ## Orchestrators
 
-Even if each provider is different, we can categorize them in four groups:
+While each provider is different, you can think of each as belonging to one of four categories:
 
-- Label based (each deployed container has a set of labels attached to it)
-- Key-Value based (each deployed container updates a key-value store with relevant information)
-- Annotation based (a separate object, with annotations, defines the characteristics of the container)
-- File based (the good old configuration file)
+- Label-based: each deployed container has a set of labels attached to it
+- Key-Value-based: each deployed container updates a key-value store with relevant information
+- Annotation-based: a separate object, with annotations, defines the characteristics of the container
+- File-based: uses files to define configuration
 
 ## Provider Namespace
 
-When you declare certain objects, in Traefik dynamic configuration,
-such as middleware, service, TLS options or servers transport, they live in its provider's namespace.
-For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
+When you declare certain objects in the Traefik dynamic configuration,
+such as middleware, services, TLS options or server transports, they reside in their provider's namespace.
+For example, if you declare a middleware using a Docker label, it resides in the Docker provider namespace.
 
-If you use multiple providers and wish to reference such an object declared in another provider 
-(aka referencing a cross-provider object, e.g. middleware), then you'll have to append the `@` separator, 
-followed by the provider name to the object name.
+If you use multiple providers and wish to reference such an object declared in another provider
+(e.g. referencing a cross-provider object like middleware), then the object name should be suffixed by the `@`
+separator, and the provider name.
+
+For the list of the providers names, see the [supported providers](#supported-providers) table below.
 
 ```text
 <resource-name>@<provider-name>
@@ -39,23 +39,18 @@ followed by the provider name to the object name.
 !!! important "Kubernetes Namespace"
 
     As Kubernetes also has its own notion of namespace,
-    one should not confuse the "provider namespace" with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.  
-    In this case, since the definition of a traefik dynamic configuration object is not in kubernetes,
-    specifying a "kubernetes namespace" when referring to the resource does not make any sense,
-    and therefore this specification would be ignored even if present.  
-    On the other hand, if you, say, declare a middleware as a Custom Resource in Kubernetes and use the non-crd Ingress objects,
-    you'll have to add the Kubernetes namespace of the middleware to the annotation like this `<middleware-namespace>-<middleware-name>@kubernetescrd`.
+    one should not confuse the _provider namespace_ with the _Kubernetes Namespace_ of a resource when in the context of cross-provider usage.
 
-!!! abstract "Referencing a Traefik dynamic configuration object from Another Provider"
+    In this case, since the definition of a Traefik dynamic configuration object is not in Kubernetes,
+    specifying a Kubernetes Namespace when referring to the resource does not make any sense.
+
+    On the other hand, if you were to declare a middleware as a Custom Resource in Kubernetes and use the non-CRD Ingress objects,
+    you would have to add the Kubernetes Namespace of the middleware to the annotation like this `<middleware-namespace>-<middleware-name>@kubernetescrd`.
+
+!!! abstract "Referencing a Traefik Dynamic Configuration Object from Another Provider"
 
     Declaring the add-foo-prefix in the file provider.
 
-    ```toml tab="File (TOML)"
-    [http.middlewares]
-      [http.middlewares.add-foo-prefix.addPrefix]
-        prefix = "/foo"
-    ```
-    
     ```yaml tab="File (YAML)"
     http:
       middlewares:
@@ -64,6 +59,12 @@ followed by the provider name to the object name.
             prefix: "/foo"
     ```
 
+    ```toml tab="File (TOML)"
+    [http.middlewares]
+      [http.middlewares.add-foo-prefix.addPrefix]
+        prefix = "/foo"
+    ```
+
     Using the add-foo-prefix middleware from other providers:
 
     ```yaml tab="Docker"
@@ -96,7 +97,7 @@ followed by the provider name to the object name.
             # A namespace specification such as above is ignored
             # when the cross-provider syntax is used.
     ```
-    
+
     ```yaml tab="Kubernetes Ingress"
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
@@ -107,7 +108,7 @@ followed by the provider name to the object name.
       stripPrefix:
         prefixes:
           - /stripit
-    
+
     ---
     apiVersion: networking.k8s.io/v1
     kind: Ingress
@@ -122,58 +123,66 @@ followed by the provider name to the object name.
       # ... regular ingress definition
     ```
 
-## Supported Providers 
+## Supported Providers
 
-Below is the list of the currently supported providers in Traefik. 
+Below is the list of the currently supported providers in Traefik.
 
-| Provider                              | Type         | Configuration Type         |
-|---------------------------------------|--------------|----------------------------|
-| [Docker](./docker.md)                 | Orchestrator | Label                      |
-| [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource or Ingress |
-| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label                      |
-| [ECS](./ecs.md)                       | Orchestrator | Label                      |
-| [Marathon](./marathon.md)             | Orchestrator | Label                      |
-| [Rancher](./rancher.md)               | Orchestrator | Label                      |
-| [File](./file.md)                     | Manual       | TOML/YAML format           |
-| [Consul](./consul.md)                 | KV           | KV                         |
-| [Etcd](./etcd.md)                     | KV           | KV                         |
-| [ZooKeeper](./zookeeper.md)           | KV           | KV                         |
-| [Redis](./redis.md)                   | KV           | KV                         |
-| [HTTP](./http.md)                     | Manual       | JSON format                |
+| Provider                                          | Type         | Configuration Type   | Provider Name       |
+|---------------------------------------------------|--------------|----------------------|---------------------|
+| [Docker](./docker.md)                             | Orchestrator | Label                | `docker`            |
+| [Kubernetes IngressRoute](./kubernetes-crd.md)    | Orchestrator | Custom Resource      | `kubernetescrd`     |
+| [Kubernetes Ingress](./kubernetes-ingress.md)     | Orchestrator | Ingress              | `kubernetes`        |
+| [Kubernetes Gateway API](./kubernetes-gateway.md) | Orchestrator | Gateway API Resource | `kubernetesgateway` |
+| [Consul Catalog](./consul-catalog.md)             | Orchestrator | Label                | `consulcatalog`     |
+| [ECS](./ecs.md)                                   | Orchestrator | Label                | `ecs`               |
+| [Marathon](./marathon.md)                         | Orchestrator | Label                | `marathon`          |
+| [Rancher](./rancher.md)                           | Orchestrator | Label                | `rancher`           |
+| [File](./file.md)                                 | Manual       | YAML/TOML format     | `file`              |
+| [Consul](./consul.md)                             | KV           | KV                   | `consul`            |
+| [Etcd](./etcd.md)                                 | KV           | KV                   | `etcd`              |
+| [ZooKeeper](./zookeeper.md)                       | KV           | KV                   | `zookeeper`         |
+| [Redis](./redis.md)                               | KV           | KV                   | `redis`             |
+| [HTTP](./http.md)                                 | Manual       | JSON format          | `http`              |
 
 !!! info "More Providers"
 
-    The current version of Traefik doesn't support (yet) every provider.
+    The current version of Traefik does not yet support every provider that Traefik v1.7 did.
     See the [previous version (v1.7)](https://doc.traefik.io/traefik/v1.7/) for more providers.
 
-### Configuration reload frequency
+### Configuration Reload Frequency
+
+#### `providers.providersThrottleDuration`
+
+_Optional, Default: 2s_
 
 In some cases, some providers might undergo a sudden burst of changes,
 which would generate a lot of configuration change events.
 If Traefik took them all into account,
-that would trigger a lot more configuration reloads than what is necessary,
+that would trigger a lot more configuration reloads than is necessary,
 or even useful.
 
 In order to mitigate that, the `providers.providersThrottleDuration` option can be set.
 It is the duration that Traefik waits for, after a configuration reload,
 before taking into account any new configuration refresh event.
-If any event arrives during that duration, only the most recent one is taken into account,
-and all the previous others are dropped.
+If multiple events occur within this time, only the most recent one is taken into account,
+and all others are discarded.
 
 This option cannot be set per provider,
-but the throttling algorithm applies independently to each of them.
-It defaults to 2 seconds.
+but the throttling algorithm applies to each of them independently.
 
-```toml tab="File (TOML)"
-[providers]
-  providers.providersThrottleDuration = 10s
-```
+The value of `providers.providersThrottleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 
 ```yaml tab="File (YAML)"
 providers:
   providersThrottleDuration: 10s
 ```
 
+```toml tab="File (TOML)"
+[providers]
+  providers.providersThrottleDuration = 10s
+```
+
 ```bash tab="CLI"
 --providers.providersThrottleDuration=10s
 ```
@@ -184,17 +193,18 @@ TODO (document TCP VS HTTP dynamic configuration)
 
 ## Restrict the Scope of Service Discovery
 
-By default Traefik will create routes for all detected containers.
+By default, Traefik creates routes for all detected containers.
 
-If you want to limit the scope of Traefik's service discovery,
+If you want to limit the scope of the Traefik service discovery,
 i.e. disallow route creation for some containers,
 you can do so in two different ways:
-either with the generic configuration option `exposedByDefault`,
-or with a finer granularity mechanism based on constraints.
+
+- the generic configuration option `exposedByDefault`,
+- a finer granularity mechanism based on constraints.
 
 ### `exposedByDefault` and `traefik.enable`
 
-List of providers that support that feature:
+List of providers that support these features:
 
 - [Docker](./docker.md#exposedbydefault)
 - [Consul Catalog](./consul-catalog.md#exposedbydefault)
@@ -211,3 +221,4 @@ List of providers that support constraints:
 - [Marathon](./marathon.md#constraints)
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)
 - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
+- [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)