Prepare release v2.0.0-rc3

Prepare release v1.7.14
Finish kubernetes throttling refactoring
2019-09-10 18:58:03 +02:00 · 2019-09-10 18:30:05 +02:00 · 2019-09-10 18:30:05 +02:00 · 2019-09-10 18:30:05 +02:00 · 2019-09-10 17:52:04 +02:00 · 2019-09-10 17:24:03 +02:00
215 changed files with 7624 additions and 633 deletions
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -23,6 +23,10 @@
  [linters-settings.misspell]
    locale = "US"

+  [linters-settings.funlen]
+    lines = 230 # default 60
+    statements = 120 # default 40
+
 [linters]
  enable-all = true
  disable = [
@@ -37,7 +41,6 @@
    "gochecknoinits",
    "gochecknoglobals",
    "bodyclose", # Too many false-positive and panics.
-    "typecheck", # v1.17.1 and Go1.13 => bug
  ]

 [issues]
@@ -50,8 +53,8 @@
    "should have a package comment, unless it's in another file for this package",
  ]
 [[issues.exclude-rules]]
-    path = ".+_test.go"
-    linters = ["goconst"]
+    path = "(.+)_test.go"
+    linters = ["goconst", "funlen"]
 [[issues.exclude-rules]]
    path = "integration/.+_test.go"
    text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
--- a/.semaphoreci/setup.sh
+++ b/.semaphoreci/setup.sh
@@ -18,10 +18,9 @@ echo ${SHOULD_TEST}
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
 #if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
 if [ -n "$SHOULD_TEST" ]; then docker version; fi
-
 export GO_VERSION=1.12
 if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
-if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
+#if [ "${GO_VERSION}" == '1.13' ]; then export GO_VERSION=1.13rc2; fi
 echo "Selected Go version: ${GO_VERSION}"

 if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
@@ -34,5 +33,3 @@ if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
 if [ -f "./go.mod" ]; then go mod download; fi

 df
-
-
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,29 @@
 # Change Log

+## [v2.0.0-rc3](https://github.com/containous/traefik/tree/v2.0.0-rc3) (2019-09-10)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc2...v2.0.0-rc3)
+
+**Enhancements:**
+- **[acme,api,tracing]** New API security ([#5311](https://github.com/containous/traefik/pull/5311) by [juliens](https://github.com/juliens))
+- **[authentication,middleware,k8s,k8s/crd]** Auth middlewares in kubernetes CRD use secrets ([#5299](https://github.com/containous/traefik/pull/5299) by [juliens](https://github.com/juliens))
+- **[logs]** Default to CLF when accesslog format is unsupported ([#5314](https://github.com/containous/traefik/pull/5314) by [mpl](https://github.com/mpl))
+- **[middleware,k8s,k8s/crd]** k8s ErrorPage middleware now uses k8s service ([#5339](https://github.com/containous/traefik/pull/5339) by [juliens](https://github.com/juliens))
+- **[webui]** Add more pages in the WebUI ([#5278](https://github.com/containous/traefik/pull/5278) by [Basgrani](https://github.com/Basgrani))
+
+**Bug fixes:**
+- **[api]** Add provider in middleware chain ([#5334](https://github.com/containous/traefik/pull/5334) by [juliens](https://github.com/juliens))
+- **[k8s,k8s/crd]** fix: TLS domains with IngressRoute. ([#5327](https://github.com/containous/traefik/pull/5327) by [ldez](https://github.com/ldez))
+- **[middleware]** Improve rate limiter tests ([#5310](https://github.com/containous/traefik/pull/5310) by [mpl](https://github.com/mpl))
+- **[server]** Write HTTP server logs into the global logger. ([#5329](https://github.com/containous/traefik/pull/5329) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Misc documentation fixes ([#5307](https://github.com/containous/traefik/pull/5307) by [ldez](https://github.com/ldez))
+- misc documentation fixes ([#5302](https://github.com/containous/traefik/pull/5302) by [mpl](https://github.com/mpl))
+- Enhance the Retry Middleware Documentation ([#5298](https://github.com/containous/traefik/pull/5298) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Misc:**
+- Cherry pick v1.7 into v2.0 ([#5341](https://github.com/containous/traefik/pull/5341) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
 ## [v2.0.0-rc2](https://github.com/containous/traefik/tree/v2.0.0-rc2) (2019-09-03)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.0.0-rc2)

@@ -62,6 +86,13 @@
 **Misc:**
 - Cherry pick v1.7 into v2.0 ([#5192](https://github.com/containous/traefik/pull/5192) by [ldez](https://github.com/ldez))

+## [v1.7.14](https://github.com/containous/traefik/tree/v1.7.14) (2019-08-14)
+[All Commits](https://github.com/containous/traefik/compare/v1.7.13...v1.7.14)
+
+**Bug fixes:**
+- Update to go1.12.8 ([#5201](https://github.com/containous/traefik/pull/5201) by [ldez](https://github.com/ldez)). HTTP/2 Denial of Service [CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) and [CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)
+- **[server]** Make hijackConnectionTracker.Close thread safe ([#5194](https://github.com/containous/traefik/pull/5194) by [jlevesy](https://github.com/jlevesy))
+
 ## [v1.7.13](https://github.com/containous/traefik/tree/v1.7.13) (2019-08-07)
 [All Commits](https://github.com/containous/traefik/compare/v1.7.12...v1.7.13)

--- a/README.md
+++ b/README.md
@@ -90,8 +90,7 @@ To get your hands on Traefik, you can use the [5-Minute Quickstart](http://docs.

 You can access the simple HTML frontend of Traefik.

-![Web UI Providers](docs/content/assets/img/dashboard-main.png)
-![Web UI Health](docs/content/assets/img/dashboard-health.png)
+![Web UI Providers](docs/content/assets/img/webui-dashboard.png)

 ## Documentation

--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.13rc2-alpine
+FROM golang:1.13-alpine

 RUN apk --update upgrade \
    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
    && chmod +x /usr/local/bin/go-bindata

 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.17.1
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.18.0

 # Download golangci-lint and misspell binary to bin folder in $GOPATH
 RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell
--- a/docs/content/assets/img/dashboard-health.png
+++ b/docs/content/assets/img/dashboard-health.png
--- a/docs/content/assets/img/dashboard-main.png
+++ b/docs/content/assets/img/dashboard-main.png
--- a/docs/content/assets/img/webui-dashboard.png
+++ b/docs/content/assets/img/webui-dashboard.png
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -28,7 +28,7 @@ Successfully tagged traefik-webui:latest
 [...]
 docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
 Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.13rc2-alpine
+Step 1/10 : FROM golang:1.13-alpine
 ---> f4bfb3d22bda
 [...]
 Successfully built 5c3c1a911277
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -141,17 +141,17 @@ tls:

 ### Client Authentication (mTLS)

-Traefik supports mutual authentication, through the `ClientAuth` section.
+Traefik supports mutual authentication, through the `clientAuth` section.

-For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `ClientAuth.caFiles`.
+For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
 
-The `ClientAuth.clientAuthType` option governs the behaviour as follows:
+The `clientAuth.clientAuthType` option governs the behaviour as follows:

 - `NoClientCert`: disregards any client certificate.
 - `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `ClientAuth.caFiles`.
- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `ClientAuth.caFiles`. Otherwise proceeds without any certificate.
- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `ClientAuth.caFiles`. 
+- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
+- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`. 

 ```toml tab="TOML"
 [tls.options]
--- a/docs/content/middlewares/basicauth.md
+++ b/docs/content/middlewares/basicauth.md
@@ -16,7 +16,7 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
 labels:
-  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```

 ```yaml tab="Kubernetes"
@@ -27,9 +27,7 @@ metadata:
  name: test-auth
 spec:
  basicAuth:
-    users:
-    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
-    - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
+    secret: secretName
 ```

 ```json tab="Marathon"
@@ -41,7 +39,7 @@ spec:
 ```yaml tab="Rancher"
 # Declaring the user list
 labels:
-  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

 ```toml tab="File (TOML)"
@@ -79,12 +77,140 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.

 The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.

+!!! Note
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+```yaml tab="Docker"
+# Declaring the user list
+#
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Kubernetes"
+# Declaring the user list
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    users = [
+      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        users:
+        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ### `usersFile`

 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.

 The file content is a list of `name:encoded-password`.

+!!! Note
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        usersFile: "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"

    ```txt
@@ -92,21 +218,57 @@ The file content is a list of `name:encoded-password`.
    test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
    ```

-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
 ### `realm`

 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 

+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    realm: MyRealm
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    realm = "MyRealm"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        realm: "MyRealm"
+```
+
 ### `headerField`

 You can define a header field to store the authenticated user using the `headerField`option.

 ```yaml tab="Docker"
 labels:
-  - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
+- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```

 ```yaml tab="Kubernetes"
@@ -144,3 +306,43 @@ http:
 ### `removeHeader`

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    removeHeader: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+    removeHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        removeHeader: true
+```
--- a/docs/content/middlewares/digestauth.md
+++ b/docs/content/middlewares/digestauth.md
@@ -10,6 +10,7 @@ The DigestAuth middleware is a quick way to restrict access to your services to
 ## Configuration Examples

 ```yaml tab="Docker"
+# Declaring the user list
 labels:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
@@ -22,9 +23,82 @@ metadata:
  name: test-auth
 spec:
  digestAuth:
-    users:
-    - test:traefik:a2688e031edb4be6a3797f3882655c05
-    - test2:traefik:518845800f9e2bfb1f1f740ec24f074e
+    secret: userssecret
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```toml tab="File (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
+```yaml tab="File (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        users:
+        - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+        - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+## Configuration Options
+
+!!! tip 
+   
+    Use `htdigest` to generate passwords.
+
+### `users`
+
+The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
+
+!!! Note
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
 ```

 ```json tab="Marathon"
@@ -57,26 +131,69 @@ http:
        - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

-!!! tip 
-   
-    Use `htdigest` to generate passwords.
-
-## Configuration Options
-
-### `users`
-
-The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
-
-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
 ### `usersFile`

 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.

 The file content is a list of `name:realm:encoded-password`.

+!!! Note
+    
+    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
+    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead. 
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: authsecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret
+  namespace: default
+
+data:
+  users: |2
+    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
+    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    usersFile = "/path/to/my/usersfile"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        usersFile: "/path/to/my/usersfile"
+```
+
 ??? example "A file containing test/test and test2/test2"

    ```txt
@@ -84,20 +201,54 @@ The file content is a list of `name:realm:encoded-password`.
    test2:traefik:518845800f9e2bfb1f1f740ec24f074e
    ```

-!!! Note
-    
-    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-
 ### `realm`

 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 

+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    realm: MyRealm
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    realm = "MyRealm"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        realm: "MyRealm"
+```
+
 ### `headerField`

 You can customize the header field for the authenticated user using the `headerField`option.

-Example "File -- Passing Authenticated User to Services Via Headers"
-
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
@@ -143,3 +294,43 @@ http:
 ### `removeHeader`

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    removeHeader: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    removeHeader = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        removeHeader: true
+```
--- a/docs/content/middlewares/errorpages.md
+++ b/docs/content/middlewares/errorpages.md
@@ -29,8 +29,10 @@ spec:
  errors:
    status:
    - 500-599
-    service: serviceError
    query: /{status}.html
+    service:
+      name: whoami
+      port: 80
 ```

 ```json tab="Marathon"
@@ -95,6 +97,9 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet

 The service that will serve the new requested error page.

+!!! Note
+    In kubernetes, you need to reference a kubernetes service instead of a traefik service.
+
 ### `query`

 The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
--- a/docs/content/middlewares/forwardauth.md
+++ b/docs/content/middlewares/forwardauth.md
@@ -15,12 +15,99 @@ Otherwise, the response from the authentication server is returned.
 # Forward authentication to authserver.com
 labels:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+# Forward authentication to authserver.com
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+# Forward authentication to authserver.com
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```toml tab="File (TOML)"
+# Forward authentication to authserver.com
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+```
+
+```yaml tab="File (YAML)"
+# Forward authentication to authserver.com
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+```
+
+## Configuration Options
+
+### `address`
+
+The `address` option defines the authentication server address.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth 
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+```
+
+### `trustForwardHeader`
+
+Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
+
+```yaml tab="Docker"
+labels:
 - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

@@ -33,89 +120,381 @@ spec:
  forwardAuth:
    address: https://authserver.com/auth
    trustForwardHeader: true
-    authResponseHeaders:
-    - X-Auth-User
-    - X-Secret
-    tls:
-      ca: path/to/local.crt
-      caOptional: true
-      cert: path/to/foo.cert
-      key: path/to/foo.key  
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth",
-  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key",
  "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
 }
 ```

 ```yaml tab="Rancher"
-# Forward authentication to authserver.com
 labels:
- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.forwardauth.tls.InisecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

 ```toml tab="File (TOML)"
-# Forward authentication to authserver.com
 [http.middlewares]
  [http.middlewares.test-auth.forwardAuth]
    address = "https://authserver.com/auth"
    trustForwardHeader = true
-    authResponseHeaders = ["X-Auth-User", "X-Secret"]
-
-    [http.middlewares.test-auth.forwardAuth.tls]
-      ca = "path/to/local.crt"
-      caOptional = true
-      cert = "path/to/foo.cert"
-      key = "path/to/foo.key"
 ```

 ```yaml tab="File (YAML)"
-# Forward authentication to authserver.com
 http:
  middlewares:
    test-auth:
      forwardAuth:
        address: "https://authserver.com/auth"
        trustForwardHeader: true
-        authResponseHeaders:
-        - "X-Auth-User"
-        - "X-Secret"
-        tls:
-          ca: "path/to/local.crt"
-          caOptional: true
-          cert: "path/to/foo.cert"
-          key: "path/to/foo.key"
 ```

-## Configuration Options
-
-### `address`
-
-The `address` option defines the authentication server address.
-
-### `trustForwardHeader`
-
-Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
-
 ### `authResponseHeaders`

 The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.

+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    authResponseHeaders:
+    - X-Auth-User
+    - X-Secret
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    authResponseHeaders = ["X-Auth-User", "X-Secret"]
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        authResponseHeaders:
+        - "X-Auth-User"
+        - "X-Secret"
+```
+
 ### `tls`

 The `tls` option is the TLS configuration from Traefik to the authentication server.
+
+#### `tls.ca`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      caSecret: mycasercret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mycasercret
+  namespace: default
+
+data:
+  ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      ca = "path/to/local.crt"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          ca: "path/to/local.crt"
+```
+
+#### `tls.caOptional`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      caOptional: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      caOptional = true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          caOptional: true
+```
+
+#### `tls.cert`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mytlscert
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          cert: "path/to/foo.cert"
+          key: "path/to/foo.key"
+```
+
+!!! Note
+    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+#### `tls.key`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    tls:
+      certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mytlscert
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    [http.middlewares.test-auth.forwardAuth.tls]
+      cert = "path/to/foo.cert"
+      key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        tls:
+          cert: "path/to/foo.cert"
+          key: "path/to/foo.key"
+```
+
+!!! Note
+    For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
+
+#### `tls.insecureSkipVerify`
+
+TODO add description.
+
+```yaml tab="Docker"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://authserver.com/auth
+    insecureSkipVerify: true
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://authserver.com/auth"
+    insecureSkipVerify: true
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://authserver.com/auth"
+        insecureSkipVerify: true
+```
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -66,7 +66,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
-  "traefik.http.router.router1.middlewares": "foo-add-prefix@marathon"
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
 }
 ```

@@ -76,7 +76,7 @@ labels:
  # Create a middleware named `foo-add-prefix`
  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
  # Apply the middleware named `foo-add-prefix` to the router named `router1`
-  - "traefik.http.router.router1.middlewares=foo-add-prefix@rancher"
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
 ```

 ```toml tab="File (TOML)"
--- a/docs/content/middlewares/passtlsclientcert.md
+++ b/docs/content/middlewares/passtlsclientcert.md
@@ -3,7 +3,9 @@
 Adding Client Certificates in a Header
 {: .subtitle }

-`TODO add schema`
+<!--
+TODO: add schema
+-->

 PassTLSClientCert adds in header the selected data from the passed client tls certificate.

--- a/docs/content/middlewares/redirectregex.md
+++ b/docs/content/middlewares/redirectregex.md
@@ -3,7 +3,9 @@
 Redirecting the Client to a Different Location
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 RegexRedirect redirect a request from an url to another with regex matching and replacement.

@@ -11,6 +13,7 @@ RegexRedirect redirect a request from an url to another with regex matching and

 ```yaml tab="Docker"
 # Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
 labels:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
 - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
@@ -37,9 +40,10 @@ spec:

 ```yaml tab="Rancher"
 # Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
 labels:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/${1}"
+- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```

 ```toml tab="File (TOML)"
--- a/docs/content/middlewares/redirectscheme.md
+++ b/docs/content/middlewares/redirectscheme.md
@@ -3,7 +3,9 @@
 Redirecting the Client to a Different Scheme/Port
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 RegexRedirect redirect request from a scheme to another.

--- a/docs/content/middlewares/replacepath.md
+++ b/docs/content/middlewares/replacepath.md
@@ -3,7 +3,9 @@
 Updating the Path Before Forwarding the Request
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 Replace the path of the request url.

--- a/docs/content/middlewares/replacepathregex.md
+++ b/docs/content/middlewares/replacepathregex.md
@@ -3,7 +3,9 @@
 Updating the Path Before Forwarding the Request (Using a Regex)
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 The ReplaceRegex replace a path from an url to another with regex matching and replacement.

--- a/docs/content/middlewares/retry.md
+++ b/docs/content/middlewares/retry.md
@@ -3,9 +3,12 @@
 Retrying until it Succeeds
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

-Retry to send request on attempt failure.
+The Retry middleware is in charge of reissuing a request a given number of times to a backend server if that server does not reply.
+To be clear, as soon as the server answers, the middleware stops retrying, regardless of the response status.

 ## Configuration Examples

@@ -60,4 +63,4 @@ http:

 _mandatory_

-The `attempts` option defines how many times to try sending the request.
+The `attempts` option defines how many times the request should be retried.
--- a/docs/content/middlewares/stripprefix.md
+++ b/docs/content/middlewares/stripprefix.md
@@ -3,7 +3,9 @@
 Removing Prefixes From the Path Before Forwarding the Request
 {: .subtitle }

-`TODO: add schema`
+<!--
+TODO: add schema
+-->

 Remove the specified prefixes from the URL path.

@@ -12,7 +14,7 @@ Remove the specified prefixes from the URL path.
 ```yaml tab="Docker"
 # Strip prefix /foobar and /fiibar
 labels:
- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar, /fiibar"
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```

 ```yaml tab="Kubernetes"
@@ -30,14 +32,14 @@ spec:

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar, /fiibar"
+  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
 }
 ```

 ```yaml tab="Rancher"
 # Strip prefix /foobar and /fiibar
 labels:
- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar, /fiibar"
+- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```

 ```toml tab="File (TOML)"
--- a/docs/content/middlewares/stripprefixregex.md
+++ b/docs/content/middlewares/stripprefixregex.md
@@ -9,7 +9,7 @@ Remove the matching prefixes from the URL path.

 ```yaml tab="Docker"
 labels:
- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/",
+- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```

 ```yaml tab="Kubernetes"
@@ -31,7 +31,7 @@ spec:

 ```yaml tab="Rancher"
 labels:
- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/",
+- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```

 ```toml tab="File (TOML)"
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -8,6 +8,15 @@ which require one to update their configuration when they migrate from v1 to v2.
 The goal of this page is to recapitulate all of these changes, and in particular to give examples, 
 feature by feature, of how the configuration looked like in v1, and how it now looks like in v2.

+!!! Note "Migration Helper"
+    
+    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/containous/traefik-migration-tool)
+
+    This tool allows to:
+
+    - convert `Ingress` to Traefik `IngressRoute` resources.
+    - convert `acme.json` file from v1 to v2 format.
+
 ## Frontends and Backends Are Dead... <br/>... Long Live Routers, Middlewares, and Services

 During the transition from v1 to v2, a number of internal pieces and components of Traefik were rewritten and reorganized.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -26,12 +26,11 @@ accessLog: {}
 By default access logs are written to the standard output.
 To write the logs into a log file, use the `filePath` option.

-in the Common Log Format (CLF), extended with additional fields.
-
 ### `format`
 
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
+If the given format is unsupported, the default (CLF) is used instead.

 !!! note "Common Log Format"
    
@@ -152,15 +151,14 @@ accessLog:
  format: json
  fields:
    defaultMode: keep
-    fields:
+    names:
+      ClientUsername: drop
+    headers:
+      defaultMode: keep
      names:
-        ClientUsername: drop
-      headers:
-        defaultMode: keep
-        names:
-        - User-Agent: redact
-        - Authorization: drop
-        - Content-Type: keep
+          User-Agent: redact
+          Authorization: drop
+          Content-Type: keep
 ```

 ```bash tab="CLI"
--- a/docs/content/observability/metrics/prometheus.md
+++ b/docs/content/observability/metrics/prometheus.md
@@ -85,3 +85,34 @@ metrics:
 ```bash tab="CLI"
 --metrics.prometheus.addServicesLabels=true
 ```
+
+#### `entryPoint`
+
+_Optional, Default=traefik_
+
+Entry point used to expose metrics.
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.metrics]
+    address = ":8082"
+
+[metrics]
+  [metrics.prometheus]
+    entryPoint = "metrics"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  metrics:
+    address: ":8082"
+
+metrics:
+  prometheus:
+    entryPoint: metrics
+```
+
+```bash tab="CLI"
+--entryPoints.metrics.address=":8082"
+--metrics.prometheus..entryPoint="metrics"
+```
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -1,8 +1,5 @@
 # API

-!!! important
-    In the RC version, you can't configure middlewares (basic authentication or white listing) anymore, but as security is important, this will change before the GA version.
-
 Traefik exposes a number of information through an API handler, such as the configuration of all routers, services, middlewares, etc.

 As with all features of Traefik, this handler can be enabled with the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
@@ -22,11 +19,10 @@ would be to apply the following protection mechanisms:
  keeping it restricted to internal networks
  (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).

-!!! important
-    In the beta version, you can't configure middlewares (basic authentication or white listing) anymore, but as security is important, this will change before the RC version.
-
 ## Configuration

+If you enable the API, a new special `service` named `api@internal` is created and then can be reference in a router.
+
 To enable the API handler:

 ```toml tab="File (TOML)"
@@ -41,6 +37,83 @@ api: {}
 --api=true
 ```

+And then you will able to reference it like this.
+
+```yaml tab="Docker"
+  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  - "traefik.http.routers.api.service=api@internal"
+  - "traefik.http.routers.api.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.api.rule": "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+  "traefik.http.routers.api.service": "api@internal"
+  "traefik.http.routers.api.middlewares": "auth"
+  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.routers.api.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+    - "traefik.http.routers.api.service=api@internal"
+    - "traefik.http.routers.api.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+[http.routers.my-api]
+    rule="PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+    service="api@internal"
+    middlewares=["auth"]
+
+[http.middlewares.auth.basicAuth]
+    users = [
+        "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+        "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+      ]
+```
+
+```yaml tab="File (YAML)"
+http:
+  routers:
+    api:
+      rule: PathPrefix(`/api`) || PathPrefix(`/dashboard`)
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+        - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/" 
+        - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+### `insecure`
+
+Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`.
+
+!!! Note
+    If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
+
+```toml tab="File (TOML)"
+[api]
+  insecure = true
+```
+
+```yaml tab="File (YAML)"
+api:
+  insecure: true
+```
+
+```bash tab="CLI"
+--api.insecure=true
+```
+
 ### `dashboard`

 _Optional, Default=true_
--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -5,25 +5,16 @@ See What's Going On

 The dashboard is the central place that shows you the current active routes handled by Traefik. 

-!!! warning "Dashboard WIP"
-    Currently, the dashboard is in a Work In Progress State while being reconstructed for v2. 
-    Therefore, the dashboard is currently not working.
-
 <figure>
-    <img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
-    <figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
-</figure>
-
-<figure>
-    <img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
-    <figcaption>The dashboard shows the health of the system.</figcaption>
+    <img src="../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
+    <figcaption>The dashboard in action</figcaption>
 </figure>

 By default, the dashboard is available on `/` on port `:8080`.

 !!! tip "Did You Know?"
    It is possible to customize the dashboard endpoint. 
-    To learn how, refer to the `Traefik's API documentation`(TODO: add doc and link).
+    To learn how, refer to the [API documentation](./api.md)
    
 ## Enabling the Dashboard

@@ -64,4 +55,4 @@ api:

 !!! tip "Did You Know?"
    The API provides more features than the Dashboard. 
-    To learn more about it, refer to the `Traefik's API documentation`(TODO: add doc and link).
+    To learn more about it, refer to the [API documentation](./api.md)
--- a/docs/content/operations/ping.md
+++ b/docs/content/operations/ping.md
@@ -5,7 +5,7 @@ Checking the Health of Your Traefik Instances

 ## Configuration Examples

-??? example "Enabling /ping"
+To enable the API handler:

 ```toml tab="File (TOML)"
 [ping]
@@ -19,10 +19,39 @@ ping: {}
 --ping=true
 ```

+## Configuration Options
+
+The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
+
+You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
+
 | Path    | Method        | Description                                                                                         |
 |---------|---------------|-----------------------------------------------------------------------------------------------------|
 | `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |

-## Configuration Options
+### `entryPoint`

-The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
+Enabling /ping on a dedicated EntryPoint.
+
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.ping]
+    address = ":8082"
+
+[ping]
+  entryPoint = "ping"
+```
+
+```yaml tab="File (YAML)"
+entryPoints:
+  ping:
+    address: ":8082"
+
+ping:
+  entryPoint: "ping"
+```
+
+```bash tab="CLI"
+--entryPoints.ping.address=":8082"
+--ping.entryPoint="ping"
+```
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -77,6 +77,7 @@ Attach labels to your containers and let Traefik do the rest!
        deploy:
          labels:
            - traefik.http.routers.my-container.rule=Host(`my-domain`)
+            - traefik.http.services.my-container-service.loadbalancer.server.port=8080
    ```

    !!! important "Labels in Docker Swarm Mode"
@@ -387,7 +388,7 @@ Constraints is an expression that Traefik matches against the container's labels
 That is to say, if none of the container's labels match the expression, no route for the container is created.
 If the expression is empty, all detected containers are included.

-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.

 ??? example "Constraints Expression Examples"

@@ -418,11 +419,121 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp(
    
    ```toml
    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

 See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

+### `tls`
+
+_Optional_
+
+#### `tls.ca`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.docker.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.docker.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.docker.tls.cert=path/to/foo.cert
+--providers.docker.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.docker.tls.cert=path/to/foo.cert
+--providers.docker.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.docker.tls]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    tls:
+      insecureSkipVerify: true
+```
+
+```bash tab="CLI"
+--providers.docker.tls.insecureSkipVerify=true
+```
+
 ## Routing Configuration Options

 ### General
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -168,6 +168,27 @@ Value of `kubernetes.io/ingress.class` annotation that identifies Ingress object
 If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
 Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.

+### `throttleDuration`
+
+_Optional, Default: 0 (no throttling)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  throttleDuration = "10s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    throttleDuration: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.throttleDuration="10s"
+```
+
 ## Resource Configuration

 If you're in a hurry, maybe you'd rather go through the [dynamic](../reference/dynamic-configuration/kubernetes-crd.md) configuration reference.
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -305,6 +305,27 @@ providers:

 Published Kubernetes Service to copy status from.

+### `throttleDuration`
+
+_Optional, Default: 0 (no throttling)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  throttleDuration = "10s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    throttleDuration: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.throttleDuration="10s"
+```
+
 ## Further

 If one wants to know more about the various aspects of the Ingress spec that Traefik supports, many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@@ -243,7 +243,7 @@ That is to say, if none of the application's labels match the expression, no rou
 In addition, the expression also matched against the application's constraints, such as described in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
 If the expression is empty, all detected applications are included.

-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")`, as well as the usual boolean logic.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")`, as well as the usual boolean logic.
 In addition, to match against marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are joined together in a single string with the `:` separator.

 ??? example "Constraints Expression Examples"
@@ -275,7 +275,7 @@ In addition, to match against marathon constraints, the function `MarathonConstr
    
    ```toml
    # Includes only applications having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

    ```toml
@@ -398,37 +398,116 @@ when waiting for the first response header from a Marathon master.

 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), or directly as a number of seconds.

-### `TLS`
+### `tls`

 _Optional_

+#### `tls.ca`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  ca = "path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.ca=path/to/ca.crt
+```
+
+#### `tls.caOptional`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  caOptional = true
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      caOptional: true
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.caOptional=true
+```
+
+#### `tls.cert`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.cert=path/to/foo.cert
+--providers.marathon.tls.key=path/to/foo.key
+```
+
+#### `tls.key`
+
+TODO add description.
+
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```bash tab="CLI"
+--providers.marathon.tls.cert=path/to/foo.cert
+--providers.marathon.tls.key=path/to/foo.key
+```
+
+#### `tls.insecureSkipVerify`
+
+TODO add description.
+
 ```toml tab="File (TOML)"
 [providers.marathon.tls]
-  ca = "/etc/ssl/ca.crt"
-  cert = "/etc/ssl/marathon.cert"
-  key = "/etc/ssl/marathon.key"
  insecureSkipVerify = true
 ```

 ```yaml tab="File (YAML)"
 providers:
-  marathon
+  marathon:
    tls:
-      ca: "/etc/ssl/ca.crt"
-      cert: "/etc/ssl/marathon.cert"
-      key: "/etc/ssl/marathon.key"
-      insecureSkipVerify:  true
+      insecureSkipVerify: true
 ```

 ```bash tab="CLI"
--providers.marathon.tls.ca="/etc/ssl/ca.crt"
--providers.marathon.tls.cert="/etc/ssl/marathon.cert"
--providers.marathon.tls.key="/etc/ssl/marathon.key"
--providers.marathon.tls.insecureskipverify=true
+--providers.marathon.tls.insecureSkipVerify=true
 ```

-TLS client configuration. [tls/#Config](https://golang.org/pkg/crypto/tls/#Config).
-
 ### `tlsHandshakeTimeout`

 _Optional, Default=5s_
--- a/docs/content/providers/rancher.md
+++ b/docs/content/providers/rancher.md
@@ -239,7 +239,7 @@ Constraints is an expression that Traefik matches against the container's labels
 That is to say, if none of the container's labels match the expression, no route for the container is created.
 If the expression is empty, all detected containers are included.

-The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.

 ??? example "Constraints Expression Examples"

@@ -270,7 +270,7 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp(
    
    ```toml
    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

 See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -45,6 +45,9 @@ Activate dashboard. (Default: ```true```)
 `--api.debug`:  
 Enable additional endpoints for debugging and profiling. (Default: ```false```)

+`--api.insecure`:  
+Activate API directly on the entryPoint named traefik. (Default: ```false```)
+
 `--certificatesresolvers.<name>`:  
 Certificates resolvers configuration. (Default: ```false```)

@@ -207,6 +210,9 @@ Enable metrics on services. (Default: ```true```)
 `--metrics.prometheus.buckets`:  
 Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)

+`--metrics.prometheus.entrypoint`:  
+EntryPoint (Default: ```traefik```)
+
 `--metrics.statsd`:  
 StatsD metrics exporter type. (Default: ```false```)

@@ -223,7 +229,10 @@ Enable metrics on services. (Default: ```true```)
 StatsD push interval. (Default: ```10```)

 `--ping`:  
-Enable ping. (Default: ```true```)
+Enable ping. (Default: ```false```)
+
+`--ping.entrypoint`:  
+EntryPoint (Default: ```traefik```)

 `--providers.docker`:  
 Enable Docker backend with default settings. (Default: ```false```)
@@ -303,6 +312,9 @@ Kubernetes label selector to use.
 `--providers.kubernetescrd.namespaces`:  
 Kubernetes namespaces.

+`--providers.kubernetescrd.throttleduration`:  
+Ingress refresh throttle duration (Default: ```0```)
+
 `--providers.kubernetescrd.token`:  
 Kubernetes bearer token (not needed for in-cluster client).

@@ -336,6 +348,9 @@ Kubernetes Ingress label selector to use.
 `--providers.kubernetesingress.namespaces`:  
 Kubernetes namespaces.

+`--providers.kubernetesingress.throttleduration`:  
+Ingress refresh throttle duration (Default: ```0```)
+
 `--providers.kubernetesingress.token`:  
 Kubernetes bearer token (not needed for in-cluster client).

@@ -433,7 +448,10 @@ Defines the polling interval in seconds. (Default: ```15```)
 Watch provider. (Default: ```true```)

 `--providers.rest`:  
-Enable Rest backend with default settings. (Default: ```true```)
+Enable Rest backend with default settings. (Default: ```false```)
+
+`--providers.rest.insecure`:  
+Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)

 `--serverstransport.forwardingtimeouts.dialtimeout`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -45,6 +45,9 @@ Activate dashboard. (Default: ```true```)
 `TRAEFIK_API_DEBUG`:  
 Enable additional endpoints for debugging and profiling. (Default: ```false```)

+`TRAEFIK_API_INSECURE`:  
+Activate API directly on the entryPoint named traefik. (Default: ```false```)
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>`:  
 Certificates resolvers configuration. (Default: ```false```)

@@ -207,6 +210,9 @@ Enable metrics on services. (Default: ```true```)
 `TRAEFIK_METRICS_PROMETHEUS_BUCKETS`:  
 Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)

+`TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:  
+EntryPoint (Default: ```traefik```)
+
 `TRAEFIK_METRICS_STATSD`:  
 StatsD metrics exporter type. (Default: ```false```)

@@ -223,7 +229,10 @@ Enable metrics on services. (Default: ```true```)
 StatsD push interval. (Default: ```10```)

 `TRAEFIK_PING`:  
-Enable ping. (Default: ```true```)
+Enable ping. (Default: ```false```)
+
+`TRAEFIK_PING_ENTRYPOINT`:  
+EntryPoint (Default: ```traefik```)

 `TRAEFIK_PROVIDERS_DOCKER`:  
 Enable Docker backend with default settings. (Default: ```false```)
@@ -303,6 +312,9 @@ Kubernetes label selector to use.
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_NAMESPACES`:  
 Kubernetes namespaces.

+`TRAEFIK_PROVIDERS_KUBERNETESCRD_THROTTLEDURATION`:  
+Ingress refresh throttle duration (Default: ```0```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_TOKEN`:  
 Kubernetes bearer token (not needed for in-cluster client).

@@ -336,6 +348,9 @@ Kubernetes Ingress label selector to use.
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_NAMESPACES`:  
 Kubernetes namespaces.

+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_THROTTLEDURATION`:  
+Ingress refresh throttle duration (Default: ```0```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_TOKEN`:  
 Kubernetes bearer token (not needed for in-cluster client).

@@ -433,7 +448,10 @@ Defines the polling interval in seconds. (Default: ```15```)
 Watch provider. (Default: ```true```)

 `TRAEFIK_PROVIDERS_REST`:  
-Enable Rest backend with default settings. (Default: ```true```)
+Enable Rest backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_REST_INSECURE`:  
+Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)

 `TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -83,6 +83,7 @@
    namespaces = ["foobar", "foobar"]
    labelSelector = "foobar"
    ingressClass = "foobar"
+    throttleDuration = "10s"
    [providers.kubernetesIngress.ingressEndpoint]
      ip = "foobar"
      hostname = "foobar"
@@ -95,7 +96,9 @@
    namespaces = ["foobar", "foobar"]
    labelSelector = "foobar"
    ingressClass = "foobar"
+    throttleDuration = "10s"
  [providers.rest]
+    insecure = true
  [providers.rancher]
    constraints = "foobar"
    watch = true
@@ -107,6 +110,7 @@
    prefix = "foobar"

 [api]
+  insecure = true
  dashboard = true
  debug = true

@@ -115,6 +119,7 @@
    buckets = [42.0, 42.0]
    addEntryPointsLabels = true
    addServicesLabels = true
+    entryPoint = "foobar"
  [metrics.datadog]
    address = "foobar"
    pushInterval = "10s"
@@ -137,6 +142,7 @@
    addServicesLabels = true

 [ping]
+  entryPoint = "foobar"

 [log]
  level = "foobar"
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -88,6 +88,7 @@ providers:
    - foobar
    labelSelector: foobar
    ingressClass: foobar
+    throttleDuration: 10s
    ingressEndpoint:
      ip: foobar
      hostname: foobar
@@ -102,7 +103,9 @@ providers:
    - foobar
    labelSelector: foobar
    ingressClass: foobar
-  rest: {}
+    throttleDuration: 10s
+  rest:
+    insecure: true
  rancher:
    constraints: foobar
    watch: true
@@ -113,6 +116,7 @@ providers:
    intervalPoll: true
    prefix: foobar
 api:
+  insecure: true
  dashboard: true
  debug: true
 metrics:
@@ -122,6 +126,7 @@ metrics:
    - 42
    addEntryPointsLabels: true
    addServicesLabels: true
+    entryPoint: foobar
  datadog:
    address: foobar
    pushInterval: 42
@@ -142,7 +147,8 @@ metrics:
    password: foobar
    addEntryPointsLabels: true
    addServicesLabels: true
-ping: {}
+ping:
+  entryPoint: foobar
 log:
  level: foobar
  filePath: foobar
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -149,7 +149,7 @@ If the proxyprotocol header is passed, then the version is determined automatica
    entryPoints:
      web:
        address: ":80"
-        proxyProtocol
+        proxyProtocol:
          trustedIPs:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -213,7 +213,7 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
    entryPoints:
      web:
        address: ":80"
-        forwardedHeaders
+        forwardedHeaders:
          trustedIPs:
          - "127.0.0.1/32"
          - "192.168.1.7"
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@@ -631,7 +631,7 @@ Services are the target for the router.
          rule: "HostSNI(`foo-domain`)"
          service: service-id
          # will terminate the TLS request by default
-          tld: {}
+          tls: {}
    ```

 ??? example "Configuring passthrough"
--- a/exp.Dockerfile
+++ b/exp.Dockerfile
@@ -12,7 +12,7 @@ RUN yarn install
 RUN npm run build

 # BUILD
-FROM golang:1.13rc2-alpine as gobuild
+FROM golang:1.13-alpine as gobuild

 RUN apk --update upgrade \
    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
--- a/integration/fixtures/access_log_config.toml
+++ b/integration/fixtures/access_log_config.toml
@@ -22,6 +22,7 @@
    address = ":8008"

 [api]
+  insecure = true

 [providers]
  [providers.docker]
--- a/integration/fixtures/acme/acme_base.toml
+++ b/integration/fixtures/acme/acme_base.toml
@@ -31,6 +31,7 @@
 {{end}}

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/acme/acme_domains.toml
+++ b/integration/fixtures/acme/acme_domains.toml
@@ -31,6 +31,7 @@
 {{end}}

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/acme/acme_multiple_resolvers.toml
+++ b/integration/fixtures/acme/acme_multiple_resolvers.toml
@@ -31,6 +31,7 @@
 {{end}}

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/acme/acme_tcp.toml
+++ b/integration/fixtures/acme/acme_tcp.toml
@@ -31,6 +31,7 @@
 {{end}}

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/acme/acme_tls.toml
+++ b/integration/fixtures/acme/acme_tls.toml
@@ -31,6 +31,7 @@
 {{end}}

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/acme/acme_tls_dynamic.toml
+++ b/integration/fixtures/acme/acme_tls_dynamic.toml
@@ -31,6 +31,7 @@
 {{end}}

 [api]
+  insecure = true

 [providers]
  [providers.file]
--- a/integration/fixtures/acme/acme_tls_multiple_entrypoints.toml
+++ b/integration/fixtures/acme/acme_tls_multiple_entrypoints.toml
@@ -34,3 +34,4 @@
 {{end}}

 [api]
+  insecure = true
--- a/integration/fixtures/docker/minimal.toml
+++ b/integration/fixtures/docker/minimal.toml
@@ -10,6 +10,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers]
  [providers.docker]
--- a/integration/fixtures/docker/simple.toml
+++ b/integration/fixtures/docker/simple.toml
@@ -10,6 +10,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers]
  [providers.docker]
--- a/integration/fixtures/grpc/config.toml
+++ b/integration/fixtures/grpc/config.toml
@@ -13,6 +13,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/grpc/config_h2c.toml
+++ b/integration/fixtures/grpc/config_h2c.toml
@@ -10,6 +10,7 @@
    address = ":8081"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/grpc/config_h2c_termination.toml
+++ b/integration/fixtures/grpc/config_h2c_termination.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/grpc/config_insecure.toml
+++ b/integration/fixtures/grpc/config_insecure.toml
@@ -13,6 +13,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/grpc/config_retry.toml
+++ b/integration/fixtures/grpc/config_retry.toml
@@ -13,6 +13,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/healthcheck/multiple-entrypoints.toml
+++ b/integration/fixtures/healthcheck/multiple-entrypoints.toml
@@ -12,6 +12,7 @@
    address = ":9000"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/healthcheck/port_overload.toml
+++ b/integration/fixtures/healthcheck/port_overload.toml
@@ -10,6 +10,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/healthcheck/simple.toml
+++ b/integration/fixtures/healthcheck/simple.toml
@@ -10,6 +10,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/clientca/https_1ca1config.toml
+++ b/integration/fixtures/https/clientca/https_1ca1config.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/clientca/https_2ca1config.toml
+++ b/integration/fixtures/https/clientca/https_2ca1config.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/clientca/https_2ca2config.toml
+++ b/integration/fixtures/https/clientca/https_2ca2config.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/dynamic_https_sni.toml
+++ b/integration/fixtures/https/dynamic_https_sni.toml
@@ -13,6 +13,7 @@
     address = ":8443"

 [api]
+  insecure = true

 [providers]
  [providers.file]
--- a/integration/fixtures/https/dynamic_https_sni_default_cert.toml
+++ b/integration/fixtures/https/dynamic_https_sni_default_cert.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/https_redirect.toml
+++ b/integration/fixtures/https/https_redirect.toml
@@ -13,6 +13,7 @@
    address = ":8443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/https_sni.toml
+++ b/integration/fixtures/https/https_sni.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/https_sni_case_insensitive_dynamic.toml
+++ b/integration/fixtures/https/https_sni_case_insensitive_dynamic.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/https_sni_default_cert.toml
+++ b/integration/fixtures/https/https_sni_default_cert.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/https_sni_strict.toml
+++ b/integration/fixtures/https/https_sni_strict.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/https_tls_options.toml
+++ b/integration/fixtures/https/https_tls_options.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/rootcas/https.toml
+++ b/integration/fixtures/https/rootcas/https.toml
@@ -29,6 +29,7 @@ fblo6RBxUQ==
    address = ":8081"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/https/rootcas/https_with_file.toml
+++ b/integration/fixtures/https/rootcas/https_with_file.toml
@@ -14,6 +14,7 @@
    address = ":8081"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/k8s_crd.toml
+++ b/integration/fixtures/k8s_crd.toml
@@ -6,6 +6,7 @@
  level = "DEBUG"

 [api]
+  insecure = true

 [entryPoints]
  [entryPoints.footcp]
--- a/integration/fixtures/k8s_default.toml
+++ b/integration/fixtures/k8s_default.toml
@@ -3,6 +3,7 @@
  sendAnonymousUsage = false

 [api]
+  insecure = true

 [log]
  level = "DEBUG"
--- a/integration/fixtures/marathon/simple.toml
+++ b/integration/fixtures/marathon/simple.toml
@@ -12,6 +12,7 @@
    address = ":9090"

 [api]
+  insecure = true

 [providers]
  [providers.marathon]
--- a/integration/fixtures/mirror.toml
+++ b/integration/fixtures/mirror.toml
@@ -3,6 +3,7 @@
  sendAnonymousUsage = false

 [api]
+  insecure = true

 [log]
  level = "DEBUG"
--- a/integration/fixtures/multiple_provider.toml
+++ b/integration/fixtures/multiple_provider.toml
@@ -10,6 +10,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers]
  [providers.docker]
--- a/integration/fixtures/multiprovider.toml
+++ b/integration/fixtures/multiprovider.toml
@@ -6,6 +6,7 @@
  level = "DEBUG"

 [api]
+  insecure = true

 [entryPoints]
  [entryPoints.web]
@@ -13,6 +14,7 @@

 [providers]
  [providers.rest]
+    insecure = true

  [providers.file]
    filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/proxy-protocol/with.toml
+++ b/integration/fixtures/proxy-protocol/with.toml
@@ -12,6 +12,7 @@
      trustedIPs = ["{{.HaproxyIP}}"]

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/proxy-protocol/without.toml
+++ b/integration/fixtures/proxy-protocol/without.toml
@@ -12,6 +12,7 @@
      trustedIPs = ["1.2.3.4"]

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/ratelimit/simple.toml
+++ b/integration/fixtures/ratelimit/simple.toml
@@ -3,6 +3,7 @@
  sendAnonymousUsage = false

 [api]
+  insecure = true

 [log]
  level = "DEBUG"
--- a/integration/fixtures/rest/simple.toml
+++ b/integration/fixtures/rest/simple.toml
@@ -10,6 +10,8 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers]
  [providers.rest]
+  insecure = true
--- a/integration/fixtures/rest/simple_secure.toml
+++ b/integration/fixtures/rest/simple_secure.toml
@@ -0,0 +1,27 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[api]
+  insecure = true
+
+[providers.rest]
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+[http.routers.rest]
+    rule="PathPrefix(`/secure`)"
+    service="rest@internal"
+    middlewares=["strip"]
+
+[http.middlewares.strip.stripPrefix]
+    prefixes = [ "/secure" ]
+    
--- a/integration/fixtures/retry/simple.toml
+++ b/integration/fixtures/retry/simple.toml
@@ -10,6 +10,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/router_errors.toml
+++ b/integration/fixtures/router_errors.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/service_errors.toml
+++ b/integration/fixtures/service_errors.toml
@@ -10,6 +10,7 @@
    address = ":4443"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/simple_auth.toml
+++ b/integration/fixtures/simple_auth.toml
@@ -13,6 +13,7 @@
    address = ":8001"

 [api]
+  insecure = true
  middlewares = ["authentication@file"]

 [ping]
--- a/integration/fixtures/simple_hostresolver.toml
+++ b/integration/fixtures/simple_hostresolver.toml
@@ -10,6 +10,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers]
  [providers.docker]
--- a/integration/fixtures/simple_secure_api.toml
+++ b/integration/fixtures/simple_secure_api.toml
@@ -0,0 +1,25 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+ [entryPoints.traefik]
+    address = ":8080"
+
+
+[api]
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+[http.routers.api]
+    rule="PathPrefix(`/secure`)"
+    service="api@internal"
+    middlewares=["strip"]
+
+[http.middlewares.strip.stripPrefix]
+    prefixes = [ "/secure" ]
+    
--- a/integration/fixtures/simple_stats.toml
+++ b/integration/fixtures/simple_stats.toml
@@ -10,6 +10,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/simple_web.toml
+++ b/integration/fixtures/simple_web.toml
@@ -10,3 +10,4 @@
    address = ":8000"

 [api]
+  insecure = true
--- a/integration/fixtures/simple_whitelist.toml
+++ b/integration/fixtures/simple_whitelist.toml
@@ -9,9 +9,10 @@
  [entryPoints.web]
    address = ":8000"
    [entryPoints.web.ForwardedHeaders]
-      insecure=true
+      insecure = true

 [api]
+  insecure = true

 [providers]
  [providers.docker]
--- a/integration/fixtures/tcp/catch-all-no-tls-with-https.toml
+++ b/integration/fixtures/tcp/catch-all-no-tls-with-https.toml
@@ -10,6 +10,7 @@
    address = ":8093"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/tcp/catch-all-no-tls.toml
+++ b/integration/fixtures/tcp/catch-all-no-tls.toml
@@ -10,6 +10,7 @@
    address = ":8093"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/tcp/mixed.toml
+++ b/integration/fixtures/tcp/mixed.toml
@@ -10,6 +10,7 @@
    address = ":8093"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/tcp/multi-tls-options.toml
+++ b/integration/fixtures/tcp/multi-tls-options.toml
@@ -10,6 +10,7 @@
    address = ":8093"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/tcp/non-tls-fallback.toml
+++ b/integration/fixtures/tcp/non-tls-fallback.toml
@@ -10,6 +10,7 @@
    address = ":8093"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/tcp/non-tls.toml
+++ b/integration/fixtures/tcp/non-tls.toml
@@ -10,6 +10,7 @@
    address = ":8093"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/timeout/forwarding_timeouts.toml
+++ b/integration/fixtures/timeout/forwarding_timeouts.toml
@@ -17,6 +17,7 @@
  format = "json"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/integration/fixtures/timeout/keepalive.toml
+++ b/integration/fixtures/timeout/keepalive.toml
@@ -13,6 +13,7 @@
    address = ":8000"

 [api]
+  insecure = true

 [providers.file]
  filename = "{{ .SelfFilename }}"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ludovic Fernandez	e40e3af760	Prepare release v2.0.0-rc3	2019-09-10 18:58:03 +02:00
Ludovic Fernandez	24a2788081	Prepare release v1.7.14	2019-09-10 18:30:05 +02:00
mpl	1388266102	Finish kubernetes throttling refactoring	2019-09-10 18:30:05 +02:00
Ben Weissmann	43af0b051f	Throttle Kubernetes config refresh	2019-09-10 18:30:05 +02:00
Ludovic Fernandez	6e8138e19b	Update golangci-lint	2019-09-10 17:52:04 +02:00
Julien Salleyron	fb8edd86d5	k8s ErrorPage middleware now uses k8s service	2019-09-10 17:24:03 +02:00
Julien Salleyron	34be181706	Add provider in middleware chain	2019-09-10 16:12:05 +02:00
Jorge Gonzalez	fcc1109e76	Add more pages in the WebUI	2019-09-10 14:40:05 +02:00
mpl	2b828765e3	Improve rate limiter tests Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-09-09 20:02:04 +02:00
Ludovic Fernandez	25f4c23ab2	Write HTTP server logs into the global logger.	2019-09-09 14:52:04 +02:00
Ludovic Fernandez	be90b20a5d	fix: TLS domains with IngressRoute.	2019-09-09 13:52:04 +02:00
Ludovic Fernandez	232c113dae	Misc documentation fixes	2019-09-09 10:36:08 +02:00
mpl	605a9b2817	Default to CLF when accesslog format is unsupported	2019-09-09 09:24:03 +02:00
Julien Salleyron	d044c0f4cc	New API security	2019-09-06 15:08:04 +02:00
Julien Salleyron	1959e1fd44	Auth middlewares in kubernetes CRD uses secrets	2019-09-05 13:42:04 +02:00
mpl	6712423dd1	misc documentation fixes	2019-09-05 10:48:04 +02:00
Jean-Baptiste Doumenjou	3689990bd5	Enhance the Retry Middleware Documentation Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2019-09-04 17:28:03 +02:00
Michael	81a1f618f9	Update to go 1.13	2019-09-04 11:16:03 +02:00