Prepare release v2.9.2

Handle capture on redefined http.responseWriters
Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>
2025-09-24 21:44:26 +03:00 · 2022-10-27 16:53:16 +02:00 · 2022-10-27 16:08:06 +02:00 · 2022-10-26 18:22:05 +02:00 · 2022-10-24 10:52:04 +02:00 · 2022-10-23 14:16:05 +02:00
966 changed files with 83812 additions and 34596 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -8,7 +8,7 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, please refer to one of the following:

- the Traefik community forum: https://community.containo.us/
+- the Traefik community forum: https://community.traefik.io/

 -->

--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -1,82 +0,0 @@
---
-name: Bug report
-about: Create a report to help us improve
-
---
-<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
- the Traefik community forum: https://community.containo.us/
-
-->
-
-Bug
-
-<!--
-
-The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
-
-->
-
-### What did you do?
-
-<!--
-
-HOW TO WRITE A GOOD BUG REPORT?
-
- Respect the issue template as much as possible.
- The title should be short and descriptive.
- Explain the conditions which led you to report this issue: the context.
- The context should lead to something, an idea or a problem that you’re facing.
- Remain clear and concise.
- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
-->
-
-### What did you expect to see?
-
-
-
-### What did you see instead?
-
-
-
-### Output of `traefik version`: (_What version of Traefik are you using?_)
-
-<!--
-`latest` is not considered as a valid version.
-
-For the Traefik Docker image:
-    docker run [IMAGE] version
-    ex: docker run traefik version
-
-->
-
-```
-(paste your output here)
-```
-
-### What is your environment & configuration (arguments, toml, provider, platform, ...)?
-
-```toml
-# (paste your configuration here)
-```
-
-<!--
-Add more configuration information here.
-->
-
-
-### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
-
-```
-(paste your output here)
-```
--- a/.github/ISSUE_TEMPLATE/Feature_request.md
+++ b/.github/ISSUE_TEMPLATE/Feature_request.md
@@ -1,35 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-
---
-<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
- the Traefik community forum: https://community.containo.us/
-
-->
-
-Feature
-
-### What did you expect to see?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
- Respect the issue template as much as possible.
- The title should be short and descriptive.
- Explain the conditions which led you to report this issue: the context.
- The context should lead to something, an idea or a problem that you’re facing.
- Remain clear and concise.
- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
-->
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,82 @@
+name: Bug Report (Traefik)
+description: Create a report to help us improve.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only.
+        For end-user related support questions, please use the [Traefik community forum](https://community.traefik.io/).
+
+        All new/updated issues are triaged regularly by the maintainers.
+        All issues closed by a bot are subsequently double-checked by the maintainers.
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you do?
+      description: |
+        How to write a good bug report?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you do?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What did you see instead?
+      placeholder: What did you see instead?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What version of Traefik are you using?
+      description: |
+        `latest` is not considered as a valid version.
+
+        Output of `traefik version`.
+
+        For the Traefik Docker image (`docker run [IMAGE] version`), example:
+        ```console
+        $ docker run traefik version
+        ```
+      placeholder: Paste your output here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What is your environment & configuration?
+      description: arguments, toml, provider, platform, ...
+      placeholder: Add information here.
+      value: |
+        ```yaml
+        # (paste your configuration here)
+        ```
+
+        Add more configuration information here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: If applicable, please paste the log output in DEBUG level
+      description: "`--log.level=DEBUG` switch."
+      placeholder: Paste your output here.
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/feature-request.yml
@@ -0,0 +1,33 @@
+name: Feature Request (Traefik)
+description: Suggest an idea for this project.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
+        - the Traefik community forum: https://community.traefik.io/
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you expect to see?
+      description: |
+        How to write a good issue?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you expect to see?
+    validations:
+      required: true
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.4
+- for Traefik v2: use branch v2.9

 Bug fixes:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.4
+- for Traefik v2: use branch v2.9

 Enhancements:
 - for Traefik v1: we only accept bug fixes
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,79 @@
+name: Build Binaries
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.19
+  CGO_ENABLED: 0
+  IN_DOCKER: ""
+
+jobs:
+
+  build-webui:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Build webui
+        run: |
+          make clean-webui generate-webui
+          tar czvf webui.tar.gz ./webui/static/
+
+      - name: Artifact webui
+        uses: actions/upload-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: webui.tar.gz
+
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ ubuntu-20.04, macos-latest, windows-latest ]
+    needs:
+      - build-webui
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+            ~/Library/Caches/go-build
+            '%LocalAppData%\go-build'
+          key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-build-go-
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v2
+        with:
+          name: webui.tar.gz
+          path: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+      - name: Untar webui
+        run: tar xvf webui.tar.gz
+
+      - name: Build
+        run: make binary
--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -2,15 +2,16 @@ name: Check Documentation

 on:
  pull_request:
+    branches:
+      - '*'

 jobs:

  docs:
    name: Check, verify and build documentation
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04

    steps:
-
      - name: Check out code
        uses: actions/checkout@v2
        with:
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -6,18 +6,18 @@ on:
      - master
      - v*

+env:
+  STRUCTOR_VERSION: v1.11.2
+  MIXTUS_VERSION: v0.4.1
+
 jobs:

  docs:
    name: Doc Process
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
    if: github.repository == 'traefik/traefik'
-    env:
-      STRUCTOR_VERSION: v1.11.2
-      MIXTUS_VERSION: v0.4.1

    steps:
-
      - name: Check out code
        uses: actions/checkout@v2
        with:
@@ -44,7 +44,7 @@ jobs:
          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}

      - name: Apply seo
-        run: $HOME/bin/seo -path=./site
+        run: $HOME/bin/seo -path=./site -product=traefik

      - name: Publish documentation
        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
--- a/.github/workflows/experimental.yaml
+++ b/.github/workflows/experimental.yaml
@@ -0,0 +1,37 @@
+name: Build experimental image on branch
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+jobs:
+
+  experimental:
+    if: github.repository == 'traefik/traefik'
+    name: Build experimental image on branch
+    runs-on: ubuntu-20.04
+
+    steps:
+
+      # https://github.com/marketplace/actions/checkout
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Branch name
+        run: echo ${GITHUB_REF##*/}
+
+      - name: Build docker experimental image
+        run: docker build -t traefik/traefik:experimental-${GITHUB_REF##*/} -f exp.Dockerfile .
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push to Docker Hub
+        run: docker push traefik/traefik:experimental-${GITHUB_REF##*/}
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -0,0 +1,46 @@
+name: Test Unit
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.19
+  IN_DOCKER: ""
+
+jobs:
+
+  test-unit:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-test-unit-go-
+
+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
+      - name: Tests
+        run: make test-unit
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -0,0 +1,97 @@
+name: Validate
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+env:
+  GO_VERSION: 1.19
+  GOLANGCI_LINT_VERSION: v1.50.0
+  MISSSPELL_VERSION: v0.4.0
+  IN_DOCKER: ""
+
+jobs:
+
+  validate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-go-
+
+      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
+
+      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+
+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
+      - name: Validate
+        run: make validate
+
+  validate-generate:
+    runs-on: ubuntu-20.04
+
+    defaults:
+      run:
+        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+
+    steps:
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: go/src/github.com/traefik/traefik
+          fetch-depth: 0
+
+      - name: Cache Go modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-validate-generate-go-
+
+      - name: go generate
+        run: |
+          go generate
+          git diff --exit-code
+
+      - name: go mod tidy
+        run: |
+          go mod tidy
+          git diff --exit-code
+
+      - name: make generate-crd
+        run: |
+          make generate-crd
+          git diff --exit-code
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,6 @@
 /webui/.tmp/
 /site/
 /docs/site/
-/static/
 /autogen/
 /traefik
 /traefik.toml
@@ -17,4 +16,6 @@
 cover.out
 vendor/
 plugins-storage/
+plugins-local/
 traefik_changelog.md
+integration/tailscale.secret
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -1,149 +0,0 @@
-[run]
-  timeout = "10m"
-  skip-files = []
-  skip-dirs = [
-    "pkg/provider/kubernetes/crd/generated/",
-  ]
-
-[linters-settings]
-
-  [linters-settings.govet]
-    check-shadowing = false
-
-  [linters-settings.golint]
-    min-confidence = 0.0
-
-  [linters-settings.gocyclo]
-    min-complexity = 14.0
-
-  [linters-settings.maligned]
-    suggest-new = true
-
-  [linters-settings.goconst]
-    min-len = 3.0
-    min-occurrences = 4.0
-
-  [linters-settings.misspell]
-    locale = "US"
-
-  [linters-settings.funlen]
-    lines = 230 # default 60
-    statements = 120 # default 40
-
-  [linters-settings.forbidigo]
-    forbid = [
-      '^print(ln)?$',
-      '^spew\.Print(f|ln)?$',
-      '^spew\.Dump$',
-    ]
-
-  [linters-settings.depguard]
-    list-type = "blacklist"
-    include-go-root = false
-    packages = ["github.com/pkg/errors"]
-
-  [linters-settings.godox]
-    keywords = ["FIXME"]
-
-  [linters-settings.importas]
-    corev1 = "k8s.io/api/core/v1"
-    networkingv1beta1 = "k8s.io/api/networking/v1beta1"
-    extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
-    metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
-    kubeerror = "k8s.io/apimachinery/pkg/api/errors"
-
-  [linters-settings.gomoddirectives]
-    replace-allow-list = [
-      "github.com/abbot/go-http-auth",
-      "github.com/go-check/check",
-      "github.com/gorilla/mux",
-      "github.com/mailgun/minheap",
-      "github.com/mailgun/multibuf",
-    ]
-
-[linters]
-  enable-all = true
-  disable = [
-    "scopelint", # Deprecated
-    "interfacer", # Deprecated
-    "maligned", # Deprecated
-    "sqlclosecheck", # Not relevant (SQL)
-    "rowserrcheck", # Not relevant (SQL)
-    "lll", # Not relevant
-    "gocyclo", # FIXME must be fixed
-    "cyclop", # Duplicate of gocyclo
-    "gocognit", # Too strict
-    "nestif", # Too many false-positive.
-    "prealloc", # Too many false-positive.
-    "makezero", # Not relevant
-    "ifshort", # Not relevant
-    "dupl", # Too strict
-    "gosec", # Too strict
-    "gochecknoinits",
-    "gochecknoglobals",
-    "wsl", # Too strict
-    "nlreturn", # Not relevant
-    "gomnd", # Too strict
-    "stylecheck", # skip because report issues related to some generated files.
-    "testpackage", # Too strict
-    "tparallel", # Not relevant
-    "paralleltest", # Not relevant
-    "exhaustive", # Not relevant
-    "exhaustivestruct", # Not relevant
-    "goerr113", # Too strict
-    "wrapcheck", # Too strict
-    "noctx", # Too strict
-    "bodyclose", # Too many false-positive and panics.
-    "unparam", # Too strict
-    "godox", # Too strict
-    "forcetypeassert", # Too strict
-  ]
-
-[issues]
-  exclude-use-default = false
-  max-per-linter = 0
-  max-same-issues = 0
-  exclude = [
-    "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
-    "should have a package comment, unless it's in another file for this package",
-    "SA1019: http.CloseNotifier has been deprecated",  # FIXME must be fixed
-  ]
- [[issues.exclude-rules]]
-    path = "(.+)_test.go"
-    linters = ["goconst", "funlen", "godot"]
- [[issues.exclude-rules]]
-    path = "integration/.+_test.go"
-    text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
- [[issues.exclude-rules]]
-    path = "integration/(consul_catalog_test|constraint_test).go"
-    text = "Error return value of `(s.deregisterService|s.deregisterAgentService)` is not checked"
- [[issues.exclude-rules]]
-    path = "integration/grpc_test.go"
-    text = "Error return value of `closer` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/h2c/h2c.go"
-    text = "Error return value of `rw.Write` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/provider/docker/builder_test.go"
-    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
-    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/server/service/bufferpool.go"
-    text = "SA6002: argument should be pointer-like to avoid allocations"
- [[issues.exclude-rules]]
-    path = "cmd/configuration.go"
-    text = "string `traefik` has (\\d) occurrences, make it a constant"
- [[issues.exclude-rules]]
-    path = "pkg/server/middleware/middlewares.go"
-    text = "Function 'buildConstructor' has too many statements"
- [[issues.exclude-rules]]
-    path = "pkg/tracing/haystack/logger.go"
-    linters = ["goprintffuncname"]
- [[issues.exclude-rules]]
-    path = "pkg/tracing/tracing.go"
-    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
- [[issues.exclude-rules]]
-    path = "pkg/log/deprecated.go"
-    linters = ["godot"]
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,189 @@
+run:
+  timeout: 10m
+  skip-files: []
+  skip-dirs:
+    - pkg/provider/kubernetes/crd/generated/
+
+linters-settings:
+  govet:
+    check-shadowing: false
+  golint:
+    min-confidence: 0
+  gocyclo:
+    min-complexity: 14
+  goconst:
+    min-len: 3
+    min-occurrences: 4
+  misspell:
+    locale: US
+  funlen:
+    lines: -1
+    statements: 120
+  forbidigo:
+    forbid:
+      - ^print(ln)?$
+      - ^spew\.Print(f|ln)?$
+      - ^spew\.Dump$
+  depguard:
+    list-type: denylist
+    include-go-root: false
+    packages:
+      - github.com/pkg/errors
+  godox:
+    keywords:
+      - FIXME
+  importas:
+    corev1: k8s.io/api/core/v1
+    networkingv1beta1: k8s.io/api/networking/v1beta1
+    extensionsv1beta1: k8s.io/api/extensions/v1beta1
+    metav1: k8s.io/apimachinery/pkg/apis/meta/v1
+    kubeerror: k8s.io/apimachinery/pkg/api/errors
+    composeapi: github.com/docker/compose/v2/pkg/api
+  revive:
+    rules:
+      - name: struct-tag
+  rules:
+    - name: blank-imports
+    - name: context-as-argument
+    - name: context-keys-type
+    - name: dot-imports
+    - name: error-return
+    - name: error-strings
+    - name: error-naming
+    - name: exported
+    - name: if-return
+    - name: increment-decrement
+    - name: var-naming
+    - name: var-declaration
+    - name: package-comments
+    - name: range
+    - name: receiver-naming
+    - name: time-naming
+    - name: unexported-return
+    - name: indent-error-flow
+    - name: errorf
+    - name: empty-block
+    - name: superfluous-else
+    - name: unused-parameter
+    - name: unreachable-code
+    - name: redefines-builtin-id
+  gomoddirectives:
+    replace-allow-list:
+      - github.com/abbot/go-http-auth
+      - github.com/go-check/check
+      - github.com/gorilla/mux
+      - github.com/mailgun/minheap
+      - github.com/mailgun/multibuf
+      - github.com/jaguilar/vt100
+
+linters:
+  enable-all: true
+  disable:
+    - deadcode # deprecated
+    - exhaustivestruct # deprecated
+    - golint # deprecated
+    - ifshort # deprecated
+    - interfacer # deprecated
+    - maligned # deprecated
+    - nosnakecase # deprecated
+    - scopelint # deprecated
+    - scopelint # deprecated
+    - structcheck # deprecated
+    - varcheck # deprecated
+    - sqlclosecheck # not relevant (SQL)
+    - rowserrcheck # not relevant (SQL)
+    - execinquery # not relevant (SQL)
+    - cyclop # duplicate of gocyclo
+    - lll # Not relevant
+    - gocyclo # FIXME must be fixed
+    - gocognit # Too strict
+    - nestif # Too many false-positive.
+    - prealloc # Too many false-positive.
+    - makezero # Not relevant
+    - dupl # Too strict
+    - gosec # Too strict
+    - gochecknoinits
+    - gochecknoglobals
+    - wsl # Too strict
+    - nlreturn # Not relevant
+    - gomnd # Too strict
+    - stylecheck # skip because report issues related to some generated files.
+    - testpackage # Too strict
+    - tparallel # Not relevant
+    - paralleltest # Not relevant
+    - exhaustive # Not relevant
+    - exhaustruct # Not relevant
+    - goerr113 # Too strict
+    - wrapcheck # Too strict
+    - noctx # Too strict
+    - bodyclose # too many false-positive
+    - forcetypeassert # Too strict
+    - tagliatelle # Too strict
+    - varnamelen # Not relevant
+    - nilnil # Not relevant
+    - ireturn # Not relevant
+    - contextcheck # too many false-positive
+    - containedctx # too many false-positive
+    - maintidx # kind of duplicate of gocyclo
+    - nonamedreturns # Too strict
+
+issues:
+  exclude-use-default: false
+  max-per-linter: 0
+  max-same-issues: 0
+  exclude:
+    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
+    - "should have a package comment, unless it's in another file for this package"
+    - 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
+    - 'SA1019: cfg.SSLRedirect is deprecated'
+    - 'SA1019: cfg.SSLTemporaryRedirect is deprecated'
+    - 'SA1019: cfg.SSLHost is deprecated'
+    - 'SA1019: cfg.SSLForceHost is deprecated'
+    - 'SA1019: cfg.FeaturePolicy is deprecated'
+    - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
+    - 'SA1019: c.Providers.Consul.Namespace is deprecated'
+  exclude-rules:
+    - path: '(.+)_test.go'
+      linters:
+        - goconst
+        - funlen
+        - godot
+    - path: '(.+)_test.go'
+      text: ' always receives '
+      linters:
+        - unparam
+    - path: '(.+)\.go'
+      text: 'struct-tag: unknown option ''inline'' in JSON tag'
+      linters:
+        - revive
+    - path: pkg/server/service/bufferpool.go
+      text: 'SA6002: argument should be pointer-like to avoid allocations'
+    - path: pkg/server/middleware/middlewares.go
+      text: "Function 'buildConstructor' has too many statements"
+      linters:
+        - funlen
+    - path: pkg/tracing/haystack/logger.go
+      linters:
+        - goprintffuncname
+    - path: pkg/tracing/tracing.go
+      text: "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
+      linters:
+        - goprintffuncname
+    - path: pkg/tls/tlsmanager_test.go
+      text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
+    - path: pkg/types/tls_test.go
+      text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
+    - path: pkg/provider/kubernetes/(crd|gateway)/client.go
+      linters:
+        - interfacebloat
+    - path: pkg/metrics/metrics.go
+      linters:
+        - interfacebloat
+    - path: integration/healthcheck_test.go
+      text: 'Duplicate words \(wsp2,\) found'
+      linters:
+        - dupword
+    - path: pkg/types/domain_test.go
+      text: 'Duplicate words \(sub\) found'
+      linters:
+        - dupword
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -12,7 +12,8 @@ builds:
      - CGO_ENABLED=0
    ldflags:
      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
-
+    flags:
+      - -trimpath
    goos:
      - linux
      - darwin
@@ -25,6 +26,7 @@ builds:
      - arm
      - arm64
      - ppc64le
+      - s390x
    goarm:
      - 7
      - 6
@@ -38,6 +40,8 @@ builds:
        goarch: arm64
      - goos: freebsd
        goarch: arm64
+      - goos: windows
+        goarch: arm

 changelog:
  skip: true
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -0,0 +1,83 @@
+version: v1.0
+name: Traefik
+agent:
+  machine:
+    type: e1-standard-4
+    os_image: ubuntu1804
+
+fail_fast:
+  stop:
+    when: "branch != 'master'"
+
+auto_cancel:
+  queued:
+    when: "branch != 'master'"
+  running:
+    when: "branch != 'master'"
+
+global_job_config:
+  prologue:
+    commands:
+      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
+      - sudo semgo go1.19
+      - export "GOPATH=$(go env GOPATH)"
+      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
+      - export "PATH=${GOPATH}/bin:${PATH}"
+      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
+      - export GOPROXY=https://proxy.golang.org,direct
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.50.0
+      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
+      - checkout
+      - cache restore traefik-$(checksum go.sum)
+
+blocks:
+  - name: Test Integration
+    dependencies: []
+    run:
+      when: "branch =~ '.*' OR pull_request =~'.*'"
+    task:
+      jobs:
+        - name: Test Integration
+          commands:
+            - make pull-images
+            - touch webui/static/index.html # Avoid generating webui
+            - IN_DOCKER="" make binary
+            - make test-integration
+            - df -h
+      epilogue:
+        always:
+          commands:
+            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
+
+  - name: Release
+    dependencies: []
+    run:
+      when: "tag =~ '.*'"
+    task:
+      agent:
+        machine:
+          type: e1-standard-8
+          os_image: ubuntu1804
+      secrets:
+        - name: traefik
+      env_vars:
+        - name: GH_VERSION
+          value: 1.12.1
+        - name: CODENAME
+          value: "banon"
+        - name: IN_DOCKER
+          value: ""
+      prologue:
+        commands:
+          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
+          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
+          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
+          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
+          - sudo rm -rf ~/.phpbrew ~/.kerl ~/.sbt ~/.nvm ~/.npm ~/.kiex /usr/lib/jvm /opt/az /opt/firefox # Remove unnecessary data.
+          - sudo service docker stop && sudo umount /var/lib/docker && sudo service docker start # Unmounts the docker disk and the whole system disk is usable.
+      jobs:
+        - name: Release
+          commands:
+            - make release-packages
+            - gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/traefik*.* --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
+            - ./script/deploy.sh
--- a/.semaphoreci/cleanup.sh
+++ b/.semaphoreci/cleanup.sh
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-sudo rm -rf static
--- a/.semaphoreci/golang.sh
+++ b/.semaphoreci/golang.sh
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-curl -O https://dl.google.com/go/go"${GO_VERSION}".linux-amd64.tar.gz
-
-tar -xvf go"${GO_VERSION}".linux-amd64.tar.gz
-rm -rf go"${GO_VERSION}".linux-amd64.tar.gz
-
-sudo mkdir -p /usr/local/golang/"${GO_VERSION}"/go
-sudo mv go /usr/local/golang/"${GO_VERSION}"/
-
-sudo rm /usr/local/bin/go
-sudo chmod +x /usr/local/golang/"${GO_VERSION}"/go/bin/go
-sudo ln -s /usr/local/golang/"${GO_VERSION}"/go/bin/go /usr/local/bin/go
-
-export GOROOT="/usr/local/golang/${GO_VERSION}/go"
-export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"
-
-go version
--- a/.semaphoreci/job1.sh
+++ b/.semaphoreci/job1.sh
@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-integration; fi
--- a/.semaphoreci/job2.sh
+++ b/.semaphoreci/job2.sh
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-ci_retry make validate
-
-if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
-
-if [ -n "$SHOULD_TEST" ]; then make -j"${N_MAKE_JOBS}" crossbinary-default-parallel; fi
--- a/.semaphoreci/setup.sh
+++ b/.semaphoreci/setup.sh
@@ -1,35 +0,0 @@
-# For personnal CI
-# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/traefik/
-# cd /home/runner/workspace/src/github.com/traefik/traefik/
-for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
-sudo swapoff -a
-sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
-sudo mkswap /swapfile
-sudo swapon /swapfile
-sudo rm -rf /home/runner/.rbenv
-sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
-#export DOCKER_VERSION=18.06.3
-source .semaphoreci/vars
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/traefik/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
-echo ${SHOULD_TEST}
-if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
-echo ${TEMP_STORAGE}
-echo ${SHOULD_TEST}
-#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
-#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
-if [ -n "$SHOULD_TEST" ]; then docker version; fi
-export GO_VERSION=1.13
-if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-#if [ "${GO_VERSION}" == '1.15' ]; then export GO_VERSION=1.15rc2; fi
-echo "Selected Go version: ${GO_VERSION}"
-
-if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
-if [ -f "./.semaphoreci/golang.sh" ]; then export GOROOT="/usr/local/golang/${GO_VERSION}/go"; fi
-if [ -f "./.semaphoreci/golang.sh" ]; then export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"; fi
-go version
-
-if [ -f "./go.mod" ]; then export GO111MODULE=on; fi
-if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
-if [ -f "./go.mod" ]; then go mod download; fi
-
-df
--- a/.semaphoreci/vars
+++ b/.semaphoreci/vars
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-export REPO='traefik/traefik'
-
-if VERSION=$(git describe --exact-match --abbrev=0 --tags);
-then
-  export VERSION
-else
-  export VERSION=''
-fi
-
-export CODENAME=livarot
-
-export N_MAKE_JOBS=2
-
-
-function ci_retry {
-
-    local NRETRY=3
-    local NSLEEP=5
-    local n=0
-
-    until [ $n -ge $NRETRY ]
-    do
-        "$@" && break
-        n=$((n+1))
-        echo "${*} failed, attempt ${n}/${NRETRY}"
-        sleep $NSLEEP
-    done
-
-    [ $n -lt $NRETRY ]
-
-}
-
-export -f ci_retry
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,49 +0,0 @@
-sudo: required
-dist: trusty
-
-git:
-  depth: false
-
-services:
-  - docker
-
-env:
-  global:
-    - REPO=$TRAVIS_REPO_SLUG
-    - VERSION=$TRAVIS_TAG
-    - CODENAME=livarot
-    - GO111MODULE=on
-
-script:
- echo "Skipping tests... (Tests are executed on SemaphoreCI)"
-
-before_deploy:
-  - >
-    if ! [ "$BEFORE_DEPLOY_RUN" ]; then
-      export BEFORE_DEPLOY_RUN=1;
-      sudo -E apt-get -yq update;
-      sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
-      docker version;
-      echo "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin;
-      make build-image;
-      if [ "$TRAVIS_TAG" ]; then
-        make release-packages;
-      fi;
-    fi
-
-deploy:
-  - provider: releases
-    api_key: ${GITHUB_TOKEN}
-    file: dist/traefik*
-    skip_cleanup: true
-    file_glob: true
-    on:
-      repo: traefik/traefik
-      tags: true
-  - provider: script
-    script: sh script/deploy.sh
-    skip_cleanup: true
-    on:
-      repo: traefik/traefik
-      tags: true
-
--- a/.travis/traefiker_rsa.enc
+++ b/.travis/traefiker_rsa.enc
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -2,7 +2,7 @@

 ## Our Pledge

-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience,nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

 ## Our Standards

@@ -30,15 +30,19 @@ Project maintainers have the right and responsibility to remove, edit, or reject

 ## Scope

-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. 
-Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or our community.
+
+Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
 Representation of a project may be further defined and clarified by project maintainers.

 ## Enforcement

 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
-All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
-The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
+
+All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.
+
+The project team is obligated to maintain confidentiality with regard to the reporter of an incident.
+
 Further details of specific enforcement policies may be posted separately.

 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,8 +2,10 @@

 Here are some guidelines that should help to start contributing to the project.

- [Submitting pull Requests](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md)
+- [Submitting pull Requests](https://doc.traefik.io/traefik/contributing/submitting-pull-requests/)
 - [Submitting issues](https://doc.traefik.io/traefik/contributing/submitting-issues/)
- [Submitting security issues](docs/content/contributing/submitting-security-issues.md)
+- [Submitting security issues](https://doc.traefik.io/traefik/contributing/submitting-security-issues/)
+- [Advocating for Traefik](https://doc.traefik.io/traefik/contributing/advocating/)
+- [Triage Process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)

 If you are willing to become a maintainer of the project, please take a look at the [maintainers guidelines](docs/content/contributing/maintainers-guidelines.md).
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs
+Copyright (c) 2016-2020 Containous SAS; 2020-2022 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/161
+++ b/161
@@ -1,5 +1,3 @@
-.PHONY: all docs docs-serve
-
 SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')

 TAG_NAME := $(shell git tag -l --contains HEAD)
@@ -7,17 +5,16 @@ SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))

-BIND_DIR := "dist"
-
 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))

 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")

-INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
+INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)",-v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)

+# only used when running in docker
 TRAEFIK_ENVS := \
 	-e OS_ARCH_ARG \
 	-e OS_PLATFORM_ARG \
@@ -27,131 +24,187 @@ TRAEFIK_ENVS := \
 	-e CODENAME \
 	-e TESTDIRS \
 	-e CI \
-	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.
+	-e IN_DOCKER=true		# Indicator for integration tests that we are running inside a container.

-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/dist:/go/src/github.com/traefik/traefik/dist"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_NON_INTERACTIVE ?= false
-DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_TEST := docker run --add-host=host.docker.internal:127.0.0.1 --rm --name=traefik --network traefik-test-network -v $(PWD):$(PWD) -w $(PWD) $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)

-PRE_TARGET ?= build-dev-image
-
-PLATFORM_URL := $(if $(PLATFORM_URL),$(PLATFORM_URL),"https://pilot.traefik.io")
+IN_DOCKER ?= true

+.PHONY: default
 default: binary

-## Build Dev Docker image
-build-dev-image: dist
-	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
-
-## Build Dev Docker image without cache
-build-dev-image-no-cache: dist
-	docker build --no-cache -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
-
 ## Create the "dist" directory
 dist:
-	mkdir dist
+	mkdir -p dist
+
+## Build Dev Docker image
+.PHONY: build-dev-image
+build-dev-image: dist
+ifneq ("$(IN_DOCKER)", "")
+	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" --build-arg HOST_PWD="$(PWD)" -f build.Dockerfile .
+endif
+
+## Build Dev Docker image without cache
+.PHONY: build-dev-image-no-cache
+build-dev-image-no-cache: dist
+ifneq ("$(IN_DOCKER)", "")
+	docker build $(DOCKER_BUILD_ARGS) --no-cache -t "$(TRAEFIK_DEV_IMAGE)" --build-arg HOST_PWD="$(PWD)" -f build.Dockerfile .
+endif

 ## Build WebUI Docker image
+.PHONY: build-webui-image
 build-webui-image:
-	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui
+	docker build -t traefik-webui -f webui/Dockerfile webui
+
+## Clean WebUI static generated assets
+.PHONY: clean-webui
+clean-webui:
+	rm -r webui/static
+	mkdir -p webui/static
+	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md

 ## Generate WebUI
-generate-webui: build-webui-image
-	if [ ! -d "static" ]; then \
-		mkdir -p static; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
-		echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
-	fi
+webui/static/index.html:
+	$(MAKE) build-webui-image
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui npm run build:nc
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static

-## Build the linux binary
-binary: generate-webui $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+.PHONY: generate-webui
+generate-webui: webui/static/index.html
+
+## Build the binary
+.PHONY: binary
+binary: generate-webui build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+
+## Build the linux binary locally
+.PHONY: binary-debug
+binary-debug: generate-webui
+	GOOS=linux ./script/make.sh binary

 ## Build the binary for the standard platforms (linux, darwin, windows)
+.PHONY: crossbinary-default
 crossbinary-default: generate-webui build-dev-image
 	$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default

 ## Build the binary for the standard platforms (linux, darwin, windows) in parallel
+.PHONY: crossbinary-default-parallel
 crossbinary-default-parallel:
 	$(MAKE) generate-webui
 	$(MAKE) build-dev-image crossbinary-default

 ## Run the unit and integration tests
+.PHONY: test
 test: build-dev-image
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit binary test-integration
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit binary test-integration

 ## Run the unit tests
-test-unit: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate test-unit
-
-## Pull all images for integration tests
-pull-images:
-	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
+.PHONY: test-unit
+test-unit: build-dev-image
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit

 ## Run the integration tests
-test-integration: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
-	TEST_HOST=1 ./script/make.sh test-integration
+.PHONY: test-integration
+test-integration: build-dev-image
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate binary test-integration
+
+## Pull all images for integration tests
+.PHONY: pull-images
+pull-images:
+	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml \
+		| awk '{print $$2}' \
+		| sort \
+		| uniq \
+		| xargs -P 6 -n 1 docker pull

 ## Validate code and docs
-validate-files: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
+.PHONY: validate-files
+validate-files: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
 	bash $(CURDIR)/script/validate-shell-script.sh

 ## Validate code, docs, and vendor
-validate: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
+.PHONY: validate
+validate: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
 	bash $(CURDIR)/script/validate-shell-script.sh

 ## Clean up static directory and build a Docker Traefik image
-build-image: binary
-	rm -rf static
+.PHONY: build-image
+build-image: clean-webui binary
 	docker build -t $(TRAEFIK_IMAGE) .

-## Build a Docker Traefik image
+## Build a Docker Traefik image without re-building the webui
+.PHONY: build-image-dirty
 build-image-dirty: binary
 	docker build -t $(TRAEFIK_IMAGE) .

+## Locally build traefik for linux, then shove it an alpine image, with basic tools.
+.PHONY: build-image-debug
+build-image-debug: binary-debug
+	docker build -t $(TRAEFIK_IMAGE) -f debug.Dockerfile .
+
 ## Start a shell inside the build env
+.PHONY: shell
 shell: build-dev-image
 	$(DOCKER_RUN_TRAEFIK) /bin/bash

 ## Build documentation site
+.PHONY: docs
 docs:
 	make -C ./docs docs

-## Serve the documentation site localy
+## Serve the documentation site locally
+.PHONY: docs-serve
 docs-serve:
 	make -C ./docs docs-serve

 ## Pull image for doc building
+.PHONY: docs-pull-images
 docs-pull-images:
 	make -C ./docs docs-pull-images

-## Generate CRD clientset
+## Generate CRD clientset and CRD manifests
+.PHONY: generate-crd
 generate-crd:
-	./script/update-generated-crd-code.sh
+	@$(CURDIR)/script/code-gen.sh
+
+## Generate code from dynamic configuration https://github.com/traefik/genconf
+.PHONY: generate-genconf
+generate-genconf:
+	go run ./cmd/internal/gen/

 ## Create packages for the release
+.PHONY: release-packages
 release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish --timeout="60m"
-	$(DOCKER_RUN_TRAEFIK_NOTTY) tar cfz dist/traefik-${VERSION}.src.tar.gz \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
 		--exclude .travis \
 		--exclude .semaphoreci \
 		--exclude .github \
 		--exclude dist .
-	$(DOCKER_RUN_TRAEFIK_NOTTY) chown -R $(shell id -u):$(shell id -g) dist/
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/

 ## Format the Code
+.PHONY: fmt
 fmt:
 	gofmt -s -l -w $(SRCS)

+.PHONY: run-dev
 run-dev:
 	go generate
 	GO111MODULE=on go build ./cmd/traefik
--- a/README.md
+++ b/README.md
@@ -6,12 +6,10 @@
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
-[![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
 [![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)

-
 Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
 Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
@@ -64,8 +62,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
- Packaged as a single binary file (made with :heart: with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
-
+- Packaged as a single binary file (made with :heart: with go) and available as an [official](https://hub.docker.com/r/_/traefik/) docker image

 ## Supported Backends

@@ -89,13 +86,12 @@ You can access the simple HTML frontend of Traefik.

 You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

-If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).
-
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).

 ## Support

 To get community support, you can:
+
 - join the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)

 If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.
@@ -130,7 +126,6 @@ We are strongly promoting a philosophy of openness and sharing, and firmly stand
 This [document](docs/content/contributing/maintainers-guidelines.md) describes how to be part of the core team as well as various responsibilities and guidelines for Traefik maintainers.
 You can also find more information on our process to review pull requests and manage issues [in this document](docs/content/contributing/maintainers.md).

-
 ## Contributing

 If you'd like to contribute to the project, refer to the [contributing documentation](CONTRIBUTING.md).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,7 +1,6 @@
 # Security Policy

-We strongly advise you to register your Traefik instances to [Pilot](http://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version.
-You can also join our security mailing list to be aware of the latest announcements from our security team.
+You can join our security mailing list to be aware of the latest announcements from our security team.
 You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

 Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,7 +1,6 @@
-FROM golang:1.16-alpine
+FROM golang:1.19-alpine

-RUN apk --update upgrade \
-    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
    && update-ca-certificates \
    && rm -rf /var/cache/apk/*

@@ -13,22 +12,23 @@ RUN mkdir -p /usr/local/bin \
    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
    | tar -xzC /usr/local/bin --transform 's#^.+/##x'

-# Download go-bindata binary to bin folder in $GOPATH
-RUN mkdir -p /usr/local/bin \
-    && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
-    && chmod +x /usr/local/bin/go-bindata
-
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.39.0
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.50.0

 # Download misspell binary to bin folder in $GOPATH
-RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
+RUN curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.4.0

 # Download goreleaser binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
+RUN curl -sfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | sh

 WORKDIR /go/src/github.com/traefik/traefik

+# Because of CVE-2022-24765 (https://github.blog/2022-04-12-git-security-vulnerability-announced/),
+# we configure git to allow the Traefik codebase path on the Host for docker in docker usages.
+ARG HOST_PWD=""
+
+RUN git config --global --add safe.directory "${HOST_PWD}"
+
 # Download go modules
 COPY go.mod .
 COPY go.sum .
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -64,7 +64,7 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 	client := &http.Client{Timeout: 5 * time.Second}
 	protocol := "http"

-	// FIXME Handle TLS on ping etc...
+	// TODO Handle TLS on ping etc...
 	// if pingEntryPoint.TLS != nil {
 	// 	protocol = "https"
 	// 	tr := &http.Transport{
--- a/cmd/internal/gen/centrifuge.go
+++ b/cmd/internal/gen/centrifuge.go
@@ -0,0 +1,341 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"go/format"
+	"go/importer"
+	"go/token"
+	"go/types"
+	"io"
+	"log"
+	"os"
+	"path"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"strings"
+
+	"golang.org/x/tools/imports"
+)
+
+// File a kind of AST element that represents a file.
+type File struct {
+	Package  string
+	Imports  []string
+	Elements []Element
+}
+
+// Element is a simplified version of a symbol.
+type Element struct {
+	Name  string
+	Value string
+}
+
+// Centrifuge a centrifuge.
+// Generate Go Structures from Go structures.
+type Centrifuge struct {
+	IncludedImports []string
+	ExcludedTypes   []string
+	ExcludedFiles   []string
+
+	TypeCleaner    func(types.Type, string) string
+	PackageCleaner func(string) string
+
+	rootPkg string
+	fileSet *token.FileSet
+	pkg     *types.Package
+}
+
+// NewCentrifuge creates a new Centrifuge.
+func NewCentrifuge(rootPkg string) (*Centrifuge, error) {
+	fileSet := token.NewFileSet()
+
+	pkg, err := importer.ForCompiler(fileSet, "source", nil).Import(rootPkg)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Centrifuge{
+		fileSet: fileSet,
+		pkg:     pkg,
+		rootPkg: rootPkg,
+
+		TypeCleaner: func(typ types.Type, _ string) string {
+			return typ.String()
+		},
+		PackageCleaner: func(s string) string {
+			return s
+		},
+	}, nil
+}
+
+// Run runs the code extraction and the code generation.
+func (c Centrifuge) Run(dest string, pkgName string) error {
+	files := c.run(c.pkg.Scope(), c.rootPkg, pkgName)
+
+	err := fileWriter{baseDir: dest}.Write(files)
+	if err != nil {
+		return err
+	}
+
+	for _, p := range c.pkg.Imports() {
+		if contains(c.IncludedImports, p.Path()) {
+			fls := c.run(p.Scope(), p.Path(), p.Name())
+
+			err = fileWriter{baseDir: filepath.Join(dest, p.Name())}.Write(fls)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return err
+}
+
+func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) map[string]*File {
+	files := map[string]*File{}
+
+	for _, name := range sc.Names() {
+		if contains(c.ExcludedTypes, name) {
+			continue
+		}
+
+		o := sc.Lookup(name)
+		if !o.Exported() {
+			continue
+		}
+
+		filename := filepath.Base(c.fileSet.File(o.Pos()).Name())
+		if contains(c.ExcludedFiles, path.Join(rootPkg, filename)) {
+			continue
+		}
+
+		fl, ok := files[filename]
+		if !ok {
+			files[filename] = &File{Package: pkgName}
+			fl = files[filename]
+		}
+
+		elt := Element{
+			Name: name,
+		}
+
+		switch ob := o.(type) {
+		case *types.TypeName:
+
+			switch obj := ob.Type().(*types.Named).Underlying().(type) {
+			case *types.Struct:
+				elt.Value = c.writeStruct(name, obj, rootPkg, fl)
+
+			case *types.Map:
+				elt.Value = fmt.Sprintf("type %s map[%s]%s\n", name, obj.Key().String(), c.TypeCleaner(obj.Elem(), rootPkg))
+
+			case *types.Slice:
+				elt.Value = fmt.Sprintf("type %s []%v\n", name, c.TypeCleaner(obj.Elem(), rootPkg))
+
+			case *types.Basic:
+				elt.Value = fmt.Sprintf("type %s %v\n", name, obj.Name())
+
+			default:
+				log.Printf("OTHER TYPE::: %s %T\n", name, o.Type().(*types.Named).Underlying())
+				continue
+			}
+
+		default:
+			log.Printf("OTHER::: %s %T\n", name, o)
+			continue
+		}
+
+		if len(elt.Value) > 0 {
+			fl.Elements = append(fl.Elements, elt)
+		}
+	}
+
+	return files
+}
+
+func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string, elt *File) string {
+	b := strings.Builder{}
+	b.WriteString(fmt.Sprintf("type %s struct {\n", name))
+
+	for i := 0; i < obj.NumFields(); i++ {
+		field := obj.Field(i)
+
+		if !field.Exported() {
+			continue
+		}
+
+		fPkg := c.PackageCleaner(extractPackage(field.Type()))
+		if fPkg != "" && fPkg != rootPkg {
+			elt.Imports = append(elt.Imports, fPkg)
+		}
+
+		fType := c.TypeCleaner(field.Type(), rootPkg)
+
+		if field.Embedded() {
+			b.WriteString(fmt.Sprintf("\t%s\n", fType))
+			continue
+		}
+
+		values, ok := lookupTagValue(obj.Tag(i), "json")
+		if len(values) > 0 && values[0] == "-" {
+			continue
+		}
+
+		b.WriteString(fmt.Sprintf("\t%s %s", field.Name(), fType))
+
+		if ok {
+			b.WriteString(fmt.Sprintf(" `json:\"%s\"`", strings.Join(values, ",")))
+		}
+
+		b.WriteString("\n")
+	}
+
+	b.WriteString("}\n")
+
+	return b.String()
+}
+
+func lookupTagValue(raw, key string) ([]string, bool) {
+	value, ok := reflect.StructTag(raw).Lookup(key)
+	if !ok {
+		return nil, ok
+	}
+
+	values := strings.Split(value, ",")
+
+	if len(values) < 1 {
+		return nil, true
+	}
+
+	return values, true
+}
+
+func extractPackage(t types.Type) string {
+	switch tu := t.(type) {
+	case *types.Named:
+		return tu.Obj().Pkg().Path()
+
+	case *types.Slice:
+		if v, ok := tu.Elem().(*types.Named); ok {
+			return v.Obj().Pkg().Path()
+		}
+		return ""
+
+	case *types.Map:
+		if v, ok := tu.Elem().(*types.Named); ok {
+			return v.Obj().Pkg().Path()
+		}
+		return ""
+
+	case *types.Pointer:
+		return extractPackage(tu.Elem())
+
+	default:
+		return ""
+	}
+}
+
+func contains(values []string, value string) bool {
+	for _, val := range values {
+		if val == value {
+			return true
+		}
+	}
+
+	return false
+}
+
+type fileWriter struct {
+	baseDir string
+}
+
+func (f fileWriter) Write(files map[string]*File) error {
+	err := os.MkdirAll(f.baseDir, 0o755)
+	if err != nil {
+		return err
+	}
+
+	for name, file := range files {
+		err = f.writeFile(name, file)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (f fileWriter) writeFile(name string, desc *File) error {
+	if len(desc.Elements) == 0 {
+		return nil
+	}
+
+	filename := filepath.Join(f.baseDir, name)
+
+	file, err := os.Create(filename)
+	if err != nil {
+		return fmt.Errorf("failed to create file: %w", err)
+	}
+
+	defer func() { _ = file.Close() }()
+
+	b := bytes.NewBufferString("package ")
+	b.WriteString(desc.Package)
+	b.WriteString("\n")
+	b.WriteString("// Code generated by centrifuge. DO NOT EDIT.\n")
+
+	b.WriteString("\n")
+	f.writeImports(b, desc.Imports)
+	b.WriteString("\n")
+
+	for _, elt := range desc.Elements {
+		b.WriteString(elt.Value)
+		b.WriteString("\n")
+	}
+
+	// gofmt
+	source, err := format.Source(b.Bytes())
+	if err != nil {
+		log.Println(b.String())
+		return fmt.Errorf("failed to format sources: %w", err)
+	}
+
+	// goimports
+	process, err := imports.Process(filename, source, nil)
+	if err != nil {
+		log.Println(string(source))
+		return fmt.Errorf("failed to format imports: %w", err)
+	}
+
+	_, err = file.Write(process)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (f fileWriter) writeImports(b io.StringWriter, imports []string) {
+	if len(imports) == 0 {
+		return
+	}
+
+	uniq := map[string]struct{}{}
+
+	sort.Strings(imports)
+
+	_, _ = b.WriteString("import (\n")
+	for _, s := range imports {
+		if _, exist := uniq[s]; exist {
+			continue
+		}
+
+		uniq[s] = struct{}{}
+
+		_, _ = b.WriteString(fmt.Sprintf(`	"%s"`+"\n", s))
+	}
+
+	_, _ = b.WriteString(")\n")
+}
--- a/cmd/internal/gen/main.go
+++ b/cmd/internal/gen/main.go
@@ -0,0 +1,124 @@
+package main
+
+import (
+	"fmt"
+	"go/build"
+	"go/types"
+	"log"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+)
+
+const rootPkg = "github.com/traefik/traefik/v2/pkg/config/dynamic"
+
+const (
+	destModuleName = "github.com/traefik/genconf"
+	destPkg        = "dynamic"
+)
+
+const marsh = `package %s
+
+import "encoding/json"
+
+type JSONPayload struct {
+	*Configuration
+}
+
+func (c JSONPayload) MarshalJSON() ([]byte, error) {
+	if c.Configuration == nil {
+		return nil, nil
+	}
+
+	return json.Marshal(c.Configuration)
+}
+`
+
+// main generate Go Structures from Go structures.
+// Allows to create an external module (destModuleName) used by the plugin's providers
+// that contains Go structs of the dynamic configuration and nothing else.
+// These Go structs do not have any non-exported fields and do not rely on any external dependencies.
+func main() {
+	dest := filepath.Join(path.Join(build.Default.GOPATH, "src"), destModuleName, destPkg)
+
+	log.Println("Output:", dest)
+
+	err := run(dest)
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func run(dest string) error {
+	centrifuge, err := NewCentrifuge(rootPkg)
+	if err != nil {
+		return err
+	}
+
+	centrifuge.IncludedImports = []string{
+		"github.com/traefik/traefik/v2/pkg/tls",
+		"github.com/traefik/traefik/v2/pkg/types",
+	}
+
+	centrifuge.ExcludedTypes = []string{
+		// tls
+		"CertificateStore", "Manager",
+		// dynamic
+		"Message", "Configurations",
+		// types
+		"HTTPCodeRanges", "HostResolverConfig",
+	}
+
+	centrifuge.ExcludedFiles = []string{
+		"github.com/traefik/traefik/v2/pkg/types/logs.go",
+		"github.com/traefik/traefik/v2/pkg/types/metrics.go",
+	}
+
+	centrifuge.TypeCleaner = cleanType
+	centrifuge.PackageCleaner = cleanPackage
+
+	err = centrifuge.Run(dest, destPkg)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0o666)
+}
+
+func cleanType(typ types.Type, base string) string {
+	if typ.String() == "github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+		return "string"
+	}
+
+	if typ.String() == "[]github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+		return "[]string"
+	}
+
+	if typ.String() == "github.com/traefik/paerser/types.Duration" {
+		return "string"
+	}
+
+	if strings.Contains(typ.String(), base) {
+		return strings.ReplaceAll(typ.String(), base+".", "")
+	}
+
+	if strings.Contains(typ.String(), "github.com/traefik/traefik/v2/pkg/") {
+		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v2/pkg/", "")
+	}
+
+	return typ.String()
+}
+
+func cleanPackage(src string) string {
+	switch src {
+	case "github.com/traefik/paerser/types":
+		return ""
+	case "github.com/traefik/traefik/v2/pkg/tls":
+		return path.Join(destModuleName, destPkg, "tls")
+	case "github.com/traefik/traefik/v2/pkg/types":
+		return path.Join(destModuleName, destPkg, "types")
+	default:
+		return src
+	}
+}
--- a/cmd/traefik/plugins.go
+++ b/cmd/traefik/plugins.go
@@ -1,6 +1,8 @@
 package main

 import (
+	"fmt"
+
 	"github.com/traefik/traefik/v2/pkg/config/static"
 	"github.com/traefik/traefik/v2/pkg/plugins"
 )
@@ -8,42 +10,74 @@ import (
 const outputDir = "./plugins-storage/"

 func createPluginBuilder(staticConfiguration *static.Configuration) (*plugins.Builder, error) {
-	client, plgs, devPlugin, err := initPlugins(staticConfiguration)
+	client, plgs, localPlgs, err := initPlugins(staticConfiguration)
 	if err != nil {
 		return nil, err
 	}

-	return plugins.NewBuilder(client, plgs, devPlugin)
+	return plugins.NewBuilder(client, plgs, localPlgs)
 }

-func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, *plugins.DevPlugin, error) {
-	if !isPilotEnabled(staticCfg) || !hasPlugins(staticCfg) {
-		return nil, map[string]plugins.Descriptor{}, nil, nil
-	}
-
-	opts := plugins.ClientOptions{
-		Output: outputDir,
-		Token:  staticCfg.Pilot.Token,
-	}
-
-	client, err := plugins.NewClient(opts)
+func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, map[string]plugins.LocalDescriptor, error) {
+	err := checkUniquePluginNames(staticCfg.Experimental)
 	if err != nil {
 		return nil, nil, nil, err
 	}

-	err = plugins.Setup(client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin)
-	if err != nil {
-		return nil, nil, nil, err
+	var client *plugins.Client
+	plgs := map[string]plugins.Descriptor{}
+
+	if hasPlugins(staticCfg) {
+		opts := plugins.ClientOptions{
+			Output: outputDir,
+		}
+
+		var err error
+		client, err = plugins.NewClient(opts)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		err = plugins.SetupRemotePlugins(client, staticCfg.Experimental.Plugins)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		plgs = staticCfg.Experimental.Plugins
 	}

-	return client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin, nil
+	localPlgs := map[string]plugins.LocalDescriptor{}
+
+	if hasLocalPlugins(staticCfg) {
+		err := plugins.SetupLocalPlugins(staticCfg.Experimental.LocalPlugins)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		localPlgs = staticCfg.Experimental.LocalPlugins
+	}
+
+	return client, plgs, localPlgs, nil
 }

-func isPilotEnabled(staticCfg *static.Configuration) bool {
-	return staticCfg.Pilot != nil && staticCfg.Pilot.Token != ""
+func checkUniquePluginNames(e *static.Experimental) error {
+	if e == nil {
+		return nil
+	}
+
+	for s := range e.LocalPlugins {
+		if _, ok := e.Plugins[s]; ok {
+			return fmt.Errorf("the plugin's name %q must be unique", s)
+		}
+	}
+
+	return nil
 }

 func hasPlugins(staticCfg *static.Configuration) bool {
-	return staticCfg.Experimental != nil &&
-		(len(staticCfg.Experimental.Plugins) > 0 || staticCfg.Experimental.DevPlugin != nil)
+	return staticCfg.Experimental != nil && len(staticCfg.Experimental.Plugins) > 0
+}
+
+func hasLocalPlugins(staticCfg *static.Configuration) bool {
+	return staticCfg.Experimental != nil && len(staticCfg.Experimental.LocalPlugins) > 0
 }
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -2,7 +2,9 @@ package main

 import (
 	"context"
+	"crypto/x509"
 	"encoding/json"
+	"fmt"
 	stdlog "log"
 	"net/http"
 	"os"
@@ -14,11 +16,10 @@ import (
 	"time"

 	"github.com/coreos/go-systemd/daemon"
-	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/go-acme/lego/v4/challenge"
+	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/autogen/genstatic"
 	"github.com/traefik/traefik/v2/cmd"
 	"github.com/traefik/traefik/v2/cmd/healthcheck"
 	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
@@ -30,15 +31,17 @@ import (
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/metrics"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
-	"github.com/traefik/traefik/v2/pkg/pilot"
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v2/pkg/provider/hub"
 	"github.com/traefik/traefik/v2/pkg/provider/traefik"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/server"
 	"github.com/traefik/traefik/v2/pkg/server/middleware"
 	"github.com/traefik/traefik/v2/pkg/server/service"
 	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/tracing"
+	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
 	"github.com/traefik/traefik/v2/pkg/types"
 	"github.com/traefik/traefik/v2/pkg/version"
 	"github.com/vulcand/oxy/roundrobin"
@@ -106,10 +109,6 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
 	}

-	if staticConfiguration.API != nil && staticConfiguration.API.Dashboard {
-		staticConfiguration.API.DashboardAssets = &assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"}
-	}
-
 	if staticConfiguration.Global.CheckNewVersion {
 		checkNewVersion()
 	}
@@ -123,12 +122,6 @@ func runCmd(staticConfiguration *static.Configuration) error {

 	ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)

-	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.DevPlugin != nil {
-		var cancel context.CancelFunc
-		ctx, cancel = context.WithTimeout(ctx, 30*time.Minute)
-		defer cancel()
-	}
-
 	if staticConfiguration.Ping != nil {
 		staticConfiguration.Ping.WithContext(ctx)
 	}
@@ -189,8 +182,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	tlsManager := traefiktls.NewManager()
 	httpChallengeProvider := acme.NewChallengeHTTP()

-	// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
-	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
+	tlsChallengeProvider := acme.NewChallengeTLSALPN()
 	err = providerAggregator.AddProvider(tlsChallengeProvider)
 	if err != nil {
 		return nil, err
@@ -200,7 +192,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	// Entrypoints

-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
 	if err != nil {
 		return nil, err
 	}
@@ -210,37 +202,51 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	// Pilot
-
-	var aviator *pilot.Pilot
-	var pilotRegistry *metrics.PilotRegistry
-	if isPilotEnabled(staticConfiguration) {
-		pilotRegistry = metrics.RegisterPilot()
-
-		aviator = pilot.New(staticConfiguration.Pilot.Token, pilotRegistry, routinesPool)
-
-		routinesPool.GoCtx(func(ctx context.Context) {
-			aviator.Tick(ctx)
-		})
-	}
-
 	if staticConfiguration.Pilot != nil {
-		version.PilotEnabled = staticConfiguration.Pilot.Dashboard
+		log.WithoutContext().Warn("Traefik Pilot has been removed.")
 	}

 	// Plugins

 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		return nil, err
+		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
+	}
+
+	// Providers plugins
+
+	for name, conf := range staticConfiguration.Providers.Plugin {
+		if pluginBuilder == nil {
+			break
+		}
+
+		p, err := pluginBuilder.BuildProvider(name, conf)
+		if err != nil {
+			return nil, fmt.Errorf("plugin: failed to build provider: %w", err)
+		}
+
+		err = providerAggregator.AddProvider(p)
+		if err != nil {
+			return nil, fmt.Errorf("plugin: failed to add provider: %w", err)
+		}
+	}
+
+	// Traefik Hub
+
+	if staticConfiguration.Hub != nil {
+		if err = providerAggregator.AddProvider(staticConfiguration.Hub); err != nil {
+			return nil, fmt.Errorf("adding Traefik Hub provider: %w", err)
+		}
+
+		// API is mandatory for Traefik Hub to access the dynamic configuration.
+		if staticConfiguration.API == nil {
+			staticConfiguration.API = &static.API{}
+		}
 	}

 	// Metrics

 	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
-	if pilotRegistry != nil {
-		metricRegistries = append(metricRegistries, pilotRegistry)
-	}
 	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)

 	// Service manager factory
@@ -252,15 +258,16 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// Router factory

 	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
-	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder)
+	tracer := setupTracing(staticConfiguration.Tracing)
+
+	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)

 	// Watcher

 	watcher := server.NewConfigurationWatcher(
 		routinesPool,
 		providerAggregator,
-		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
 		getDefaultsEntrypoints(staticConfiguration),
 		"internal",
 	)
@@ -269,6 +276,11 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		ctx := context.Background()
 		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
+
+		gauge := metricsRegistry.TLSCertsNotAfterTimestampGauge()
+		for _, certificate := range tlsManager.GetCertificates() {
+			appendCertMetric(gauge, certificate)
+		}
 	})

 	// Metrics
@@ -283,7 +295,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	})

 	// Switch router
-	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
+	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP))

 	// Metrics
 	if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
@@ -313,7 +325,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 				continue
 			}

-			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok &&
+				// "traefik-hub" is an allowed certificate resolver name in a Traefik Hub Experimental feature context.
+				// It is used to activate its own certificate resolution, even though it is not a "classical" traefik certificate resolver.
+				(staticConfiguration.Hub == nil || rt.TLS.CertResolver != "traefik-hub") {
 				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
 			}
 		}
@@ -336,6 +351,11 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid
 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
 	for name, cfg := range staticConfiguration.EntryPoints {
+		// Traefik Hub entryPoint should not be part of the set of default entryPoints.
+		if hub.APIEntrypoint == name || hub.TunnelEntrypoint == name {
+			continue
+		}
+
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
@@ -351,16 +371,12 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 	return defaultEntryPoints
 }

-func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
+func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints) func(conf dynamic.Configuration) {
 	return func(conf dynamic.Configuration) {
 		rtConf := runtime.NewConfig(conf)

 		routers, udpRouters := routerFactory.CreateRouters(rtConf)

-		if aviator != nil {
-			aviator.SetDynamicConfiguration(conf)
-		}
-
 		serverEntryPointsTCP.Switch(routers)
 		serverEntryPointsUDP.Switch(udpRouters)
 	}
@@ -440,9 +456,33 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
 	}

+	if metricsConfig.InfluxDB2 != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
+		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
+		if influxDB2Register != nil {
+			registries = append(registries, influxDB2Register)
+			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
+				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
+		}
+	}
+
 	return registries
 }

+func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
+	sort.Strings(certificate.DNSNames)
+
+	labels := []string{
+		"cn", certificate.Subject.CommonName,
+		"serial", certificate.SerialNumber.String(),
+		"sans", strings.Join(certificate.DNSNames, ","),
+	}
+
+	notAfter := float64(certificate.NotAfter.Unix())
+
+	gauge.With(labels...).Set(notAfter)
+}
+
 func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
 	if conf == nil {
 		return nil
@@ -450,13 +490,79 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {

 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create access logger : %v", err)
+		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
 		return nil
 	}

 	return accessLoggerMiddleware
 }

+func setupTracing(conf *static.Tracing) *tracing.Tracing {
+	if conf == nil {
+		return nil
+	}
+
+	var backend tracing.Backend
+
+	if conf.Jaeger != nil {
+		backend = conf.Jaeger
+	}
+
+	if conf.Zipkin != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
+		} else {
+			backend = conf.Zipkin
+		}
+	}
+
+	if conf.Datadog != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
+		} else {
+			backend = conf.Datadog
+		}
+	}
+
+	if conf.Instana != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
+		} else {
+			backend = conf.Instana
+		}
+	}
+
+	if conf.Haystack != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
+		} else {
+			backend = conf.Haystack
+		}
+	}
+
+	if conf.Elastic != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
+		} else {
+			backend = conf.Elastic
+		}
+	}
+
+	if backend == nil {
+		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
+		defaultBackend := &jaeger.Config{}
+		defaultBackend.SetDefaults()
+		backend = defaultBackend
+	}
+
+	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
+	if err != nil {
+		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		return nil
+	}
+	return tracer
+}
+
 func configureLogging(staticConfiguration *static.Configuration) {
 	// configure default log flags
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
--- a/cmd/traefik/traefik_test.go
+++ b/cmd/traefik/traefik_test.go
@@ -0,0 +1,116 @@
+package main
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"strings"
+	"testing"
+
+	"github.com/go-kit/kit/metrics"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// FooCert is a PEM-encoded TLS cert.
+// generated from src/crypto/tls:
+// go run generate_cert.go  --rsa-bits 1024 --host foo.org,foo.com  --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+const fooCert = `-----BEGIN CERTIFICATE-----
+MIICHzCCAYigAwIBAgIQXQFLeYRwc5X21t457t2xADANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQDCjn67GSs/khuGC4GNN+tVo1S+/eSHwr/hWzhfMqO7nYiXkFzmxi+u14CU
+Pda6WOeps7T2/oQEFMxKKg7zYOqkLSbjbE0ZfosopaTvEsZm/AZHAAvoOrAsIJOn
+SEiwy8h0tLA4z1SNR6rmIVQWyqBZEPAhBTQM1z7tFp48FakCFwIDAQABo3QwcjAO
+BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUDHG3ASzeUezElup9zbPpBn/vjogwGwYDVR0RBBQwEoIH
+Zm9vLm9yZ4IHZm9vLmNvbTANBgkqhkiG9w0BAQsFAAOBgQBT+VLMbB9u27tBX8Aw
+ZrGY3rbNdBGhXVTksrjiF+6ZtDpD3iI56GH9zLxnqvXkgn3u0+Ard5TqF/xmdwVw
+NY0V/aWYfcL2G2auBCQrPvM03ozRnVUwVfP23eUzX2ORNHCYhd2ObQx4krrhs7cJ
+SWxtKwFlstoXY3K2g9oRD9UxdQ==
+-----END CERTIFICATE-----`
+
+// BarCert is a PEM-encoded TLS cert.
+// generated from src/crypto/tls:
+// go run generate_cert.go  --rsa-bits 1024 --host bar.org,bar.com  --ca --start-date "Jan 1 00:00:00 1970" --duration=10000h
+const barCert = `-----BEGIN CERTIFICATE-----
+MIICHTCCAYagAwIBAgIQcuIcNEXzBHPoxna5S6wG4jANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQKEwdBY21lIENvMB4XDTcwMDEwMTAwMDAwMFoXDTcxMDIyMTE2MDAw
+MFowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAqtcrP+KA7D6NjyztGNIPMup9KiBMJ8QL+preog/YHR7SQLO3kGFhpS3WKMab
+SzMypC3ZX1PZjBP5ZzwaV3PFbuwlCkPlyxR2lOWmullgI7mjY0TBeYLDIclIzGRp
+mpSDDSpkW1ay2iJDSpXjlhmwZr84hrCU7BRTQJo91fdsRTsCAwEAAaN0MHIwDgYD
+VR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFK8jnzFQvBAgWtfzOyXY4VSkwrTXMBsGA1UdEQQUMBKCB2Jh
+ci5vcmeCB2Jhci5jb20wDQYJKoZIhvcNAQELBQADgYEAJz0ifAExisC/ZSRhWuHz
+7qs1i6Nd4+YgEVR8dR71MChP+AMxucY1/ajVjb9xlLys3GPE90TWSdVppabEVjZY
+Oq11nPKc50ItTt8dMku6t0JHBmzoGdkN0V4zJCBqdQJxhop8JpYJ0S9CW0eT93h3
+ipYQSsmIINGtMXJ8VkP/MlM=
+-----END CERTIFICATE-----`
+
+type gaugeMock struct {
+	metrics map[string]float64
+	labels  string
+}
+
+func (g gaugeMock) With(labelValues ...string) metrics.Gauge {
+	g.labels = strings.Join(labelValues, ",")
+	return g
+}
+
+func (g gaugeMock) Set(value float64) {
+	g.metrics[g.labels] = value
+}
+
+func (g gaugeMock) Add(delta float64) {
+	panic("implement me")
+}
+
+func TestAppendCertMetric(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		certs    []string
+		expected map[string]float64
+	}{
+		{
+			desc:     "No certs",
+			certs:    []string{},
+			expected: map[string]float64{},
+		},
+		{
+			desc:  "One cert",
+			certs: []string{fooCert},
+			expected: map[string]float64{
+				"cn,,serial,123624926713171615935660664614975025408,sans,foo.com,foo.org": 3.6e+09,
+			},
+		},
+		{
+			desc:  "Two certs",
+			certs: []string{fooCert, barCert},
+			expected: map[string]float64{
+				"cn,,serial,123624926713171615935660664614975025408,sans,foo.com,foo.org": 3.6e+09,
+				"cn,,serial,152706022658490889223053211416725817058,sans,bar.com,bar.org": 3.6e+07,
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			gauge := &gaugeMock{
+				metrics: map[string]float64{},
+			}
+
+			for _, cert := range test.certs {
+				block, _ := pem.Decode([]byte(cert))
+				parsedCert, err := x509.ParseCertificate(block.Bytes)
+				require.NoError(t, err)
+
+				appendCertMetric(gauge, parsedCert)
+			}
+
+			assert.Equal(t, test.expected, gauge.metrics)
+		})
+	}
+}
--- a/debug.Dockerfile
+++ b/debug.Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:3.14
+# Feel free to add below any helpful dependency for debugging.
+# iproute2 is for ss.
+RUN apk --no-cache --no-progress add bash curl ca-certificates tzdata lsof iproute2 \
+    && update-ca-certificates \
+    && rm -rf /var/cache/apk/*
+COPY dist/traefik /
+EXPOSE 80
+VOLUME ["/tmp"]
+ENTRYPOINT ["/traefik"]
--- a/docs/.markdownlint.json
+++ b/docs/.markdownlint.json
@@ -4,6 +4,7 @@
    "MD009": false,
    "MD013": false,
    "MD024": false,
+    "MD025": false,
    "MD026": false,
    "MD033": false,
    "MD034": false,
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -1,4 +1,3 @@
-
 #######
 # This Makefile contains all targets related to the documentation
 #######
@@ -16,41 +15,51 @@ DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs
 DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNTS) -p $(DOCKER_RUN_DOC_PORT):8000

 # Default: generates the documentation into $(SITE_DIR)
+.PHONY: docs
 docs: docs-clean docs-image docs-lint docs-build docs-verify

 # Writer Mode: build and serve docs on http://localhost:8000 with livereload
+.PHONY: docs-serve
 docs-serve: docs-image
 	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve

 ## Pull image for doc building
+.PHONY: docs-pull-images
 docs-pull-images:
-	grep --no-filename -E '^FROM' ./*.Dockerfile | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
+	grep --no-filename -E '^FROM' ./*.Dockerfile \
+		| awk '{print $$2}' \
+		| sort \
+		| uniq \
+		| xargs -P 6 -n 1 docker pull

 # Utilities Targets for each step
+.PHONY: docs-image
 docs-image:
 	docker build -t $(TRAEFIK_DOCS_BUILD_IMAGE) -f docs.Dockerfile ./

+.PHONY: docs-build
 docs-build: docs-image
 	docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) sh -c "mkdocs build \
 		&& chown -R $(shell id -u):$(shell id -g) ./site"

+.PHONY: docs-verify
 docs-verify: docs-build
-	@if [ "$(DOCS_VERIFY_SKIP)" != "true" ]; then \
-		docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./; \
-		docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /verify.sh; \
-	else \
-		echo "DOCS_VERIFY_SKIP is true: no verification done."; \
-	fi
+ifneq ("$(DOCS_VERIFY_SKIP)", "true")
+	docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./
+	docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /verify.sh
+else
+	echo "DOCS_VERIFY_SKIP is true: no verification done."
+endif

+.PHONY: docs-lint
 docs-lint:
-	@if [ "$(DOCS_LINT_SKIP)" != "true" ]; then \
-		docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./ && \
-		docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /lint.sh; \
-	else \
-		echo "DOCS_LINT_SKIP is true: no linting done."; \
-	fi
+ifneq ("$(DOCS_LINT_SKIP)", "true")
+	docker build -t $(TRAEFIK_DOCS_CHECK_IMAGE) -f check.Dockerfile ./
+	docker run --rm -v $(CURDIR):/app $(TRAEFIK_DOCS_CHECK_IMAGE) /lint.sh
+else
+	echo "DOCS_LINT_SKIP is true: no linting done."
+endif

+.PHONY: docs-clean
 docs-clean:
 	rm -rf $(SITE_DIR)
-
-.PHONY: all docs-verify docs docs-clean docs-build docs-lint
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,18 +1,20 @@
-
-FROM alpine:3.13 as alpine
+FROM alpine:3.14 as alpine

 RUN apk --no-cache --no-progress add \
+    build-base \
    libcurl \
+    libxml2-dev \
+    libxslt-dev \
    ruby \
    ruby-bigdecimal \
+    ruby-dev \
    ruby-etc \
    ruby-ffi \
    ruby-json \
-    ruby-nokogiri \
-    ruby-dev \
-    build-base
+    zlib-dev

-RUN gem install html-proofer --version 3.19.0 --no-document -- --use-system-libraries
+RUN gem install nokogiri --version 1.13.3 --no-document -- --use-system-libraries
+RUN gem install html-proofer --version 3.19.3 --no-document -- --use-system-libraries

 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
--- a/docs/content/assets/img/providers/nomad.png
+++ b/docs/content/assets/img/providers/nomad.png
--- a/docs/content/contributing/advocating.md
+++ b/docs/content/contributing/advocating.md
@@ -1,10 +1,31 @@
+---
+title: "Traefik Advocation Documentation"
+description: "There are many ways to contribute to Traefik Proxy. If you're talking about Traefik, let us know and we'll promote your enthusiasm!"
+---
+
 # Advocating

 Spread the Love & Tell Us about It
 {: .subtitle }

-There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.
+Traefik Proxy was started by the community for the community.
+You can contribute to the Traefik community in three main ways: 

-If you're talking about Traefik, [let us know](https://blog.traefik.io/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
+**Spread the word!** Guides, videos, blog posts, how-to articles, and showing off your network design all help spread the word about Traefik Proxy
+and teach others in the community how to best implement it.
+It always sparks joy when users share how Traefik Proxy helps them solve their problems.
+If you are talking about Traefik Proxy, [let us know](https://traefik.io/submit-my-contribution/) and we will promote your work and reward your enthusiasm!
+If you are giving a talk that includes or is about Traefik Proxy, [let us know](https://traefik.io/submit-my-contribution/) and we will send you swag and stickers for your time at the conference.
+If you have written about Traefik or shared useful information you would like to promote, feel free to add links to the [dedicated wiki page on GitHub](https://github.com/traefik/traefik/wiki/Awesome-Traefik).

-Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/traefik/traefik/wiki/Awesome-Traefik).
+**Help community members!** Everyone needs a place to share their cool innovations or get help with that pesky bug that only a different pair of eyes seems to be able to see.
+Join our [Community Forum](https://community.traefik.io/) where you can ask questions, help out other users, and share your neat configuration examples or snippets.
+Top contributors will be asked to join the Ambassador program and get unique swag to celebrate!
+
+**Build cool solutions!** Traefik Proxy would be so much better if only it had…
+We love all the wonderful ideas that our users come up with, but we can only build so much.
+Luckily, as an open source community, our users can help by [building awesome features](https://github.com/orgs/traefik/projects/9/views/7), enhancements, or bug fixes.
+We are a big community, so we do need to prioritize a bit.
+That is why we use the tag `contributor/wanted` to let you know which pull requests will make it to the front of the queue for design support and review.
+Feel free to grab one of these and run with it.
+Top contributors get unique swag to celebrate. 
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Building & Testing Documentation"
+description: "Compile and test your own Traefik Proxy! Learn how to build your own Traefik binary from the sources, and read the technical documentation."
+---
+
 # Building and Testing

 Compile and Test Your Own Traefik!
@@ -45,7 +50,7 @@ $ ls dist/
 traefik*
 ```

-The following targets can be executed outside Docker by setting the variable `PRE_TARGET` to an empty string (we don't recommend that):
+The following targets can be executed outside Docker by setting the variable `IN_DOCKER` to an empty string (although be aware that some of the tests might fail in that context):

 - `test-unit`
 - `test-integration`
@@ -55,7 +60,7 @@ The following targets can be executed outside Docker by setting the variable `PR
 ex:

 ```bash
-PRE_TARGET= make test-unit
+IN_DOCKER= make test-unit
 ```

 ### Method 2: Using `go`
@@ -64,7 +69,6 @@ Requirements:

 - `go` v1.16+
 - environment variable `GO111MODULE=on`
- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`

 !!! tip "Source Directory"

@@ -101,18 +105,9 @@ Requirements:

 Once you've set up your go environment and cloned the source repository, you can build Traefik.

-Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
-
-```bash
-cd ~/go/src/github.com/traefik/traefik
-
-# Get go-bindata. (Important: the ellipses are required.)
-GO111MODULE=off go get github.com/containous/go-bindata/...
-```
-
 ```bash
 # Generate UI static files
-rm -rf static/ autogen/; make generate-webui
+make clean-webui generate-webui

 # required to merge non-code components into the final binary,
 # such as the web dashboard/UI
--- a/docs/content/contributing/data-collection.md
+++ b/docs/content/contributing/data-collection.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Data Collection Documentation"
+description: "To learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances. Read the technical documentation."
+---
+
 # Data Collection

 Understanding How Traefik is Being Used
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Contribution Documentation"
+description: "Found something unclear in the Traefik Proxy documentation and want to give a try at explaining it better? Read the guide to building documentation."
+---
+
 # Documentation

 Features Are Better When You Know How to Use Them
@@ -29,7 +34,7 @@ docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 tr

 !!! tip "Default URL"

-    Your local documentation server will run by default on [http://127.0.0.1:8000](http://127.0.0.1:8000).
+    Your local documentation server will run by default on <http://127.0.0.1:8000>.

 If you only want to build the documentation without serving it locally, you can use the following command:

--- a/docs/content/contributing/maintainers-guidelines.md
+++ b/docs/content/contributing/maintainers-guidelines.md
@@ -1,6 +1,11 @@
-# The Maintainers Guidelines
+---
+title: "Traefik Maintainer's Guidelines Documentation"
+description: "Interested in contributing more to the community and becoming a Traefik Proxy maintainer? Read the guide to becoming a part of the core team."
+---

-![Maintainers Guidelines](../assets/img/maintainers-guidelines.png)
+# Maintainer's Guidelines
+
+![Maintainer's Guidelines](../assets/img/maintainers-guidelines.png)

 Note: the document is a work in progress.

@@ -13,19 +18,19 @@ and firmly standing against the elitist closed approach.
 Being part of the core team should be accessible to anyone motivated
 and wants to be part of that journey!

-## Onboarding process
+## Onboarding Process

 If you consider joining our community please drop us a line using Twitter or leave a note in the issue.
 We will schedule a quick call to meet you and learn more about your motivation.
 During the call, the team will discuss the process of becoming a maintainer.
 We will be happy to answer any questions and explain all your doubts.

-## Maintainers requirements
+## Maintainer's Requirements

 Note: you do not have to meet all the listed requirements,
 but must have achieved several.

- Enabled [2FA](https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) on your Github account
+- Enabled [2FA](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) on your GitHub account
 - The contributor has opened and successfully run medium to large PR’s in the past 6 months.
 - The contributor has participated in multiple code reviews of other PR’s,
  including those of other maintainers and contributors.
@@ -34,7 +39,7 @@ but must have achieved several.
  or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
 - Have read and accepted the contributor guidelines.

-## Maintainers responsibilities and privileges
+## Maintainer's Responsibilities and Privileges

 There are lots of areas where you can contribute to the project,
 but we can suggest you start with activities such as:
@@ -55,7 +60,7 @@ but we can suggest you start with activities such as:
      The ability to set up a testing environment in a few minutes,
      using the official documentation,
      is a game changer.
- You will be listed on our Maintainers Github page
+- You will be listed on our Maintainers GitHub page
  as well as on our website in the section [maintainers](maintainers.md).
 - We will be promoting you on social channels (mostly on Twitter).

@@ -103,7 +108,7 @@ maintainers' activity and involvement will be reviewed on a regular basis.
  non-threatening,
  and friendly behavior towards other people on the maintainer team and with our community?

-## Additional comments for (not only) maintainers
+## Additional Comments for (not only) Maintainers

 - Be able to put yourself in users’ shoes.
 - Be open-minded and respectful with other maintainers and other community members.
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -1,6 +1,11 @@
+---
+title: "Traefik Maintainers Documentation"
+description: "Traefik Proxy is an open source software with a thriving community of contributors and maintainers. Read the list of maintainers on this page."
+---
+
 # Maintainers

-## The team
+## The Team

 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
 * Vincent Demeester [@vdemeester](https://github.com/vdemeester)
@@ -19,16 +24,17 @@
 * Romain Tribotté [@rtribotte](https://github.com/rtribotte)
 * Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
 * Harold Ozouf [@jspdown](https://github.com/jspdown)
+* Tom Moulard [@tommoulard](https://github.com/tommoulard)

-## Maintainers guidelines
+## Maintainer's Guidelines

-Please read the [maintainers guidelines](maintainers-guidelines.md)
+Please read the [maintainer's guidelines](maintainers-guidelines.md)

 ## Issue Triage

 Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).

-## PR review process:
+## PR Review Process

 The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.

@@ -118,7 +124,7 @@ The `status/*` labels represent the desired state in the workflow.
 * `priority/P2`: need to be fixed in the future.
 * `priority/P3`: maybe.

-### PR size
+### PR Size

 Automatically set by a bot.

--- a/docs/content/contributing/submitting-issues.md
+++ b/docs/content/contributing/submitting-issues.md
@@ -1,43 +1,61 @@
+---
+title: "Traefik Submitting Issues Documentation"
+description: "Help us help you! Learn how to submit an issue, following the guidelines, so the Traefik Proxy team can help. Read the technical documentation."
+---
+
 # Submitting Issues

 Help Us Help You!
 {: .subtitle }

+Issues are perfect for requesting a feature/enhancement or reporting a suspected bug.
 We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik. 

 The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
-To save us some time and get quicker feedback, be sure to follow the guide lines below.
+To help us (and other community members) quickly and easily understand what you need,
+be sure to follow the guidelines below.

 !!! important "Getting Help Vs Reporting an Issue"

    The issue tracker is not a general support forum, but a place to report bugs and asks for new features.

-    For end-user related support questions, try using first:
-
-    - the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
+    For end-user related support questions, try using the [Traefik Community Forum](https://community.traefik.io/)
+   [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Traefik%20Community%20Forum)](https://community.traefik.io/)

 ## Issue Title

 The title must be short and descriptive. (~60 characters)

-## Description
+Examples:

-Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE.md) as much as possible.
-
-Explain us in which conditions you encountered the issue, what is your context.
-
-Remain as clear and concise as possible
-
-Take time to polish the format of your message so we'll enjoy reading it and working on it. 
-Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
+* Bug: Duplicate requests in access logs
+* Feature: Support TCP

 ## Feature Request

-Traefik is an open-source project and aims to be the best edge router possible.
+Traefik is an open source project and aims to be the best edge router possible. 

 Remember when asking for new features that these must be useful to the majority (and not only useful in edge case scenarios, or hack-like setups).
+Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE/feature-request.yml) as much as possible.

-Do you best to explain what you're looking for, and why it would improve Traefik for everyone. 
+Do your best to explain what you're looking for, and why it would improve Traefik for everyone.
+Be detailed and share the use-case(s) to allow us to see the value of your feature request as quickly as possible.
+Features with a lot of positive interaction (claps, +1s, conversation about how this would impact them) indicate higher community interest and help us to prioritize.  
+
+If you are interested in creating a PR for your feature request, let us know in the the issue so we can work with you.  
+It can take a lot of work to make sure a PR can integrate with our existing code and planning with the team ahead of time can make sure that your PR can be accepted and merged quickly.
+
+## Issues or Possible Bug Reports
+
+Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE/bug_report.yml) as much as possible.
+
+Explain the conditions in which you encountered the issue; what is your context?
+Share any logs you may have and make sure to share the steps it takes to reproduce your issue or bug. 
+
+Remain as clear and concise as possible.
+
+Take time to polish the format of your message so we'll enjoy reading it and working on it. 
+Help your readers focus on what matters and help them understand the structure of your message (see the [GitHub Markdown Syntax](https://docs.github.com/en/get-started/writing-on-github)).

 ## International English

--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -1,9 +1,230 @@
-# Submitting Pull Requests
+---
+title: "Traefik Pull Requests Documentation"
+description: "Looking to contribute to Traefik Proxy? This guide will show you the guidelines for submitting a PR in our contributors guide repository."
+---

-A Quick Guide for Efficient Contributions
-{: .subtitle }
+# Before You Submit a Pull Request

-So you've decided to improve Traefik? 
-Thank You! 
+This guide is for contributors who already have a pull request to submit. 
+If you are looking for information on setting up your developer environment 
+and creating code to contribute to Traefik Proxy or related projects, 
+see the [development guide](https://docs.traefik.io/contributing/building-testing/).

-Please review the [guidelines on creating PRs](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md) for Traefik in our [contributors guide repository](https://github.com/traefik/contributors-guide).
+Looking for a way to contribute to Traefik Proxy? 
+Check out this list of [Priority Issues](https://github.com/traefik/traefik/labels/contributor%2Fwanted), 
+the [Good First Issue](https://github.com/traefik/traefik/labels/contributor%2Fgood-first-issue) list, 
+or the list of [confirmed bugs](https://github.com/traefik/traefik/labels/kind%2Fbug%2Fconfirmed) waiting to be remedied.
+
+## How We Prioritize
+
+We wish we could review every pull request right away. 
+Unfortunately, our team has to prioritize pull requests (PRs) for review 
+(but we are welcoming new [maintainers](https://github.com/traefik/traefik/blob/master/docs/content/contributing/maintainers-guidelines.md) to speed this up, 
+so if you are interested, check it out and apply). 
+
+The PRs we are able to handle fastest are:
+
+* Documentation updates.
+* Bug fixes.
+* Enhancements and Features with a `contributor/wanted` tag.
+
+PRs that take more time to address include:
+
+* Enhancements or Features without the `contributor/wanted` tag.  
+  
+If you have an idea for an enhancement or feature that you would like to build, 
+[create an issue](https://github.com/traefik/traefik/issues/new/choose) for it first 
+and tell us you are interested in writing the PR. 
+If an issue already exists, definitely comment on it to tell us you are interested in creating a PR. 
+
+This will allow us to communicate directly and let you know if it is something we would accept. 
+It also allows us to make sure you have all the information you need during the design phase 
+so that it can be reviewed and merged quickly. 
+  
+If you have questions about the Triage process,
+[read more here](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md).  
+  
+## The Pull Request Submit Process
+
+Merging a PR requires the following steps to be completed before it is merged automatically.
+
+* Make sure your pull request adheres to our best practices. These include:
+    * [Following project conventions](https://github.com/traefik/traefik/blob/master/docs/content/contributing/maintainers-guidelines.md); including using the PR Template.
+    * Make small pull requests.
+    * Solve only one problem at a time.
+    * Comment thoroughly.
+    * Do not open the PR from an organization repository.
+    * Keep "allows edit from maintainer" checked.
+    * Use semantic line breaks for documentation.
+* Pass the validation check.
+* Pass all tests.
+* Receive 3 approving reviews maintainers.
+
+## Pull Request Review Cycle
+
+You can read about our Triage Process [here](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md), 
+but in short, it looks like this:
+
+* We triage every new PR or comment before entering it into the review process.
+    * We ensure that all prerequisites for review have been met.
+    * We check to make sure the use case meets our needs.
+    * We assign reviewers.
+* Design Review.
+    * This takes longer than other parts of the process.
+    * We review that there are no obvious conflicts with our codebase.
+* Code Review.
+    * We review the code in-depth and run tests.
+    * We may ask for changes here.
+    * During code review, we ask that you be reasonably responsive, 
+      if a PR languishes in code review it is at risk of rejection, 
+      or we may take ownership of the PR and the contributor will become a co-author.
+* Merge. 
+    * Success!
+
+!!! note
+
+    Occasionally, we may freeze our codebase when working towards a specific feature or goal that could impact other development. 
+    During this time, your pull request could remain unmerged while the release work is completed.
+
+## Run Local Verifications
+
+You must run these local verifications before you submit your pull request to predict the pass or failure of continuous integration. 
+Your PR will not be reviewed until these are green on the CI.
+
+* `make validate`
+* `make pull-images`
+* `make test`
+
+## The Testing and Merge Workflow
+
+Pull Requests are managed by the bot [Myrmica Lobicornis](https://github.com/traefik/lobicornis). 
+This bot is responsible for verifying GitHub Checks (CI, Tests, etc), mergability, and minimum reviews. 
+In addition, it rebases or merges with the base PR branch if needed. 
+It performs several other housekeeping items 
+and you can read more about those on the [README](https://github.com/traefik/lobicornis) for Lobicornis.
+
+The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
+
+By default, a squash-rebase merge will be carried out.
+
+The status `status/4-merge-in-progress` is only used by the bot.
+
+If the bot is not able to perform the merge, the label `bot/need-human-merge` is added. 
+In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
+
+To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
+
+The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
+
+This label can be used when:
+
+* Updating a dependency.
+* Merging branches back into the next version branch.
+* Submitting minor documentation changes.
+* Submitting changelog PRs.
+
+## Why Was My Pull Request Closed?
+
+Traefik Proxy is made by the community for the community, 
+as such the goal is to engage the community to make Traefik the best reverse proxy available. 
+Part of this goal is maintaining a lean codebase and ensuring code velocity. 
+unfortunately, this means that sometimes we will not be able to merge a pull request.
+
+Because we respect the work you did, you will always be told why we are closing your pull request. 
+If you do not agree with our decision, do not worry; closed pull requests are easy to recreate, 
+and little work is lost by closing a pull request that subsequently needs to be reopened.
+
+Your pull request might be closed if:
+
+* Your PR's design conflicts with our existing codebase in such a way that Merging is not an option 
+  and the work needed to make your pull request usable is too high.
+    * To prevent this, make sure you created an issue first
+      and think about including Traefik Proxy maintainers in your design phase to minimize conflicts.
+* Your PR is for an enhancement or feature that we will not use.
+    * Please remember to create an issue for any pull request **before** you create a PR 
+      to ensure that your goal is something we can merge and that you have any design insight you might need from the team.
+* Your PR has been waiting for feedback from the contributor for over 90 days.
+
+## Why is My Pull Request Not Getting Reviewed
+
+A few factors affect how long your pull request might wait for review.
+
+We must prioritize which PRs we focus on. 
+Our first priority is PRs we have identified as having high community engagement and broad applicability. 
+We put our top priorities on our roadmap and you can identify them by the `contributor/wanted` tag. 
+These PRs will enter our review process the fastest. 
+
+Our second priority is bug fixes. 
+Especially for bugs that have already been tagged with `bug/confirmed`. 
+These reviews enter the process quickly.
+
+If your PR does not meet the criteria above, 
+it will take longer for us to review as any PRs that do meet the criteria above will be prioritized. 
+
+Additionally, during the last few weeks of a milestone, we stop reviewing PRs to reduce churn and stabilize. 
+We will resume after the release. 
+
+The second major reason that we deprioritize your PR is that you are not following best practices. 
+
+The most common failures to follow best practices are:
+
+* You did not create an issue for the PR you wish to make. 
+  If you do not create an issue before submitting your PR, 
+  we will not be able to answer any design questions and let you know how likely your PR is to be merged. 
+* You created pull requests that are too large to review.
+    * Break your pull requests up.
+      If you can extract whole ideas from your pull request and send those as pull requests of their own, 
+      you should do that instead. 
+      It is better to have many pull requests addressing one thing than one pull request addressing many things. 
+    * Traefik Proxy is a fast-moving codebase — lock in your changes ASAP with your small pull request, 
+      and make merges be someone else's problem.
+      We want every pull request to be useful on its own, 
+      so use your best judgment on what should be a pull request vs. a commit.
+* You did not comment well.
+    * Comment everything.
+
+Please remember that we are working internationally, cross-culturally, and with different use-cases. 
+Your reviewer will not intuitively understand the problem the same way you do or solve it the same way you would.
+This is why every change you make must be explained and your strategy for coding must also be explained.   
+
+* Your tests were inadequate or absent.
+    * If you do not know how to test your PR, please ask! 
+      We will be happy to help you or suggest appropriate test cases.
+
+If you have already followed the best practices and your PR still has not received a response, 
+here are some things you can do to move the process along:
+
+* If you have fixed all the issues from a review, 
+  remember to re-request a review (using the designated button) to let your reviewer know that you are ready. 
+  You can choose to comment with the changes you made. 
+* Ping `@tfny` if you have not been assigned to a reviewer.
+
+For more information on best practices, try these links:
+
+* [How to Write a Git Commit Message - Chris Beams](https://chris.beams.io/posts/git-commit/)
+* [Distributed Git - Contributing to a Project (Commit Guidelines)](https://git-scm.com/book/en/v2/Distributed-Git-Contributing-to-a-Project)
+* [What’s with the 50/72 rule? - Preslav Rachev](https://preslav.me/2015/02/21/what-s-with-the-50-72-rule/)
+* [A Note About Git Commit Messages - Tim Pope](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
+
+## It's OK to Push Back
+
+Sometimes reviewers make mistakes. 
+It is OK to push back on changes your reviewer requested. 
+If you have a good reason for doing something a certain way, you are absolutely allowed to debate the merits of a requested change.
+Both the reviewer and reviewee should strive to discuss these issues in a polite and respectful manner.
+
+You might be overruled, but you might also prevail. 
+We are pretty reasonable people.
+
+Another phenomenon of open-source projects (where anyone can comment on any issue) is the dog-pile -
+your pull request gets so many comments from so many people it becomes hard to follow. 
+In this situation, you can ask the primary reviewer (assignee) whether they want you to fork a new pull request 
+to clear out all the comments. 
+You do not have to fix every issue raised by every person who feels like commenting, 
+but you should answer reasonable comments with an explanation.
+
+## Common Sense and Courtesy
+
+No document can take the place of common sense and good taste. 
+Use your best judgment, while you put a bit of thought into how your work can be made easier to review. 
+If you do these things your pull requests will get merged with less friction.
--- a/docs/content/contributing/submitting-security-issues.md
+++ b/docs/content/contributing/submitting-security-issues.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Security Documentation"
+description: "Security is a key part of Traefik Proxy. Read the technical documentation to learn about security advisories, CVE, and how to report a vulnerability."
+---
+
 # Security

 ## Security Advisories
--- a/docs/content/contributing/thank-you.md
+++ b/docs/content/contributing/thank-you.md
@@ -1,13 +1,18 @@
+---
+title: "Traefik Contribution Documentation"
+description: "Thank you to all those who have contributed! Traefik Proxy is an open-source project that thrives with the support of our passionate community."
+---
+
 # Thank You!

 _You_ Made It
 {: .subtitle}

-Traefik truly is an [open-source project](https://github.com/traefik/traefik/),
+Traefik Proxy truly is an [open-source project](https://github.com/traefik/traefik/),
 and wouldn't have become what it is today without the help of our [many contributors](https://github.com/traefik/traefik/graphs/contributors) (at the time of writing this),
-not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
+not accounting for people having helped with issues, tests, comments, articles, ... or just enjoy using Traefik Proxy and share with others.

-So once again, thank you for your invaluable help on making Traefik such a good product.
+So once again, thank you for your invaluable help in making Traefik such a good product!

 !!! question "Where to Go Next?"
    If you want to:
--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@@ -0,0 +1,28 @@
+# Feature Deprecation Notices
+
+This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
+
+| Feature                                                     | Deprecated | End of Support | Removal |
+|-------------------------------------------------------------|------------|----------------|---------|
+| [Pilot](#pilot)                                             | 2.7        | 2.8            | 2.9     |
+| [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8        | N/A            | 3.0     |
+| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                   | N/A        | 2.8            | N/A     |
+
+## Impact
+
+### Pilot
+
+Metrics will continue to function normally up to 2.8, when they will be disabled.  
+In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
+
+Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
+Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
+
+### Consul Enterprise Namespace
+
+Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
+please use the `namespaces` options instead.  
+
+### TLS 1.0 and 1.1
+
+Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -0,0 +1,40 @@
+# Releases
+
+## Versions
+
+Below is a non-exhaustive list of versions and their maintenance status:
+
+| Version | Release Date | Active Support     | Security Support | 
+|---------|--------------|--------------------|------------------|
+| 2.9     | Oct 03, 2022 | Yes                | Yes              |
+| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No               |
+| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No               |
+| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No               |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No               |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No               |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No               |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No               |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No               |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No               |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | Contact Support  |
+
+??? example "Active Support / Security Support"
+
+    **Active support**: receives any bug fixes.
+    **Security support**: receives only critical bug and security fixes.
+
+This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
+
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+
+!!! important "All target dates for end of support or feature removal announcements may be subject to change."
+
+## Versioning Scheme
+
+The Traefik Proxy project follows the [semantic versioning](https://semver.org/) scheme and maintains a separate branch for each minor version. The main branch always represents the next upcoming minor or major version.
+
+And these are our guiding rules for version support:
+
+- **Only the latest `minor`** will be on active support at any given time
+- **The last `minor` after releasing a new `major`** will be supported for 1 year following the `major` release
+- **Previous rules are subject to change** and in such cases an announcement will be made publicly, [here](https://traefik.io/blog/traefik-2-1-in-the-wild/) is an example extending v1.x branch support.
--- a/docs/content/getting-started/concepts.md
+++ b/docs/content/getting-started/concepts.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Concepts Documentation"
+description: "Get started with Traefik Proxy. Read the technical documentation for an introduction into the key concepts behind our open source edge router."
+---
+
 # Concepts

 Everything You Need to Know
@@ -19,7 +24,7 @@ Deploying your services, you attach information that tells Traefik the character
 ![Decentralized Configuration](../assets/img/traefik-concepts-2.png)

 It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
-The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
+Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.

 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.

@@ -34,3 +39,5 @@ You no longer need to create and synchronize configuration files cluttered with
 !!! question "How does Traefik discover the services?"

    Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Configuration Documentation"
+description: "Get started with Traefik Proxy. This page will introduce you to the dynamic routing and startup configurations. Read the technical documentation."
+---
+
 # Configuration Introduction

 How the Magic Happens
@@ -51,7 +56,7 @@ Once positioned, this option sets (and resets) all the default values of the sub

 ### Configuration File

-At startup, Traefik searches for a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:
+At startup, Traefik searches for static configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:

 - `/etc/traefik/`
 - `$XDG_CONFIG_HOME/`
@@ -74,7 +79,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:2.1 --help
+# ex: docker run traefik:v2.9 --help
 ```

 All available arguments can also be found [here](../reference/static-configuration/cli.md).
@@ -88,3 +93,5 @@ All available environment variables can be found [here](../reference/static-conf
 All the configuration options are documented in their related section.

 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Getting Started FAQ"
+description: "Check out our FAQ page for answers to commonly asked questions on getting started with Traefik Proxy. Read the technical documentation."
+---
+
 # FAQ

 ## Why is Traefik Answering `XXX` HTTP Response Status Code?
@@ -124,3 +129,55 @@ http:
    If there is a need for a response code other than a `503` and/or a custom message,
    the principle of the above example above (a catchall router) still stands,
    but the `unavailable` service should be adapted to fit such a need.
+
+## Why Is My TLS Certificate Not Reloaded When Its Contents Change? 
+
+With the file provider,
+a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
+
+Which is why, when a certificate is defined by path,
+and the actual contents of this certificate change,
+a configuration update is _not_ triggered.
+
+To take into account the new certificate contents, the update of the dynamic configuration must be forced.
+One way to achieve that, is to trigger a file notification,
+for example, by using the `touch` command on the configuration file.
+
+## What Are the Forwarded Headers When Proxying HTTP Requests?
+
+By default, the following headers are automatically added when proxying requests:
+
+| Property                  | HTTP Header                |
+|---------------------------|----------------------------|
+| Client's IP               | X-Forwarded-For, X-Real-Ip |
+| Host                      | X-Forwarded-Host           |
+| Port                      | X-Forwarded-Port           |
+| Protocol                  | X-Forwarded-Proto          |
+| Proxy Server's Hostname   | X-Forwarded-Server         |
+
+For more details,
+please check out the [forwarded header](../routing/entrypoints.md#forwarded-headers) documentation.
+
+## What does the "field not found" error mean?
+
+```shell
+error: field not found, node: -badField-
+```
+
+The "field not found" error occurs, when an unknown property is encountered in the dynamic or static configuration.
+
+One easy way to check whether a configuration file is well-formed, is to validate it with:
+
+- [JSON Schema of the static configuration](https://json.schemastore.org/traefik-v2.json)
+- [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json)
+
+## Why are some resources (routers, middlewares, services...) not created/applied?
+
+As a common tip, if a resource is dropped/not created by Traefik after the dynamic configuration was evaluated,
+one should look for an error in the logs.
+
+If found, the error obviously confirms that something went wrong while creating the resource,
+and the message should help in figuring out the mistake(s) in the configuration, and how to fix it.
+
+When using the file provider,
+one easy way to check if the dynamic configuration is well-formed is to validate it with the [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json).
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Installation Documentation"
+description: "There are several flavors to choose from when installing Traefik Proxy. Get started with Traefik Proxy, and read the technical documentation."
+---
+
 # Install Traefik

 You can install Traefik with the following flavors:
@@ -11,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.9/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.9/traefik.sample.toml)

 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.4
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.9
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -24,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.1.4`
+    ex: `traefik:v2.9`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

@@ -101,13 +106,13 @@ helm install traefik traefik/traefik

 This HelmChart does not expose the Traefik dashboard by default, for security concerns.
 Thus, there are multiple ways to expose the dashboard.
-For instance, the dashboard access could be achieved through a port-forward :
+For instance, the dashboard access could be achieved through a port-forward:

 ```shell
 kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
 ```

-Accessible with the url: http://127.0.0.1:9000/dashboard/
+It can then be reached at: `http://127.0.0.1:9000/dashboard/`

 Another way would be to apply your own configuration, for instance,
 by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
@@ -173,3 +178,5 @@ And run it:
 ## Compile your Binary from the Sources

 All the details are available in the [Contributing Guide](../contributing/building-testing.md)
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -0,0 +1,318 @@
+---
+title: "Traefik Getting Started With Kubernetes"
+description: "Looking to get started with Traefik Proxy? Read the technical documentation to learn a simple use case that leverages Kubernetes."
+---
+
+# Quick Start
+
+A Simple Use Case of Traefik Proxy and Kubernetes
+{: .subtitle }
+
+This guide is an introduction to using Traefik Proxy in a Kubernetes environment.
+The objective is to learn how to run an application behind a Traefik reverse proxy in Kubernetes.
+It presents and explains the basic blocks required to start with Traefik such as Ingress Controller, Ingresses, Deployments, static, and dynamic configuration.
+
+## Permissions and Accesses
+
+Traefik uses the Kubernetes API to discover running services.
+
+In order to use the Kubernetes API, Traefik needs some permissions.
+This [permission mechanism](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) is based on roles defined by the cluster administrator.
+The role is then bound to an account used by an application, in this case, Traefik Proxy.
+
+The first step is to create the role.
+The [`ClusterRole`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole) resource enumerates the resources and actions available for the role.
+In a file called `00-role.yml`, put the following `ClusterRole`:
+
+```yaml tab="00-role.yml"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+```
+
+!!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."
+
+The next step is to create a dedicated service account for Traefik.
+In a file called `00-account.yml`, put the following [`ServiceAccount`](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/#ServiceAccount) resource:
+
+```yaml tab="00-account.yml"
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-account
+```
+
+And then, bind the role on the account to apply the permissions and rules on the latter. In a file called `01-role-binding.yml`, put the
+following [`ClusterRoleBinding`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/#ClusterRoleBinding) resource:
+
+```yaml tab="01-role-binding.yml"
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role-binding
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-role
+subjects:
+  - kind: ServiceAccount
+    name: traefik-account
+    namespace: default # Using "default" because we did not specify a namespace when creating the ClusterAccount.
+```
+
+!!! info "`roleRef` is the Kubernetes reference to the role created in `00-role.yml`."
+
+!!! info "`subjects` is the list of accounts reference."
+
+    In this guide, it only contains the account created in `00-account.yml`
+
+## Deployment and Exposition
+
+!!! info "This section can be managed with the help of the [Traefik Helm chart](../install-traefik/#use-the-helm-chart)."
+
+The [ingress controller](https://traefik.io/glossary/kubernetes-ingress-and-ingress-controller-101/#what-is-a-kubernetes-ingress-controller)
+is a software that runs in the same way as any other application on a cluster.
+To start Traefik on the Kubernetes cluster,
+a [`Deployment`](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/) resource must exist to describe how to configure
+and scale containers horizontally to support larger workloads.
+
+Start by creating a file called `02-traefik.yml` and paste the following `Deployment` resource:
+
+```yaml tab="02-traefik.yml"
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: traefik-deployment
+  labels:
+    app: traefik
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik-account
+      containers:
+        - name: traefik
+          image: traefik:v2.9
+          args:
+            - --api.insecure
+            - --providers.kubernetesingress
+          ports:
+            - name: web
+              containerPort: 80
+            - name: dashboard
+              containerPort: 8080
+```
+
+The deployment contains an important attribute for customizing Traefik: `args`.
+These arguments are the static configuration for Traefik.
+From here, it is possible to enable the dashboard,
+configure entry points,
+select dynamic configuration providers,
+and [more](../reference/static-configuration/cli.md)...
+
+In this deployment,
+the static configuration enables the Traefik dashboard,
+and uses Kubernetes native Ingress resources as router definitions to route incoming requests.
+
+!!! info "When there is no entry point in the static configuration"
+
+    Traefik creates a default one called `web` using the port `80` routing HTTP requests.
+
+!!! info "When enabling the [`api.insecure`](../../operations/api/#insecure) mode, Traefik exposes the dashboard on the port `8080`."
+
+A deployment manages scaling and then can create lots of containers, called [Pods](https://kubernetes.io/docs/concepts/workloads/pods/).
+Each Pod is configured following the `spec` field in the deployment.
+Given that, a Deployment can run multiple Traefik Proxy Pods,
+a piece is required to forward the traffic to any of the instance:
+namely a [`Service`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#Service).
+Create a file called `02-traefik-services.yml` and insert the two `Service` resources:
+
+```yaml tab="02-traefik-services.yml"
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-dashboard-service
+
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 8080
+      targetPort: dashboard
+  selector:
+    app: traefik
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-web-service
+
+spec:
+  type: LoadBalancer
+  ports:
+    - targetPort: web
+      port: 80
+  selector:
+    app: traefik
+```
+
+!!! warning "It is possible to expose a service in different ways."
+
+    Depending on your working environment and use case, the `spec.type` might change.
+    It is strongly recommended to understand the available [service types](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) before proceeding to the next step.
+
+It is now time to apply those files on your cluster to start Traefik.
+
+```shell
+kubectl apply -f 00-role.yml \
+              -f 00-account.yml \
+              -f 01-role-binding.yml \
+              -f 02-traefik.yml \
+              -f 02-traefik-services.yml
+```
+
+## Proxying applications
+
+The only part still missing is the business application behind the reverse proxy.
+For this guide, we use the example application [traefik/whoami](https://github.com/traefik/whoami),
+but the principles are applicable to any other application.
+
+The `whoami` application is a simple HTTP server running on port 80 which answers host-related information to the incoming requests.
+As usual, start by creating a file called `03-whoami.yml` and paste the following `Deployment` resource:
+
+```yaml tab="03-whoami.yml"
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami
+          ports:
+            - name: web
+              containerPort: 80
+```
+
+And continue by creating the following `Service` resource in a file called `03-whoami-services.yml`:
+
+```yaml tab="03-whoami-services.yml"
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+
+spec:
+  ports:
+    - name: web
+      port: 80
+      targetPort: web
+      
+  selector:
+    app: whoami
+```
+
+Thanks to the Kubernetes API,
+Traefik is notified when an Ingress resource is created, updated, or deleted.
+This makes the process dynamic.
+The ingresses are, in a way, the [dynamic configuration](../../providers/kubernetes-ingress/) for Traefik.
+
+!!! tip
+
+    Find more information on [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/),
+    and [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official Kubernetes documentation.
+
+Create a file called `04-whoami-ingress.yml` and insert the `Ingress` resource:
+
+```yaml tab="04-whoami-ingress.yml"
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whoami-ingress
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: whoami
+            port:
+              name: web
+```
+
+This `Ingress` configures Traefik to redirect any incoming requests starting with `/` to the `whoami:80` service.
+
+At this point, all the configurations are ready.
+It is time to apply those new files:
+
+```shell
+kubectl apply -f 03-whoami.yml \
+              -f 03-whoami-services.yml \
+              -f 04-whoami-ingress.yml
+```
+
+Now you should be able to access the `whoami` application and the Traefik dashboard.
+Load the dashboard on a web browser: [`http://localhost:8080`](http://localhost:8080).
+
+And now access the `whoami` application:
+
+```shell
+curl -v http://localhost/
+```
+
+!!! question "Going further"
+
+    - [Filter the ingresses](../providers/kubernetes-ingress.md#ingressclass) to use with [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
+    - Use [IngressRoute CRD](../providers/kubernetes-crd.md)
+    - Protect [ingresses with TLS](../routing/providers/kubernetes-ingress.md#enabling-tls-via-annotations)
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Getting Started Quickly"
+description: "Looking to get started with Traefik Proxy quickly? Read the technical documentation to learn a simple use case that leverages Docker."
+---
+
 # Quick Start

 A Simple Use Case Using Docker
@@ -15,7 +20,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v2 Traefik docker image
-    image: traefik:v2.4
+    image: traefik:v2.9
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -36,7 +41,7 @@ Start your `reverse-proxy` with the following command:
 docker-compose up -d reverse-proxy
 ```

-You can open a browser and go to [http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata) to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
+You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).

 ## Traefik Detects New Services and Creates the Route for You

@@ -61,7 +66,7 @@ Start the `whoami` service with the following command:
 docker-compose up -d whoami
 ```

-Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new container and updated its own configuration.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.

 When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, we're using curl)

@@ -85,7 +90,7 @@ Run more instances of your `whoami` service with the following command:
 docker-compose up -d --scale whoami=2
 ```

-Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new instance of the container.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.

 Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:

@@ -108,4 +113,7 @@ IP: 172.27.0.4
 ```

 !!! question "Where to Go Next?"
+
    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Let's Encrypt Documentation"
+description: "Learn how to configure Traefik Proxy to use an ACME provider like Let's Encrypt for automatic certificate generation. Read the technical documentation."
+---
+
 # Let's Encrypt

 Automatic HTTPS
@@ -23,7 +28,9 @@ Certificates are requested for domain names retrieved from the router's [dynamic

 You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! warning "Defining an [ACME challenge type](#the-different-acme-challenges) is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ??? note "Configuration Reference"

@@ -114,7 +121,7 @@ Please check the [configuration examples below](#configuration-examples) for mor
    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    ```

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ??? example "Single Domain from Router's Rule Example"

@@ -140,7 +147,11 @@ Please check the [configuration examples below](#configuration-examples) for mor

 Traefik automatically tracks the expiry date of ACME certificates it generates.

-If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
+By default, Traefik manages 90 days certificates,
+and starts to renew certificates 30 days before their expiry.
+
+When using a certificate resolver that issues certificates with custom durations,
+one can configure the certificates' duration with the [`certificatesDuration`](#certificatesduration) option.

 !!! info ""
    Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
@@ -154,7 +165,9 @@ When using LetsEncrypt with kubernetes, there are some known caveats with both t

 ## The Different ACME Challenges

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! warning "Defining one ACME challenge is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ### `tlsChallenge`

@@ -280,104 +293,124 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used

 For complete details, refer to your provider's _Additional configuration_ link.

-| Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
-|-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
-| [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
-| [ArvanCloud](https://www.arvancloud.com/en)                 | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
-| [Auroradns](https://www.pcextreme.com/dns-health-checks)    | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
-| [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
-| [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
-| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
-| [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
-| [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
-| [CloudDNS](https://vshosting.eu/)                           | `clouddns`     | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)     |
-| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
-| [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
-| [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
-| [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
-| [deSEC](https://desec.io)                                   | `desec`        | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)        |
-| [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
-| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
-| [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
-| [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
-| [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
-| [Domeneshop](https://domene.shop)                           | `domeneshop`   | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)   |
-| [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
-| [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
-| [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
-| [Dynu](https://www.dynu.com)                                | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
-| [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
-| [EdgeDNS](https://www.akamai.com/)                          | `edgedns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
-| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
-| [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
-| [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
-| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
-| [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
-| [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
-| [GoDaddy](https://godaddy.com/)                             | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
-| [Hetzner](https://hetzner.com)                              | `hetzner`      | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)      |
-| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
-| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
-| [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
-| [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
-| [Infoblox](https://www.infoblox.com/)                       | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
-| [Infomaniak](https://www.infomaniak.com)                    | `infomaniak`   | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)   |
-| [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
-| [ionos](https://ionos.com/)                                 | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)        |
-| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
-| [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
-| [Linode v4](https://www.linode.com)                         | `linode`       | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
-| [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
-| [Loopia](https://loopia.com/)                               | `loopia`       | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)       |
-| [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
-| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
-| [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
-| [Mythic Beasts](https://www.mythic-beasts.com)              | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
-| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
-| [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
-| [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
-| [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
-| [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
-| [Njalla](https://njal.la)                                   | `njalla`       | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)       |
-| [NS1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
-| [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
-| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
-| [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
-| [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
-| [Porkbun](https://porkbun.com/)                             | `porkbun`      | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)      |
-| [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
-| [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
-| [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
-| [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
-| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
-| [RimuHosting](https://rimuhosting.com)                      | `rimuhosting`  | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)  |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
-| [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
-| [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
-| [Servercow](https://servercow.de)                           | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
-| [Simply.com](https://www.simply.com/en/domains/)            | `simply`       | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)       |
-| [Sonic](https://www.sonic.com/)                             | `sonic`        | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)        |
-| [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
-| [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
-| [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
-| [VinylDNS](https://www.vinyldns.io)                         | `vinyldns`     | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)     |
-| [Vscale](https://vscale.io/)                                | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
-| [VULTR](https://www.vultr.com)                              | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
-| [WEDOS](https://www.wedos.com)                              | `wedos`        | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)        |
-| [Yandex](https://yandex.com)                                | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
-| [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
-| [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
+| Provider Name                                                                                      | Provider Code      | Environment Variables                                                                                                                       |                                                                                 |
+|----------------------------------------------------------------------------------------------------|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
+| [ACME DNS](https://github.com/joohoi/acme-dns)                                                     | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
+| [Alibaba Cloud](https://www.alibabacloud.com)                                                      | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
+| [all-inkl](https://all-inkl.com)                                                                   | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
+| [ArvanCloud](https://www.arvancloud.com/en)                                                        | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
+| [Auroradns](https://www.pcextreme.com/dns-health-checks)                                           | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
+| [Autodns](https://www.internetx.com/domains/autodns/)                                              | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
+| [Azure](https://azure.microsoft.com/services/dns/)                                                 | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)                                         | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
+| [Blue Cat](https://www.bluecatnetworks.com/)                                                       | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
+| [Checkdomain](https://www.checkdomain.de/)                                                         | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
+| [Civo](https://www.civo.com/)                                                                      | `civo`             | `CIVO_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
+| [CloudDNS](https://vshosting.eu/)                                                                  | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
+| [Cloudflare](https://www.cloudflare.com)                                                           | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
+| [ClouDNS](https://www.cloudns.net/)                                                                | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
+| [CloudXNS](https://www.cloudxns.net)                                                               | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa](https://www.conoha.jp)                                                                    | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
+| [Constellix](https://constellix.com)                                                               | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
+| [deSEC](https://desec.io)                                                                          | `desec`            | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
+| [DigitalOcean](https://www.digitalocean.com)                                                       | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
+| [DNS Made Easy](https://dnsmadeeasy.com)                                                           | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
+| [DNSimple](https://dnsimple.com)                                                                   | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
+| [DNSPod](https://www.dnspod.com/)                                                                  | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [Domain Offensive (do.de)](https://www.do.de/)                                                     | `dode`             | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
+| [Domeneshop](https://domene.shop)                                                                  | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
+| [DreamHost](https://www.dreamhost.com/)                                                            | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
+| [Duck DNS](https://www.duckdns.org/)                                                               | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
+| [Dyn](https://dyn.com)                                                                             | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [Dynu](https://www.dynu.com)                                                                       | `dynu`             | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
+| [EasyDNS](https://easydns.com/)                                                                    | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
+| [EdgeDNS](https://www.akamai.com/)                                                                 | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
+| [Epik](https://www.epik.com)                                                                       | `epik`             | `EPIK_SIGNATURE`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/epik)             |
+| [Exoscale](https://www.exoscale.com)                                                               | `exoscale`         | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)         |
+| [Fast DNS](https://www.akamai.com/)                                                                | `fastdns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
+| [Freemyip.com](https://freemyip.com)                                                               | `freemyip`         | `FREEMYIP_TOKEN`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)         |
+| [G-Core Lab](https://gcorelabs.com/dns/)                                                           | `gcore`            | `GCORE_PERMANENT_API_TOKEN`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)            |
+| [Gandi v5](https://doc.livedns.gandi.net)                                                          | `gandiv5`          | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)          |
+| [Gandi](https://www.gandi.net)                                                                     | `gandi`            | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)            |
+| [Glesys](https://glesys.com/)                                                                      | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
+| [GoDaddy](https://godaddy.com/)                                                                    | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/)                                             | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
+| [Hetzner](https://hetzner.com)                                                                     | `hetzner`          | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
+| [hosting.de](https://www.hosting.de)                                                               | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
+| [Hosttech](https://www.hosttech.eu)                                                                | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
+| [Hurricane Electric](https://dns.he.net)                                                           | `hurricane`        | `HURRICANE_TOKENS` [^6]                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)        |
+| [HyperOne](https://www.hyperone.com)                                                               | `hyperone`         | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)         |
+| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                                                | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
+| [IIJ DNS Platform Service](https://www.iij.ad.jp)                                                  | `iijdpf`           | `IIJ_DPF_API_TOKEN` , `IIJ_DPF_DPM_SERVICE_CODE`                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/iijdpf)           |
+| [IIJ](https://www.iij.ad.jp/)                                                                      | `iij`              | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)              |
+| [Infoblox](https://www.infoblox.com/)                                                              | `infoblox`         | `INFOBLOX_USERNAME`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)         |
+| [Infomaniak](https://www.infomaniak.com)                                                           | `infomaniak`       | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)       |
+| [Internet.bs](https://internetbs.net)                                                              | `internetbs`       | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)       |
+| [INWX](https://www.inwx.de/en)                                                                     | `inwx`             | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)             |
+| [ionos](https://ionos.com/)                                                                        | `ionos`            | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)            |
+| [iwantmyname](https://iwantmyname.com)                                                             | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
+| [Joker.com](https://joker.com)                                                                     | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
+| [Lightsail](https://aws.amazon.com/lightsail/)                                                     | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
+| [Linode v4](https://www.linode.com)                                                                | `linode`           | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
+| [Liquid Web](https://www.liquidweb.com/)                                                           | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
+| [Loopia](https://loopia.com/)                                                                      | `loopia`           | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)           |
+| [LuaDNS](https://luadns.com)                                                                       | `luadns`           | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)           |
+| [MyDNS.jp](https://www.mydns.jp/)                                                                  | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
+| [Mythic Beasts](https://www.mythic-beasts.com)                                                     | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
+| [name.com](https://www.name.com/)                                                                  | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
+| [Namecheap](https://www.namecheap.com)                                                             | `namecheap`        | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)        |
+| [Namesilo](https://www.namesilo.com/)                                                              | `namesilo`         | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)         |
+| [NearlyFreeSpeech.NET](https://www.nearlyfreespeech.net/)                                          | `nearlyfreespeech` | `NEARLYFREESPEECH_API_KEY`, `NEARLYFREESPEECH_LOGIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/nearlyfreespeech) |
+| [Netcup](https://www.netcup.eu/)                                                                   | `netcup`           | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)           |
+| [Netlify](https://www.netlify.com)                                                                 | `netlify`          | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)          |
+| [Nicmanager](https://www.nicmanager.com)                                                           | `nicmanager`       | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)       |
+| [NIFCloud](https://cloud.nifty.com/service/dns.htm)                                                | `nifcloud`         | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)         |
+| [Njalla](https://njal.la)                                                                          | `njalla`           | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)           |
+| [NS1](https://ns1.com/)                                                                            | `ns1`              | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)              |
+| [Open Telekom Cloud](https://cloud.telekom.de)                                                     | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
+| [Openstack Designate](https://docs.openstack.org/designate)                                        | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
+| [Oracle Cloud](https://cloud.oracle.com/home)                                                      | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
+| [OVH](https://www.ovh.com)                                                                         | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
+| [Porkbun](https://porkbun.com/)                                                                    | `porkbun`          | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)          |
+| [PowerDNS](https://www.powerdns.com)                                                               | `pdns`             | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)             |
+| [Rackspace](https://www.rackspace.com/cloud/dns)                                                   | `rackspace`        | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)        |
+| [reg.ru](https://www.reg.ru)                                                                       | `regru`            | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)            |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)                                                     | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
+| [RimuHosting](https://rimuhosting.com)                                                             | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
+| [Route 53](https://aws.amazon.com/route53/)                                                        | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [Sakura Cloud](https://cloud.sakura.ad.jp/)                                                        | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
+| [Scaleway](https://www.scaleway.com)                                                               | `scaleway`         | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
+| [Selectel](https://selectel.ru/en/)                                                                | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
+| [Servercow](https://servercow.de)                                                                  | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
+| [Simply.com](https://www.simply.com/en/domains/)                                                   | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
+| [Sonic](https://www.sonic.com/)                                                                    | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
+| [Stackpath](https://www.stackpath.com/)                                                            | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
+| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)                                         | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [TransIP](https://www.transip.nl/)                                                                 | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
+| [UKFast SafeDNS](https://www.ans.co.uk/cloud-and-infrastructure/dedicated-servers/dns-management/) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
+| [Variomedia](https://www.variomedia.de/)                                                           | `variomedia`       | `VARIOMEDIA_API_TOKEN`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia)       |
+| [VegaDNS](https://github.com/shupp/VegaDNS-API)                                                    | `vegadns`          | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)          |
+| [Vercel](https://vercel.com)                                                                       | `vercel`           | `VERCEL_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)           |
+| [Versio](https://www.versio.nl/domeinnamen)                                                        | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
+| [VinylDNS](https://www.vinyldns.io)                                                                | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
+| [VK Cloud](https://mcs.mail.ru/)                                                                   | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
+| [Vscale](https://vscale.io/)                                                                       | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
+| [VULTR](https://www.vultr.com)                                                                     | `vultr`            | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
+| [WEDOS](https://www.wedos.com)                                                                     | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
+| [Yandex Cloud](https://cloud.yandex.com/en/)                                                       | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
+| [Yandex](https://yandex.com)                                                                       | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
+| [Zone.ee](https://www.zone.ee)                                                                     | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [Zonomi](https://zonomi.com)                                                                       | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
+| External Program                                                                                   | `exec`             | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
+| HTTP request                                                                                       | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
+| manual                                                                                             | `manual`           | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                                 |

-[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production)
+[^1]: More information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/).
+[^2]: [Providing credentials to your application](https://cloud.google.com/docs/authentication/production).
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
+[^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.

 !!! info "`delayBeforeCheck`"
    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
@@ -525,6 +558,50 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 !!! warning
    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.

+### `certificatesDuration`
+
+_Optional, Default=2160_
+
+The `certificatesDuration` option defines the certificates' duration in hours.
+It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
+
+!!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      certificatesDuration: 72
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  certificatesDuration=72
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.certificatesduration=72
+# ...
+```
+
+`certificatesDuration` is used to calculate two durations:
+
+- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
+- `Renew Interval`: the interval between renew attempts.
+
+| Certificate Duration | Renew Period      | Renew Interval          |
+|----------------------|-------------------|-------------------------|
+| >= 1 year            | 4 months          | 1 week                  |
+| >= 90 days           | 30 days           | 1 day                   |
+| >= 7 days            | 1 day             | 1 hour                  |
+| >= 24 hours          | 6 hours           | 10 min                  |
+| < 24 hours           | 20 min            | 1 min                   |
+
 ### `preferredChain`

 _Optional, Default=""_
@@ -552,7 +629,7 @@ certificatesResolvers:

 ```bash tab="CLI"
 # ...
--certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
+--certificatesresolvers.myresolver.acme.preferredChain=ISRG Root X1
 # ...
 ```

@@ -580,7 +657,7 @@ certificatesResolvers:

 ```bash tab="CLI"
 # ...
--certificatesresolvers.myresolver.acme.keyType="RSA4096"
+--certificatesresolvers.myresolver.acme.keyType=RSA4096
 # ...
 ```

@@ -589,8 +666,10 @@ certificatesResolvers:
 If Let's Encrypt is not reachable, the following certificates will apply:

  1. Previously generated ACME certificates (before downtime)
-  1. Expired ACME certificates
-  1. Provided certificates
+  2. Expired ACME certificates
+  3. Provided certificates

 !!! important
    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/overview.md
+++ b/docs/content/https/overview.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Proxy  HTTPS & TLS Overview |Traefik Docs"
+description: "Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration: routers, and the TLS connection. Read the documentation to learn more."
+---
+
 # HTTPS & TLS

 Overview
@@ -14,3 +19,5 @@ The next sections of this documentation explain how to configure the TLS connect
 That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/ref-acme.toml
+++ b/docs/content/https/ref-acme.toml
@@ -22,6 +22,14 @@
  #
  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

+  # The certificates' duration in hours.
+  # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+  #
+  # Optional
+  # Default: 2160
+  #
+  # certificatesDuration=2160
+
  # Preferred chain to use.
  #
  # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/ref-acme.txt
+++ b/docs/content/https/ref-acme.txt
@@ -21,6 +21,14 @@
 #
 --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

+# The certificates' duration in hours.
+# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+#
+# Optional
+# Default: 2160
+#
+--certificatesresolvers.myresolver.acme.certificatesDuration=2160
+
 # Preferred chain to use.
 #
 # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/ref-acme.yaml
+++ b/docs/content/https/ref-acme.yaml
@@ -24,6 +24,14 @@ certificatesResolvers:
      #
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

+      # The certificates' duration in hours.
+      # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+      #
+      # Optional
+      # Default: 2160
+      #
+      # certificatesDuration: 2160
+
      # Preferred chain to use.
      #
      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik TLS Documentation"
+description: "Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation."
+---
+
 # TLS

 Transport Layer Security
@@ -128,7 +133,99 @@ tls:
      keyFile  = "path/to/cert.key"
 ```

-If no default certificate is provided, Traefik generates and uses a self-signed certificate.
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultCertificate:
+    secretName: default-certificate
+    
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default-certificate
+  namespace: default
+  
+type: Opaque
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+If no `defaultCertificate` is provided, Traefik will use the generated one.
+
+### ACME Default Certificate
+
+You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate.
+The configuration to resolve the default certificate should be defined in a TLS store:
+
+!!! important "Precedence with the `defaultGeneratedCert` option"
+
+    The `defaultGeneratedCert` definition takes precedence over the ACME default certificate configuration.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: myresolver
+        domain:
+          main: example.org
+          sans:
+            - foo.example.org
+            - bar.example.org
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default.defaultGeneratedCert]
+    resolver = "myresolver"
+    [tls.stores.default.defaultGeneratedCert.domain]
+      main = "example.org"
+      sans = ["foo.example.org", "bar.example.org"]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultGeneratedCert:
+    resolver: myresolver
+    domain:
+      main: example.org
+      sans:
+        - foo.example.org
+        - bar.example.org
+```
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.tls.stores.default.defaultgeneratedcert.resolver": "myresolver",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.main": "example.org",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.sans": "foo.example.org, bar.example.org",
+}
+```

 ## TLS Options

@@ -143,11 +240,11 @@ The TLS options allow one to configure some parameters of the TLS connection.
    you must specify the provider namespace, for example:  
    `traefik.http.routers.myrouter.tls.options=myoptions@file`

-!!! important "TLSOptions in Kubernetes"
+!!! important "TLSOption in Kubernetes"

-    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
    if not explicitly overwritten, should apply to all ingresses.  
-    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    To achieve that, you'll have to create a TLSOption resource with the name `default`.
    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
    you'll have to add an annotation to the Ingress in the following form:
@@ -335,8 +432,9 @@ spec:

 ### Strict SNI Checking

-With strict SNI checking enabled, Traefik won't allow connections from clients
-that do not specify a server_name extension or don't match any certificate configured on the tlsOption.
+With strict SNI checking enabled, Traefik won't allow connections from clients that do not specify a server_name extension
+or don't match any of the configured certificates.
+The default certificate is irrelevant on that matter.

 ```yaml tab="File (YAML)"
 # Dynamic configuration
@@ -366,10 +464,14 @@ spec:
  sniStrict: true
 ```

-### Prefer Server Cipher Suites
+### ALPN Protocols

-This option allows the server to choose its most preferred cipher suite instead of the client's.
-Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
+_Optional, Default="h2, http/1.1, acme-tls/1"_
+
+This option allows to specify the list of supported application level protocols for the TLS handshake,
+in order of preference.
+If the client supports ALPN, the selected protocol will be one from this list, 
+and the connection will fail if there is no mutually supported protocol.

 ```yaml tab="File (YAML)"
 # Dynamic configuration
@@ -377,7 +479,9 @@ Please note that this is enabled automatically when `minVersion` or `maxVersion`
 tls:
  options:
    default:
-      preferServerCipherSuites: true
+      alpnProtocols:
+        - http/1.1
+        - h2
 ```

 ```toml tab="File (TOML)"
@@ -385,7 +489,7 @@ tls:

 [tls.options]
  [tls.options.default]
-    preferServerCipherSuites = true
+    alpnProtocols = ["http/1.1", "h2"]
 ```

 ```yaml tab="Kubernetes"
@@ -396,7 +500,9 @@ metadata:
  namespace: default

 spec:
-  preferServerCipherSuites: true
+  alpnProtocols:
+    - http/1.1
+    - h2
 ```

 ### Client Authentication (mTLS)
@@ -447,8 +553,10 @@ metadata:

 spec:
  clientAuth:
-    # the CA certificate is extracted from key `tls.ca` of the given secrets.
+    # the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
    secretNames:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/includes/.markdownlint.json
+++ b/docs/content/includes/.markdownlint.json
@@ -0,0 +1,4 @@
+{
+  "extends": "../../.markdownlint.json",
+  "MD041": false
+}
--- a/docs/content/includes/traefik-for-business-applications.md
+++ b/docs/content/includes/traefik-for-business-applications.md
@@ -0,0 +1,16 @@
+---
+
+!!! question "Using Traefik for Business Applications?"
+
+    If you are using Traefik for commercial applications,
+    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
+    You can use it as your:
+
+    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
+    - [Docker Swarm Ingress Controller](https://traefik.io/solutions/docker-swarm-ingress/)
+    - [API Gateway](https://traefik.io/solutions/api-gateway/)
+
+    Traefik Enterprise enables centralized access management,
+    distributed Let's Encrypt,
+    and other advanced capabilities.
+    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -1,3 +1,7 @@
+---
+title: "Traefik Proxy Documentation"
+description: "Traefik Proxy, an open source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
+---

 # Welcome

@@ -22,7 +26,8 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo

    Join our user friendly and active [Community Forum](https://community.traefik.io) to discuss, learn, and connect with the traefik community.
    
-    If you're a business running critical services behind Traefik,
-    know that [Traefik Labs](https://traefik.io), the company that sponsors Traefik's development,
-    can provide [commercial support](https://info.traefik.io/commercial-services)
-    and develops an [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik.
+    Using Traefik for commercial applications?
+    Consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik as your [Kubernetes Ingress](https://traefik.io/solutions/kubernetes-ingress/), 
+    your [Docker Swarm Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/), 
+    or your [API gateway](https://traefik.io/solutions/api-gateway/). 
+    Get started with a [free 30-day trial](https://info.traefik.io/get-traefik-enterprise-free-for-30-days).
--- a/docs/content/middlewares/errorpages.md
+++ b/docs/content/middlewares/errorpages.md
@@ -1,117 +0,0 @@
-# ErrorPage
-
-It Has Never Been Easier to Say That Something Went Wrong
-{: .subtitle }
-
-![ErrorPages](../assets/img/middleware/errorpages.png)
-
-The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-
-!!! important
-    The error page itself is _not_ hosted by Traefik.
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Dynamic Custom Error Page for 5XX Status Code
-labels:
-  - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
-  - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
-  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: test-errorpage
-spec:
-  errors:
-    status:
-      - "500-599"
-    query: /{status}.html
-    service:
-      name: whoami
-      port: 80
-```
-
-```yaml tab="Consul Catalog"
-# Dynamic Custom Error Page for 5XX Status Code
- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-errorpage.errors.status": "500-599",
-  "traefik.http.middlewares.test-errorpage.errors.service": "serviceError",
-  "traefik.http.middlewares.test-errorpage.errors.query": "/{status}.html"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Custom Error Page for 5XX Status Code
-labels:
-  - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
-  - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
-  - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
-```
-
-```yaml tab="File (YAML)"
-# Custom Error Page for 5XX
-http:
-  middlewares:
-    test-errorpage:
-      errors:
-        status:
-          - "500-599"
-        service: serviceError
-        query: "/{status}.html"
-
-  services:
-    # ... definition of error-handler-service and my-service
-```
-
-```toml tab="File (TOML)"
-# Custom Error Page for 5XX
-[http.middlewares]
-  [http.middlewares.test-errorpage.errors]
-    status = ["500-599"]
-    service = "serviceError"
-    query = "/{status}.html"
-
-[http.services]
-  # ... definition of error-handler-service and my-service
-```
-
-!!! note ""
-
-    In this example, the error page URL is based on the status code (`query=/{status}.html`).
-
-## Configuration Options
-
-### `status`
-
-The `status` option defines which status or range of statuses should result in an error page.
-
-The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
-
-!!! note ""
-
-    You can define either a status code as a number (`500`),
-    as multiple comma-separated numbers (`500,502`),
-    as ranges by separating two codes with a dash (`500-599`),
-    or a combination of the two (`404,418,500-599`).
-
-### `service`
-
-The service that will serve the new requested error page.
-
-!!! note ""
-
-    In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.
-
-### `query`
-
-The URL for the error page (hosted by `service`). You can use the `{status}` variable in the `query` option in order to insert the status code in the URL.
--- a/docs/content/middlewares/http/addprefix.md
+++ b/docs/content/middlewares/http/addprefix.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik AddPrefix Documentation"
+description: "Learn how to implement the HTTP AddPrefix middleware in Traefik Proxy to updates request paths before being forwarded. Read the technical documentation."
+---
+
 # Add Prefix

 Prefixing the Path
 {: .subtitle }

-![AddPrefix](../assets/img/middleware/addprefix.png)
+![AddPrefix](../../assets/img/middleware/addprefix.png)

 The AddPrefix middleware updates the path of a request before forwarding it.

--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik BasicAuth Documentation"
+description: "The HTTP basic authentication (BasicAuth) middleware in Traefik Proxy restricts access to your Services to known users. Read the technical documentation."
+---
+
 # BasicAuth

 Adding Basic Authentication
 {: .subtitle }

-![BasicAuth](../assets/img/middleware/basicauth.png)
+![BasicAuth](../../assets/img/middleware/basicauth.png)

 The BasicAuth middleware restricts access to your services to known users.

@@ -88,12 +93,21 @@ The `users` option is an array of authorized users. Each user must be declared u
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

+!!! note "Kubernetes kubernetes.io/basic-auth secret type"
+    
+    Kubernetes supports a special `kubernetes.io/basic-auth` secret type.
+    This secret must contain two keys: `username` and `password`.
+    Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
+    You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
+
 ```yaml tab="Docker"
 # Declaring the user list
 #
-# Note: all dollar signs in the hash need to be doubled for escaping.
+# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+#
+# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
@@ -118,11 +132,24 @@ kind: Secret
 metadata:
  name: authsecret
  namespace: default
-
 data:
  users: |2
    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+
+---
+# This is an alternate auth secret that demonstrates the basic-auth secret type.
+# Note: the password is not hashed, and is merely base64 encoded.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret2
+  namespace: default
+type: kubernetes.io/basic-auth
+data:
+  username: dXNlcg== # username: user
+  password: cGFzc3dvcmQ= # password: password
 ```

 ```yaml tab="Consul Catalog"
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik Buffering Documentation"
+description: "The HTTP buffering middleware in Traefik Proxy limits the size of requests that can be forwarded to Services. Read the technical documentation."
+---
+
 # Buffering

 How to Read the Request before Forwarding It
 {: .subtitle }

-![Buffering](../assets/img/middleware/buffering.png)
+![Buffering](../../assets/img/middleware/buffering.png)

 The Buffering middleware limits the size of requests that can be forwarded to services.

@@ -67,9 +72,11 @@ http:

 ### `maxRequestBodyBytes`

+_Optional, Default=0_
+
 The `maxRequestBodyBytes` option configures the maximum allowed body size for the request (in bytes).

-If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413 (Request Entity Too Large)` response.
+If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413` (Request Entity Too Large) response.

 ```yaml tab="Docker"
 labels:
@@ -117,6 +124,8 @@ http:

 ### `memRequestBodyBytes`

+_Optional, Default=1048576_
+
 You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.

 ```yaml tab="Docker"
@@ -165,9 +174,11 @@ http:

 ### `maxResponseBodyBytes`

+_Optional, Default=0_
+
 The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).

-If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
+If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead.

 ```yaml tab="Docker"
 labels:
@@ -215,6 +226,8 @@ http:

 ### `memResponseBodyBytes`

+_Optional, Default=1048576_
+
 You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.

 ```yaml tab="Docker"
@@ -263,6 +276,8 @@ http:

 ### `retryExpression`

+_Optional, Default=""_
+
 You can have the Buffering middleware replay the request using `retryExpression`.

 ??? example "Retries once in the case of a network error"
--- a/docs/content/middlewares/http/chain.md
+++ b/docs/content/middlewares/http/chain.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik Command Line Documentation"
+description: "The HTTP chain middleware lets you define reusable combinations of other middleware, to reuse the same groups. Read the technical documentation."
+---
+
 # Chain

 When One Isn't Enough
 {: .subtitle }

-![Chain](../assets/img/middleware/chain.png)
+![Chain](../../assets/img/middleware/chain.png)

 The Chain middleware enables you to define reusable combinations of other pieces of middleware.
 It makes reusing the same groups easier.
--- a/docs/content/middlewares/http/circuitbreaker.md
+++ b/docs/content/middlewares/http/circuitbreaker.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik CircuitBreaker Documentation"
+description: "The HTTP circuit breaker in Traefik Proxy prevents stacking requests to unhealthy Services, resulting in cascading failures. Read the technical documentation."
+---
+
 # CircuitBreaker

 Don't Waste Time Calling Unhealthy Services
 {: .subtitle }

-![CircuitBreaker](../assets/img/middleware/circuitbreaker.png)
+![CircuitBreaker](../../assets/img/middleware/circuitbreaker.png)

 The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.

@@ -171,15 +176,18 @@ This behavior cannot be configured.

 ### `CheckPeriod`

-The interval used to evaluate `expression` and decide if the state of the circuit breaker must change.
-By default, `CheckPeriod` is 100ms. This value cannot be configured.
+_Optional, Default="100ms"_
+
+The interval between successive checks of the circuit breaker condition (when in standby state).

 ### `FallbackDuration`

-By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
+_Optional, Default="10s"_

-### `RecoveringDuration`
+The duration for which the circuit breaker will wait before trying to recover (from a tripped state).

-The duration of the recovering mode (recovering state).
+### `RecoveryDuration`

-By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.
+_Optional, Default="10s"_
+
+The duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik Compress Documentation"
+description: "Traefik Proxy's HTTP middleware lets you compress responses before sending them to the client. Read the technical documentation."
+---
+
 # Compress

 Compress Responses before Sending them to the Client
 {: .subtitle }

-![Compress](../assets/img/middleware/compress.png)
+![Compress](../../assets/img/middleware/compress.png)

 The Compress middleware uses gzip compression.

@@ -60,7 +65,7 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The response body is larger than `1400` bytes.
+    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
    * The `Accept-Encoding` request header contains `gzip`.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

@@ -122,3 +127,55 @@ http:
  [http.middlewares.test-compress.compress]
    excludedContentTypes = ["text/event-stream"]
 ```
+
+### `minResponseBodyBytes`
+
+`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+
+The default value is `1024`, which should be a reasonable value for most cases.
+
+Responses smaller than the specified values will not be compressed.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    minResponseBodyBytes: 1200
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.minresponsebodybytes": 1200
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        minResponseBodyBytes: 1200
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    minResponseBodyBytes = 1200
+```
--- a/docs/content/middlewares/http/contenttype.md
+++ b/docs/content/middlewares/http/contenttype.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik ContentType Documentation"
+description: "Traefik Proxy's HTTP middleware can automatically specify the content-type header if it has not been defined by the backend. Read the technical documentation."
+---
+
 # ContentType

 Handling Content-Type auto-detection
--- a/docs/content/middlewares/http/digestauth.md
+++ b/docs/content/middlewares/http/digestauth.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik DigestAuth Documentation"
+description: "Traefik Proxy's HTTP DigestAuth middleware restricts access to your services to known users. Read the technical documentation."
+---
+
 # DigestAuth

 Adding Digest Authentication
 {: .subtitle }

-![BasicAuth](../assets/img/middleware/digestauth.png)
+![BasicAuth](../../assets/img/middleware/digestauth.png)

 The DigestAuth middleware restricts access to your services to known users.

--- a/docs/content/middlewares/http/errorpages.md
+++ b/docs/content/middlewares/http/errorpages.md
@@ -0,0 +1,137 @@
+---
+title: "Traefik Errors Documentation"
+description: "In Traefik Proxy, the Errors middleware returns custom pages according to configured ranges of HTTP Status codes. Read the technical documentation."
+---
+
+# Errors
+
+It Has Never Been Easier to Say That Something Went Wrong
+{: .subtitle }
+
+![Errors](../../assets/img/middleware/errorpages.png)
+
+The Errors middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
+
+!!! important
+
+    The error page itself is _not_ hosted by Traefik.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Dynamic Custom Error Page for 5XX Status Code
+labels:
+  - "traefik.http.middlewares.test-errors.errors.status=500-599"
+  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-errors
+spec:
+  errors:
+    status:
+      - "500-599"
+    query: /{status}.html
+    service:
+      name: whoami
+      port: 80
+```
+
+```yaml tab="Consul Catalog"
+# Dynamic Custom Error Page for 5XX Status Code
+- "traefik.http.middlewares.test-errors.errors.status=500-599"
+- "traefik.http.middlewares.test-errors.errors.service=serviceError"
+- "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-errors.errors.status": "500-599",
+  "traefik.http.middlewares.test-errors.errors.service": "serviceError",
+  "traefik.http.middlewares.test-errors.errors.query": "/{status}.html"
+}
+```
+
+```yaml tab="Rancher"
+# Dynamic Custom Error Page for 5XX Status Code
+labels:
+  - "traefik.http.middlewares.test-errors.errors.status=500-599"
+  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+```
+
+```yaml tab="File (YAML)"
+# Custom Error Page for 5XX
+http:
+  middlewares:
+    test-errors:
+      errors:
+        status:
+          - "500-599"
+        service: serviceError
+        query: "/{status}.html"
+
+  services:
+    # ... definition of error-handler-service and my-service
+```
+
+```toml tab="File (TOML)"
+# Custom Error Page for 5XX
+[http.middlewares]
+  [http.middlewares.test-errors.errors]
+    status = ["500-599"]
+    service = "serviceError"
+    query = "/{status}.html"
+
+[http.services]
+  # ... definition of error-handler-service and my-service
+```
+
+!!! note ""
+
+    In this example, the error page URL is based on the status code (`query=/{status}.html`).
+
+## Configuration Options
+
+### `status`
+
+The `status` option defines which status or range of statuses should result in an error page.
+
+The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
+
+!!! note ""
+
+    You can define either a status code as a number (`500`),
+    as multiple comma-separated numbers (`500,502`),
+    as ranges by separating two codes with a dash (`500-599`),
+    or a combination of the two (`404,418,500-599`).
+
+### `service`
+
+The service that will serve the new requested error page.
+
+!!! note ""
+
+    In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.
+
+!!! info "Host Header"
+
+    By default, the client `Host` header value is forwarded to the configured error [service](#service).
+    To forward the `Host` value corresponding to the configured error service URL, the [passHostHeader](../../../routing/services/#pass-host-header) option must be set to `false`.
+
+### `query`
+
+The URL for the error page (hosted by [`service`](#service))).
+
+There are multiple variables that can be placed in the `query` option to insert values in the URL.
+
+The table below lists all the available variables and their associated values.
+
+| Variable   | Value                                                              |
+|------------|--------------------------------------------------------------------|
+| `{status}` | The response status code.                                          |
+| `{url}`    | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL. |
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik ForwardAuth Documentation"
+description: "In Traefik Proxy, the HTTP ForwardAuth middleware delegates authentication to an external Service. Read the technical documentation."
+---
+
 # ForwardAuth

 Using an External Service to Forward Authentication
 {: .subtitle }

-![AuthForward](../assets/img/middleware/authforward.png)
+![AuthForward](../../assets/img/middleware/authforward.png)

 The ForwardAuth middleware delegates authentication to an external service.
 If the service answers with a 2XX code, access is granted, and the original request is performed.
@@ -284,6 +289,12 @@ http:
    authResponseHeadersRegex = "^X-"
 ```

+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
+
 ### `authRequestHeaders`

 The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
@@ -343,11 +354,16 @@ http:

 ### `tls`

-The `tls` option is the TLS configuration from Traefik to the authentication server.
+_Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to the authentication server.

-Certificate Authority used for the secured connection to the authentication server.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secured connection to the authentication server,
+it defaults to the system bundle.

 ```yaml tab="Docker"
 labels:
@@ -373,7 +389,8 @@ metadata:
  namespace: default

 data:
-  ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  # Must contain a certificate under either a `tls.ca` or a `ca.crt` key. 
+  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
 ```

 ```yaml tab="Consul Catalog"
@@ -409,71 +426,12 @@ http:
      ca = "path/to/local.crt"
 ```

-#### `tls.caOptional`
+#### `cert`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
+_Optional_

-!!! warning ""
-
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
-
-When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
-
-When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    address: https://example.com/auth
-    tls:
-      caOptional: true
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        address: "https://example.com/auth"
-        tls:
-          caOptional: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    [http.middlewares.test-auth.forwardAuth.tls]
-      caOptional = true
-```
-
-#### `tls.cert`
-
-The public certificate used for the secure connection to the authentication server.
+`cert` is the path to the public certificate used for the secure connection to the authentication server.
+When using this option, setting the `key` option is required.

 ```yaml tab="Docker"
 labels:
@@ -546,9 +504,12 @@ http:

    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-#### `tls.key`
+#### `key`

-The private certificate used for the secure connection to the authentication server.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the authentication server.
+When using this option, setting the `cert` option is required.

 ```yaml tab="Docker"
 labels:
@@ -621,7 +582,9 @@ http:

    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -1,12 +1,19 @@
+---
+title: "Traefik Headers Documentation"
+description: "In Traefik Proxy, the HTTP headers middleware manages the headers of requests and responses. Read the technical documentation."
+---
+
 # Headers

 Managing Request/Response headers
 {: .subtitle }

-![Headers](../assets/img/middleware/headers.png)
+![Headers](../../assets/img/middleware/headers.png)

 The Headers middleware manages the headers of requests and responses.

+A set of forwarded headers are automatically added by default. See the [FAQ](../../getting-started/faq.md#what-are-the-forwarded-headers-when-proxying-http-requests) for more information.
+
 ## Configuration Examples

 ### Adding Headers to the Request and the Response
@@ -23,7 +30,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
  headers:
    customRequestHeaders:
@@ -86,7 +93,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
  headers:
    customRequestHeaders:
@@ -141,42 +148,42 @@ http:

 ### Using Security Headers

-Security-related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
+Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
 This functionality makes it possible to easily use security features by adding headers.

 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testHeader.headers.framedeny=true"
-  - "traefik.http.middlewares.testHeader.headers.sslredirect=true"
+  - "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
 ```

 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
  headers:
    frameDeny: true
-    sslRedirect: true
+    browserXssFilter: true
 ```

 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.framedeny=true"
- "traefik.http.middlewares.testheader.headers.sslredirect=true"
+- "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
 ```

 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.framedeny": "true",
-  "traefik.http.middlewares.testheader.headers.sslredirect": "true"
+  "traefik.http.middlewares.testheader.headers.browserxssfilter": "true"
 }
 ```

 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testheader.headers.framedeny=true"
-  - "traefik.http.middlewares.testheader.headers.sslredirect=true"
+  - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
 ```

 ```yaml tab="File (YAML)"
@@ -185,20 +192,22 @@ http:
    testHeader:
      headers:
        frameDeny: true
-        sslRedirect: true
+        browserXssFilter: true
 ```

 ```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    frameDeny = true
-    sslRedirect = true
+    browserXssFilter = true
 ```

 ### CORS Headers

 CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
 This functionality allows for more advanced security features to quickly be set.
+If CORS headers are set, then the middleware does not pass preflight requests to any service,
+instead the response will be generated and sent back to the client directly.

 ```yaml tab="Docker"
 labels:
@@ -212,7 +221,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
  headers:
    accessControlAllowMethods:
@@ -331,7 +340,9 @@ It allows all origins that contain any match of a regular expression in the `acc

 !!! tip

-    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.

 ### `accessControlExposeHeaders`

@@ -355,14 +366,26 @@ The `hostsProxyHeaders` option is a set of header keys that may hold a proxied h

 ### `sslRedirect`

+!!! warning
+
+    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
+
 The `sslRedirect` only allow HTTPS requests when set to `true`.

 ### `sslTemporaryRedirect`

+!!! warning
+
+    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
+
 Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).

 ### `sslHost`

+!!! warning
+
+    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
+
 The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.

 ### `sslProxyHeaders`
@@ -372,6 +395,10 @@ It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https

 ### `sslForceHost`

+!!! warning
+
+    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
+
 Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.

 ### `stsSeconds`
@@ -427,10 +454,20 @@ The `referrerPolicy` allows sites to control whether browsers forward the `Refer

 ### `featurePolicy`

+!!! warning
+
+    Deprecated in favor of `permissionsPolicy`
+
 The `featurePolicy` allows sites to control browser features.

+### `permissionsPolicy`
+
+The `permissionsPolicy` allows sites to control browser features.
+
 ### `isDevelopment`

 Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
 Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/inflightreq.md
+++ b/docs/content/middlewares/http/inflightreq.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik InFlightReq Documentation"
+description: "Traefik Proxy's HTTP middleware lets you limit the number of simultaneous in-flight requests. Read the technical documentation."
+---
+
 # InFlightReq

 Limiting the Number of Simultaneous In-Flight Requests
 {: .subtitle }

-![InFlightReq](../assets/img/middleware/inflightreq.png)
+![InFlightReq](../../assets/img/middleware/inflightreq.png)

 To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.

@@ -115,7 +120,7 @@ http:
 ### `sourceCriterion`

 The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
-The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If several strategies are defined at the same time, an error will be raised.
 If none are set, the default is to use the `requestHost`.

 #### `sourceCriterion.ipStrategy`
--- a/docs/content/middlewares/http/ipwhitelist.md
+++ b/docs/content/middlewares/http/ipwhitelist.md
@@ -1,9 +1,14 @@
+---
+title: "Traefik HTTP Middlewares IPWhiteList"
+description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+---
+
 # IPWhiteList

 Limiting Clients to Specific IPs
 {: .subtitle }

-![IpWhiteList](../assets/img/middleware/ipwhitelist.png)
+![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)

 IPWhitelist accepts / refuses requests based on the client IP.

@@ -92,8 +97,8 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 ```yaml tab="Docker"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```

 ```yaml tab="Kubernetes"
@@ -101,7 +106,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testIPwhitelist
+  name: test-ipwhitelist
 spec:
  ipWhiteList:
    sourceRange:
@@ -113,22 +118,22 @@ spec:

 ```yaml tab="Consul Catalog"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
 }
 ```

 ```yaml tab="Rancher"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```

 ```yaml tab="File (YAML)"
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -0,0 +1,161 @@
+---
+title: "Traefik Proxy HTTP Middleware Overview"
+description: "Read the official Traefik Proxy documentation for an overview of the available HTTP middleware."
+---
+
+# HTTP Middlewares
+
+Controlling connections
+{: .subtitle }
+
+![Overview](../../assets/img/middleware/overview.png)
+
+## Configuration Example
+
+```yaml tab="Docker"
+# As a Docker Label
+whoami:
+  #  A container that exposes an API to show its IP address
+  image: traefik/whoami
+  labels:
+    # Create a middleware named `foo-add-prefix`
+    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+    # Apply the middleware named `foo-add-prefix` to the router named `router1`
+    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
+```
+
+```yaml tab="Kubernetes IngressRoute"
+# As a Kubernetes Traefik IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: stripprefix
+spec:
+  stripPrefix:
+    prefixes:
+      - /stripit
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroute
+spec:
+# more fields...
+  routes:
+    # more fields...
+    middlewares:
+      - name: stripprefix
+```
+
+```yaml tab="Consul Catalog"
+# Create a middleware named `foo-add-prefix`
+- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+# Apply the middleware named `foo-add-prefix` to the router named `router1`
+- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
+}
+```
+
+```yaml tab="Rancher"
+# As a Rancher Label
+labels:
+  # Create a middleware named `foo-add-prefix`
+  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+  # Apply the middleware named `foo-add-prefix` to the router named `router1`
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
+```
+
+```toml tab="File (TOML)"
+# As TOML Configuration File
+[http.routers]
+  [http.routers.router1]
+    service = "service1"
+    middlewares = ["foo-add-prefix"]
+    rule = "Host(`example.com`)"
+
+[http.middlewares]
+  [http.middlewares.foo-add-prefix.addPrefix]
+    prefix = "/foo"
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
+```
+
+```yaml tab="File (YAML)"
+# As YAML Configuration File
+http:
+  routers:
+    router1:
+      service: service1
+      middlewares:
+        - "foo-add-prefix"
+      rule: "Host(`example.com`)"
+
+  middlewares:
+    foo-add-prefix:
+      addPrefix:
+        prefix: "/foo"
+
+  services:
+    service1:
+      loadBalancer:
+        servers:
+          - url: "http://127.0.0.1:80"
+```
+
+## Available HTTP Middlewares
+
+| Middleware                                | Purpose                                           | Area                        |
+|-------------------------------------------|---------------------------------------------------|-----------------------------|
+| [AddPrefix](addprefix.md)                 | Adds a Path Prefix                                | Path Modifier               |
+| [BasicAuth](basicauth.md)                 | Adds Basic Authentication                         | Security, Authentication    |
+| [Buffering](buffering.md)                 | Buffers the request/response                      | Request Lifecycle           |
+| [Chain](chain.md)                         | Combines multiple pieces of middleware            | Misc                        |
+| [CircuitBreaker](circuitbreaker.md)       | Prevents calling unhealthy services               | Request Lifecycle           |
+| [Compress](compress.md)                   | Compresses the response                           | Content Modifier            |
+| [ContentType](contenttype.md)             | Handles Content-Type auto-detection               | Misc                        |
+| [DigestAuth](digestauth.md)               | Adds Digest Authentication                        | Security, Authentication    |
+| [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
+| [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
+| [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
+| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
+| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
+| [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |
+| [RedirectScheme](redirectscheme.md)       | Redirects based on scheme                         | Request lifecycle           |
+| [RedirectRegex](redirectregex.md)         | Redirects based on regex                          | Request lifecycle           |
+| [ReplacePath](replacepath.md)             | Changes the path of the request                   | Path Modifier               |
+| [ReplacePathRegex](replacepathregex.md)   | Changes the path of the request                   | Path Modifier               |
+| [Retry](retry.md)                         | Automatically retries in case of error            | Request lifecycle           |
+| [StripPrefix](stripprefix.md)             | Changes the path of the request                   | Path Modifier               |
+| [StripPrefixRegex](stripprefixregex.md)   | Changes the path of the request                   | Path Modifier               |
+
+## Community Middlewares
+
+Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/passtlsclientcert.md
+++ b/docs/content/middlewares/http/passtlsclientcert.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik PassTLSClientCert Documentation"
+description: "In Traefik Proxy's HTTP middleware, the PassTLSClientCert adds selected data from passed client TLS certificates to headers. Read the technical documentation."
+---
+
 # PassTLSClientCert

 Adding Client Certificates in a Header
@@ -11,10 +16,10 @@ PassTLSClientCert adds the selected data from the passed client TLS certificate

 ## Configuration Examples

-Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.

 ```yaml tab="Docker"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
@@ -23,14 +28,14 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: addprefix
+  name: test-passtlsclientcert
 spec:
  passTLSClientCert:
    pem: true
 ```

 ```yaml tab="Consul Catalog"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

@@ -41,13 +46,13 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

 ```yaml tab="File (YAML)"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
  middlewares:
    test-passtlsclientcert:
@@ -56,13 +61,13 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 [http.middlewares]
  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
    pem = true
 ```

-??? example "Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
+??? example "Pass the pem in the `X-Forwarded-Tls-Client-Cert` header"

    ```yaml tab="Docker"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
@@ -76,6 +81,7 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -104,6 +110,7 @@ http:
            province: true
            locality: true
            organization: true
+            organizationalUnit: true
            commonName: true
            serialNumber: true
            domainComponent: true
@@ -127,6 +134,7 @@ http:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -148,6 +156,7 @@ http:
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
@@ -171,6 +180,7 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -197,6 +207,7 @@ http:
                province: true
                locality: true
                organization: true
+                organizationalUnit: true
                commonName: true
                serialNumber: true
                domainComponent: true
@@ -223,6 +234,7 @@ http:
            province = true
            locality = true
            organization = true
+            organizationalUnit = true
            commonName = true
            serialNumber = true
            domainComponent = true
@@ -242,13 +254,13 @@ http:

 PassTLSClientCert can add two headers to the request:

- `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
+- `X-Forwarded-Tls-Client-Cert` that contains the pem.
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.

 !!! info

-    * The headers are filled with escaped string so it can be safely placed inside a URL query.
-    * These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
+    * `X-Forwarded-Tls-Client-Cert-Info` header value is a string that has been escaped in order to be a valid URL query.
+    * These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.

 The following example shows a complete certificate and explains each of the middleware options.
@@ -359,7 +371,7 @@ The following example shows a complete certificate and explains each of the midd

 ### `pem`

-The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escaped certificate.
+The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the certificate.

 In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters:

@@ -412,15 +424,18 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"

    The header size limit of web servers is commonly between 4kb and 8kb.
-    You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
+    If that turns out to be a problem, and if reconfiguring the server to allow larger headers is not an option,
+    one can alleviate the problem by selecting only the interesting parts of the cert,
+    through the use of the `info` options described below. (And by setting `pem` to false).

 ### `info`

 The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

 The value of the header is an escaped concatenation of all the selected certificate details.
+But in the following, unless specified otherwise, all the header values examples are shown unescaped, for readability.

-The following example shows an unescaped result that uses all the available fields:
+The following example shows such a concatenation, when all the available fields are selected:

 ```text
 Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -430,6 +445,23 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO

    If there are more than one certificate, they are separated by a `,`.

+#### `info.serialNumber`
+
+Set the `info.serialNumber` option to `true` to add the `Serial Number` of the certificate.
+
+The data is taken from the following certificate part:
+
+```text
+Serial Number:
+   6a:2f:20:f8:ce:8d:48:52:ba:d9:bb:be:60:ec:bf:79
+```
+
+And it is formatted as follows in the header (decimal representation):
+
+```text
+SerialNumber="141142874255168551917600297745052909433"
+```
+
 #### `info.notAfter`

 Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.
@@ -437,11 +469,11 @@ Set the `info.notAfter` option to `true` to add the `Not After` information from
 The data is taken from the following certificate part:

 ```text
-    Validity
-        Not After : Dec  5 11:10:16 2020 GMT
+Validity
+    Not After : Dec  5 11:10:16 2020 GMT
 ```

-The escaped `notAfter` info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 NA="1607166616"
@@ -458,7 +490,7 @@ Validity
    Not Before: Dec  6 11:10:16 2018 GMT
 ```

-The escaped `notBefore` info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 NB="1544094616"
@@ -471,11 +503,11 @@ Set the `info.sans` option to `true` to add the `Subject Alternative Name` infor
 The data is taken from the following certificate part:

 ```text
- X509v3 Subject Alternative Name:
-    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
+X509v3 Subject Alternative Name:
+   DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```

-The escape SANs info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -501,7 +533,7 @@ Set the `info.subject.country` option to `true` to add the `country` information

 The data is taken from the subject part with the `C` key.

-The escape country info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 C=FR,C=US
@@ -513,7 +545,7 @@ Set the `info.subject.province` option to `true` to add the `province` informati

 The data is taken from the subject part with the `ST` key.

-The escape province info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 ST=Cheese org state,ST=Cheese com state
@@ -525,7 +557,7 @@ Set the `info.subject.locality` option to `true` to add the `locality` informati

 The data is taken from the subject part with the `L` key.

-The escape locality info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 L=TOULOUSE,L=LYON
@@ -537,19 +569,31 @@ Set the `info.subject.organization` option to `true` to add the `organization` i

 The data is taken from the subject part with the `O` key.

-The escape organization info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 O=Cheese,O=Cheese 2
 ```

+##### `info.subject.organizationalUnit`
+
+Set the `info.subject.organizationalUnit` option to `true` to add the `organizationalUnit` information into the subject.
+
+The data is taken from the subject part with the `OU` key.
+
+And it is formatted as follows in the header:
+
+```text
+OU=Cheese Section,OU=Cheese Section 2
+```
+
 ##### `info.subject.commonName`

 Set the `info.subject.commonName` option to `true` to add the `commonName` information into the subject.

 The data is taken from the subject part with the `CN` key.

-The escape common name info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 CN=*.example.com
@@ -561,7 +605,7 @@ Set the `info.subject.serialNumber` option to `true` to add the `serialNumber` i

 The data is taken from the subject part with the `SN` key.

-The escape serial number info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SN=1234567890
@@ -573,7 +617,7 @@ Set the `info.subject.domainComponent` option to `true` to add the `domainCompon

 The data is taken from the subject part with the `DC` key.

-The escape domain component info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 DC=org,DC=cheese
@@ -595,7 +639,7 @@ Set the `info.issuer.country` option to `true` to add the `country` information

 The data is taken from the issuer part with the `C` key.

-The escape country info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 C=FR,C=US
@@ -607,7 +651,7 @@ Set the `info.issuer.province` option to `true` to add the `province` informatio

 The data is taken from the issuer part with the `ST` key.

-The escape province info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 ST=Signing State,ST=Signing State 2
@@ -619,7 +663,7 @@ Set the `info.issuer.locality` option to `true` to add the `locality` informatio

 The data is taken from the issuer part with the `L` key.

-The escape locality info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 L=TOULOUSE,L=LYON
@@ -631,7 +675,7 @@ Set the `info.issuer.organization` option to `true` to add the `organization` in

 The data is taken from the issuer part with the `O` key.

-The escape organization info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 O=Cheese,O=Cheese 2
@@ -643,7 +687,7 @@ Set the `info.issuer.commonName` option to `true` to add the `commonName` inform

 The data is taken from the issuer part with the `CN` key.

-The escape common name info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 CN=Simple Signing CA 2
@@ -655,7 +699,7 @@ Set the `info.issuer.serialNumber` option to `true` to add the `serialNumber` in

 The data is taken from the issuer part with the `SN` key.

-The escape serial number info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SN=1234567890
@@ -667,7 +711,7 @@ Set the `info.issuer.domainComponent` option to `true` to add the `domainCompone

 The data is taken from the issuer part with the `DC` key.

-The escape domain component info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 DC=org,DC=cheese
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik RateLimit Documentation"
+description: "Traefik Proxy's HTTP RateLimit middleware ensures Services receive fair amounts of requests. Read the technical documentation."
+---
+
 # RateLimit

 To Control the Number of Requests Going to a Service
@@ -250,7 +255,7 @@ http:
 ### `sourceCriterion`

 The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
-The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If several strategies are defined at the same time, an error will be raised.
 If none are set, the default is to use the request's remote address field (as an `ipStrategy`).

 #### `sourceCriterion.ipStrategy`
--- a/docs/content/middlewares/http/redirectregex.md
+++ b/docs/content/middlewares/http/redirectregex.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik RedirectRegex Documentation"
+description: "In Traefik Proxy's HTTP middleware, RedirectRegex redirecting clients to different locations. Read the technical documentation."
+---
+
 # RedirectRegex

 Redirecting the Client to a Different Location
@@ -73,10 +78,6 @@ http:

 ## Configuration Options

-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
 ### `permanent`

 Set the `permanent` option to `true` to apply a permanent redirection.
@@ -85,6 +86,12 @@ Set the `permanent` option to `true` to apply a permanent redirection.

 The `regex` option is the regular expression to match and capture elements from the request URL.

+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
+
 ### `replacement`

 The `replacement` option defines how to modify the URL to have the new target URL.
--- a/docs/content/middlewares/http/redirectscheme.md
+++ b/docs/content/middlewares/http/redirectscheme.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik RedirectScheme Documentation"
+description: "In Traefik Proxy's HTTP middleware, RedirectScheme redirects clients to different schemes/ports. Read the technical documentation."
+---
+
 # RedirectScheme

 Redirecting the Client to a Different Scheme/Port
@@ -7,7 +12,16 @@ Redirecting the Client to a Different Scheme/Port
 TODO: add schema
 -->

-RedirectScheme redirects requests from a scheme/port to another.
+The RedirectScheme middleware redirects the request if the request scheme is different from the configured scheme.
+
+!!! warning "When behind another reverse-proxy"
+
+    When there is at least one other reverse-proxy between the client and Traefik, 
+    the other reverse-proxy (i.e. the last hop) needs to be a [trusted](../../routing/entrypoints.md#forwarded-headers) one. 
+    
+    Otherwise, Traefik would clean up the X-Forwarded headers coming from this last hop, 
+    and as the RedirectScheme middleware relies on them to determine the scheme used,
+    it would not function as intended.

 ## Configuration Examples

--- a/docs/content/middlewares/http/replacepath.md
+++ b/docs/content/middlewares/http/replacepath.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik ReplacePath Documentation"
+description: "In Traefik Proxy's HTTP middleware, ReplacePath updates paths before forwarding requests. Read the technical documentation."
+---
+
 # ReplacePath

 Updating the Path Before Forwarding the Request
--- a/docs/content/middlewares/http/replacepathregex.md
+++ b/docs/content/middlewares/http/replacepathregex.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik ReplacePathRegex Documentation"
+description: "In Traefik Proxy's HTTP middleware, ReplacePathRegex updates paths before forwarding requests, using a regex. Read the technical documentation."
+---
+
 # ReplacePathRegex

 Updating the Path Before Forwarding the Request (Using a Regex)
@@ -79,7 +84,9 @@ The ReplacePathRegex middleware will:

 !!! tip

-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or [Regex101](https://regex101.com/r/58sIgx/2).
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.

 ### `regex`

--- a/docs/content/middlewares/http/retry.md
+++ b/docs/content/middlewares/http/retry.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik HTTP Retry Documentation"
+description: "Configure Traefik Proxy's HTTP Retry middleware, so you can retry requests to a backend server until it succeeds. Read the technical documentation."
+---
+
 # Retry

 Retrying until it Succeeds
--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik StripPrefix Documentation"
+description: "In Traefik Proxy's HTTP middleware, StripPrefix removes prefixes from paths before forwarding requests. Read the technical documentation."
+---
+
 # StripPrefix

 Removing Prefixes From the Path Before Forwarding the Request
@@ -82,7 +87,7 @@ The `prefixes` option defines the prefixes to strip from the request URL.
 For instance, `/products` also matches `/products/shoes` and `/products/shirts`.

 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
-Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
+Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).

 ### `forceSlash`

--- a/docs/content/middlewares/http/stripprefixregex.md
+++ b/docs/content/middlewares/http/stripprefixregex.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik StripPrefixRegex Documentation"
+description: "In Traefik Proxy's HTTP middleware, StripPrefixRegex removes prefixes from paths before forwarding requests, using regex. Read the technical documentation."
+---
+
 # StripPrefixRegex

 Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
@@ -67,11 +72,13 @@ The StripPrefixRegex middleware strips the matching path prefix and stores it in

 The `regex` option is the regular expression to match the path prefix from the request URL.

-!!! tip
-
-    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
 For instance, `/products` also matches `/products/shoes` and `/products/shirts`.

 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
+
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik Proxy Middleware Overview"
+description: "There are several available middleware in Traefik Proxy used to modify requests or headers, take charge of redirections, add authentication, and so on."
+---
+
 # Middlewares

 Tweaking the Request
@@ -9,7 +14,7 @@ Attached to the routers, pieces of middleware are a means of tweaking the reques

 There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.

-Pieces of middleware can be combined in chains to fit every scenario.
+Middlewares that use the same protocol can be combined into chains to fit every scenario.

 !!! warning "Provider Namespace"

@@ -31,20 +36,6 @@ whoami:
 ```

 ```yaml tab="Kubernetes IngressRoute"
-# As a Kubernetes Traefik IngressRoute
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: middlewares.traefik.containo.us
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: Middleware
-    plural: middlewares
-    singular: middleware
-  scope: Namespaced
-
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
@@ -135,26 +126,8 @@ http:

 ## Available Middlewares

-| Middleware                                | Purpose                                           | Area                        |
-|-------------------------------------------|---------------------------------------------------|-----------------------------|
-| [AddPrefix](addprefix.md)                 | Add a Path Prefix                                 | Path Modifier               |
-| [BasicAuth](basicauth.md)                 | Basic auth mechanism                              | Security, Authentication    |
-| [Buffering](buffering.md)                 | Buffers the request/response                      | Request Lifecycle           |
-| [Chain](chain.md)                         | Combine multiple pieces of middleware             | Middleware tool             |
-| [CircuitBreaker](circuitbreaker.md)       | Stop calling unhealthy services                   | Request Lifecycle           |
-| [Compress](compress.md)                   | Compress the response                             | Content Modifier            |
-| [DigestAuth](digestauth.md)               | Adds Digest Authentication                        | Security, Authentication    |
-| [Errors](errorpages.md)                   | Define custom error pages                         | Request Lifecycle           |
-| [ForwardAuth](forwardauth.md)             | Authentication delegation                         | Security, Authentication    |
-| [Headers](headers.md)                     | Add / Update headers                              | Security                    |
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs                      | Security, Request lifecycle |
-| [InFlightReq](inflightreq.md)             | Limit the number of simultaneous connections      | Security, Request lifecycle |
-| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header            | Security                    |
-| [RateLimit](ratelimit.md)                 | Limit the call frequency                          | Security, Request lifecycle |
-| [RedirectScheme](redirectscheme.md)       | Redirect easily the client elsewhere              | Request lifecycle           |
-| [RedirectRegex](redirectregex.md)         | Redirect the client elsewhere                     | Request lifecycle           |
-| [ReplacePath](replacepath.md)             | Change the path of the request                    | Path Modifier               |
-| [ReplacePathRegex](replacepathregex.md)   | Change the path of the request                    | Path Modifier               |
-| [Retry](retry.md)                         | Automatically retry the request in case of errors | Request lifecycle           |
-| [StripPrefix](stripprefix.md)             | Change the path of the request                    | Path Modifier               |
-| [StripPrefixRegex](stripprefixregex.md)   | Change the path of the request                    | Path Modifier               |
+A list of HTTP middlewares can be found [here](http/overview.md).
+
+A list of TCP middlewares can be found [here](tcp/overview.md).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/tcp/inflightconn.md
+++ b/docs/content/middlewares/tcp/inflightconn.md
@@ -0,0 +1,63 @@
+# InFlightConn
+
+Limiting the Number of Simultaneous connections.
+{: .subtitle }
+
+To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous connections by IP can be limited.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: test-inflightconn
+spec:
+  inFlightConn:
+    amount: 10
+```
+
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections.
+labels:
+  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```yaml tab="File (YAML)"
+# Limiting to 10 simultaneous connections.
+tcp:
+  middlewares:
+    test-inflightconn:
+      inFlightConn:
+        amount: 10
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[tcp.middlewares]
+  [tcp.middlewares.test-inflightconn.inFlightConn]
+    amount = 10
+```
+
+## Configuration Options
+
+### `amount`
+
+The `amount` option defines the maximum amount of allowed simultaneous connections.
+The middleware closes the connection if there are already `amount` connections opened.
--- a/docs/content/middlewares/tcp/ipwhitelist.md
+++ b/docs/content/middlewares/tcp/ipwhitelist.md
@@ -0,0 +1,72 @@
+---
+title: "Traefik TCP Middlewares IPWhiteList"
+description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+---
+
+# IPWhiteList
+
+Limiting Clients to Specific IPs
+{: .subtitle }
+
+IPWhitelist accepts / refuses connections based on the client IP.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Accepts connections from defined IP
+labels:
+  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: test-ipwhitelist
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+# Accepts request from defined IP
+- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Accepts request from defined IP
+labels:
+  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```toml tab="File (TOML)"
+# Accepts request from defined IP
+[tcp.middlewares]
+  [tcp.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="File (YAML)"
+# Accepts request from defined IP
+tcp:
+  middlewares:
+    test-ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+```
+
+## Configuration Options
+
+### `sourceRange`
+
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -0,0 +1,140 @@
+---
+title: "Traefik Proxy TCP Middleware Overview"
+description: "Read the official Traefik Proxy documentation for an overview of the available TCP middleware."
+---
+
+# TCP Middlewares
+
+Controlling connections
+{: .subtitle }
+
+![Overview](../../assets/img/middleware/overview.png)
+
+## Configuration Example
+
+```yaml tab="Docker"
+# As a Docker Label
+whoami:
+  #  A container that exposes an API to show its IP address
+  image: traefik/whoami
+  labels:
+    # Create a middleware named `foo-ip-whitelist`
+    - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
+    - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
+```
+
+```yaml tab="Kubernetes IngressRoute"
+# As a Kubernetes Traefik IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewaretcps.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: MiddlewareTCP
+    plural: middlewaretcps
+    singular: middlewaretcp
+  scope: Namespaced
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: foo-ip-whitelist
+spec:
+  ipWhiteList:
+    sourcerange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ingressroute
+spec:
+# more fields...
+  routes:
+    # more fields...
+    middlewares:
+      - name: foo-ip-whitelist
+```
+
+```yaml tab="Consul Catalog"
+# Create a middleware named `foo-ip-whitelist`
+- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
+- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
+  "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
+}
+```
+
+```yaml tab="Rancher"
+# As a Rancher Label
+labels:
+  # Create a middleware named `foo-ip-whitelist`
+  - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
+  - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
+```
+
+```toml tab="File (TOML)"
+# As TOML Configuration File
+[tcp.routers]
+  [tcp.routers.router1]
+    service = "myService"
+    middlewares = ["foo-ip-whitelist"]
+    rule = "Host(`example.com`)"
+
+[tcp.middlewares]
+  [tcp.middlewares.foo-ip-whitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+
+[tcp.services]
+  [tcp.services.service1]
+    [tcp.services.service1.loadBalancer]
+    [[tcp.services.service1.loadBalancer.servers]]
+      address = "10.0.0.10:4000"
+    [[tcp.services.service1.loadBalancer.servers]]
+      address = "10.0.0.11:4000"
+```
+
+```yaml tab="File (YAML)"
+# As YAML Configuration File
+tcp:
+  routers:
+    router1:
+      service: myService
+      middlewares:
+        - "foo-ip-whitelist"
+      rule: "Host(`example.com`)"
+
+  middlewares:
+    foo-ip-whitelist:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+
+  services:
+    service1:
+      loadBalancer:
+        servers:
+        - address: "10.0.0.10:4000"
+        - address: "10.0.0.11:4000"
+```
+
+## Available TCP Middlewares
+
+| Middleware                                | Purpose                                           | Area                        |
+|-------------------------------------------|---------------------------------------------------|-----------------------------|
+| [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
+| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -1,3 +1,8 @@
+---
+title: "Traefik V2 Migration Documentation"
+description: "Migrate from Traefik Proxy v1 to v2 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
 # Migration Guide: From v1 to v2

 How to Migrate from Traefik v1 to Traefik v2.
@@ -104,7 +109,7 @@ Then any router can refer to an instance of the wanted middleware.

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
@@ -275,7 +280,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: TLSOption
    metadata:
@@ -327,7 +332,7 @@ With Traefik v2 it is applied on an entry point or a [Router](../routing/routers
 To apply a redirection:

 - on an entry point, the [HTTP redirection](../routing/entrypoints.md#redirection) has to be configured.
- on a router, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
+- on a router, one of the redirect middlewares, [RedirectRegex](../middlewares/http/redirectregex.md) or [RedirectScheme](../middlewares/http/redirectscheme.md), has to be configured and added to the router middlewares list.

 !!! example "Global HTTP to HTTPS redirection"

@@ -441,7 +446,7 @@ To apply a redirection:
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
-      name: http-redirect-ingressRoute
+      name: http-redirect-ingressroute

    spec:
      entryPoints:
@@ -459,7 +464,7 @@ To apply a redirection:
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
-      name: https-ingressRoute
+      name: https-ingressroute

    spec:
      entryPoints:
@@ -545,7 +550,7 @@ Use Case: Incoming requests to `http://example.org/admin` are forwarded to the w
 with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, you must:

 - First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
- Then, define a middleware of type [`stripprefix`](../middlewares/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
+- Then, define a middleware of type [`stripprefix`](../middlewares/http/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.

 !!! example "Strip Path Prefix When Forwarding to Backend"

@@ -595,7 +600,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
-      name: http-redirect-ingressRoute
+      name: http-redirect-ingressroute
      namespace: admin-web
    spec:
      entryPoints:
@@ -660,12 +665,12 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo

 ??? question "What About Other Path Transformations?"

-    Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/stripprefix/), you can also:
+    Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/http/stripprefix/), you can also:

-    - Add a path prefix with the [`addprefix` middleware](../../middlewares/addprefix/)
-    - Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/replacepath/)
-    - ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/replacepathregex/)
-    - And a lot more on the [`middlewares` page](../../middlewares/overview/)
+    - Add a path prefix with the [`addprefix` middleware](../../middlewares/http/addprefix/)
+    - Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/http/replacepath/)
+    - ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/http/replacepathregex/)
+    - And a lot more on the [`HTTP middlewares` page](../../middlewares/http/overview/)

 ## ACME (LetsEncrypt)

--- a/Show More
+++ b/Show More