fix: doc requirements

Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>

.goreleaser.yml

@@ -34,8 +34,10 @@ builds:
         goarch: 386
       - goos: openbsd
         goarch: arm
+      - goos: openbsd
+        goarch: arm64
       - goos: freebsd
-        goarch: arm
+        goarch: arm64
 
 changelog:
   skip: true

CHANGELOG.md

@@ -1,3 +1,32 @@
+## [v2.1.9](https://github.com/containous/traefik/tree/v2.1.9) (2020-03-23)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.8...v2.1.9)
+
+**Bug fixes:**
+- **[provider,sticky-session]** Fix sameSite ([#6538](https://github.com/containous/traefik/pull/6538) by [ldez](https://github.com/ldez))
+- **[server]** Force http/1.1 for upgrade ([#6554](https://github.com/containous/traefik/pull/6554) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- Fix tab name ([#6543](https://github.com/containous/traefik/pull/6543) by [mavimo](https://github.com/mavimo))
+
+## [v2.1.8](https://github.com/containous/traefik/tree/v2.1.8) (2020-03-19)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.7...v2.1.8)
+
+**Bug fixes:**
+- **[middleware,metrics]** Fix memory leak in metrics ([#6522](https://github.com/containous/traefik/pull/6522) by [juliens](https://github.com/juliens))
+
+## [v2.1.7](https://github.com/containous/traefik/tree/v2.1.7) (2020-03-18)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.6...v2.1.7)
+
+**Bug fixes:**
+- **[logs,middleware]** Access log field quotes. ([#6484](https://github.com/containous/traefik/pull/6484) by [ldez](https://github.com/ldez))
+- **[metrics]** fix statsd scale for duration based metrics ([#6054](https://github.com/containous/traefik/pull/6054) by [ddtmachado](https://github.com/ddtmachado))
+- **[middleware]** Added support for replacement containing escaped characters ([#6413](https://github.com/containous/traefik/pull/6413) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[acme,docker]** Add some missing doc. ([#6422](https://github.com/containous/traefik/pull/6422) by [ldez](https://github.com/ldez))
+- **[acme]** Added wildcard ACME example ([#6423](https://github.com/containous/traefik/pull/6423) by [Basster](https://github.com/Basster))
+- **[acme]** fix typo ([#6408](https://github.com/containous/traefik/pull/6408) by [hamiltont](https://github.com/hamiltont))
+
 ## [v2.1.6](https://github.com/containous/traefik/tree/v2.1.6) (2020-02-28)
 [All Commits](https://github.com/containous/traefik/compare/v2.1.4...v2.1.6)
 

build.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.13-alpine
+FROM golang:1.14-alpine
 
 RUN apk --update upgrade \
     && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.23.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.23.8
 
 # Download golangci-lint and misspell binary to bin folder in $GOPATH
 RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell

docs/check.Dockerfile

@@ -1,5 +1,4 @@
-
-FROM alpine:3.10 as alpine
+FROM alpine:3.15 as alpine
 
 RUN apk --no-cache --no-progress add \
     libcurl \
@@ -9,7 +8,7 @@ RUN apk --no-cache --no-progress add \
     ruby-ffi \
     ruby-json \
     ruby-nokogiri
-RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libraries
+RUN gem install html-proofer --version 3.19.3 --no-document -- --use-system-libraries
 
 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \

docs/content/contributing/building-testing.md

@@ -60,7 +60,7 @@ PRE_TARGET= make test-unit
 
 Requirements:
 
-- `go` v1.13+
+- `go` v1.14+
 - environment variable `GO111MODULE=on`
 - [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 

docs/content/https/include-acme-single-domain-example.md

@@ -52,7 +52,7 @@ labels:
   - traefik.http.routers.blog.tls.certresolver=myresolver
 ```
 
-```toml tab="Single Domain"
+```toml tab="File (TOML)"
 ## Dynamic configuration
 [http.routers]
   [http.routers.blog]

docs/content/middlewares/headers.md

@@ -23,7 +23,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     customRequestHeaders:
@@ -86,7 +86,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     customRequestHeaders:
@@ -148,7 +148,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     frameDeny: "true"
@@ -206,7 +206,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     accessControlAllowMethods:

docs/content/middlewares/ipwhitelist.md

@@ -90,7 +90,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
-      name: testIPwhitelist
+      name: test-ipwhitelist
     spec:
       ipWhiteList:
         sourceRange:

docs/content/migration/v1-to-v2.md

@@ -748,6 +748,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
           middlewares:
             - name: admin-stripprefix
     ---
+    apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
       name: admin-stripprefix

docs/content/observability/access-logs.md

@@ -35,7 +35,7 @@ If the given format is unsupported, the default (CLF) is used instead.
 !!! info "Common Log Format"
     
     ```html
-    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
 
 ### `bufferingSize`
@@ -195,6 +195,7 @@ accessLog:
     | `RequestMethod`         | The HTTP method.                                                                                                                                                    |
     | `RequestPath`           | The HTTP request URI, not including the scheme, host or port.                                                                                                       |
     | `RequestProtocol`       | The version of HTTP requested.                                                                                                                                      |
+    | `RequestScheme`         | The HTTP scheme requested `http` or `https`.                                                                                                                        |
     | `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
     | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
     | `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -146,6 +146,7 @@
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.httponly=true"
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.name=foobar"
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
+- "traefik.http.services.service01.loadbalancer.sticky.cookie.samesite=foobar"
 - "traefik.http.services.service01.loadbalancer.server.port=foobar"
 - "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -43,6 +43,7 @@
             name = "foobar"
             secure = true
             httpOnly = true
+            sameSite = "foobar"
 
         [[http.services.Service01.loadBalancer.servers]]
           url = "foobar"
@@ -87,6 +88,7 @@
             name = "foobar"
             secure = true
             httpOnly = true
+            sameSite = "foobar"
   [http.middlewares]
     [http.middlewares.Middleware00]
       [http.middlewares.Middleware00.addPrefix]

docs/content/reference/dynamic-configuration/file.yaml

@@ -52,6 +52,7 @@ http:
             name: foobar
             secure: true
             httpOnly: true
+            sameSite: foobar
         servers:
         - url: foobar
         - url: foobar
@@ -88,6 +89,7 @@ http:
             name: foobar
             secure: true
             httpOnly: true
+            sameSite: foobar
   middlewares:
     Middleware00:
       addPrefix:

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -143,6 +143,7 @@
 "traefik.http.services.service01.loadbalancer.sticky.cookie.httponly": "true",
 "traefik.http.services.service01.loadbalancer.sticky.cookie.name": "foobar",
 "traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
+"traefik.http.services.service01.loadbalancer.sticky.cookie.samesite": "foobar",
 "traefik.http.services.service01.loadbalancer.server.port": "foobar",
 "traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
 "traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",

docs/content/routing/providers/consul-catalog.md

@@ -225,6 +225,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
     <!-- TODO doc responseforwarding in services page -->
     

docs/content/routing/providers/docker.md

@@ -358,6 +358,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
 
     See [response forwarding](../services/index.md#response-forwarding) for more information.

docs/content/routing/providers/kubernetes-crd.md

@@ -195,6 +195,7 @@ Register the `IngressRoute` kind in the Kubernetes cluster before creating `Ingr
               httpOnly: true
               name: cookie
               secure: true
+              sameSite: none
           strategy: RoundRobin
           weight: 10
       tls:                              # [9]

docs/content/routing/providers/marathon.md

@@ -256,6 +256,14 @@ For example, to change the passHostHeader behavior, you'd add the label `"traefi
     "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure": "true"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite": "none"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
     
     See [response forwarding](../services/index.md#response-forwarding) for more information.

docs/content/routing/providers/rancher.md

@@ -262,6 +262,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
     
     See [response forwarding](../services/index.md#response-forwarding) for more information.

docs/content/routing/services/index.md

@@ -156,9 +156,12 @@ On subsequent requests, the client is forwarded to the same server.
 
     The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
 
-!!! info "Secure & HTTPOnly flags"
+!!! info "Secure & HTTPOnly & SameSite flags"
 
-    By default, the affinity cookie is created without those flags. One however can change that through configuration.
+    By default, the affinity cookie is created without those flags.
+    One however can change that through configuration.
+    
+    `SameSite` can be `none`, `lax`, `strict` or empty.
 
 ??? example "Adding Stickiness -- Using the [File Provider](../../providers/file.md)"
 
@@ -189,6 +192,7 @@ On subsequent requests, the client is forwarded to the same server.
           name = "my_sticky_cookie_name"
           secure = true
           httpOnly = true
+          sameSite = "none"
     ```
 
     ```yaml tab="YAML"

docs/mkdocs.yml

@@ -26,11 +26,7 @@ theme:
     prev: 'Previous'
     next: 'Next'
 
-copyright: "Copyright © 2016-2019 Containous"
-
-google_analytics:
-  - 'UA-51880359-3'
-  - 'docs.traefik.io'
+copyright: "Copyright © 2016-2020 Containous"
 
 extra_css:
   - assets/styles/extra.css # Our custom styles

docs/requirements.txt

@@ -4,3 +4,23 @@ mkdocs-bootswatch==1.0
 mkdocs-material==4.4.3
 markdown-include==0.5.1
 mkdocs-exclude==1.0.2
+Jinja2==3.0.0
+
+click==8.1.3
+csscompressor==0.9.5
+htmlmin==0.1.12
+importlib-metadata==4.12.0
+jsmin==3.0.1
+livereload==2.6.3
+Markdown==3.3.7
+MarkupSafe==2.1.1
+mkdocs-exclude==1.0.2
+mkdocs-minify-plugin==0.5.0
+pep562==1.1
+Pygments==2.12.0
+pymdown-extensions==6.1
+PyYAML==6.0
+six==1.16.0
+tornado==6.2
+typing-extensions==4.3.0
+zipp==3.8.1

docs/theme/main.html

@@ -1,5 +1,15 @@
 {% extends "base.html" %}
 
+{% block analytics %}
+<!-- Google Tag Manager -->
+<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+            new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+        j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+        'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+    })(window,document,'script','dataLayer','GTM-NMWC63S');</script>
+<!-- End Google Tag Manager -->
+{% endblock %}
+
 {% block footer %}
 
 {% import "partials/language.html" as lang with context %}
@@ -34,4 +44,4 @@
     </div>
 </footer>
 
-{% endblock %}
+{% endblock %}

exp.Dockerfile

@@ -12,7 +12,7 @@ RUN npm install
 RUN npm run build
 
 # BUILD
-FROM golang:1.13-alpine as gobuild
+FROM golang:1.14-alpine as gobuild
 
 RUN apk --update upgrade \
     && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \

go.mod

@@ -1,6 +1,6 @@
 module github.com/containous/traefik/v2
 
-go 1.13
+go 1.14
 
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
@@ -46,7 +46,7 @@ require (
 	github.com/google/go-github/v28 v28.0.0
 	github.com/googleapis/gnostic v0.1.0 // indirect
 	github.com/gorilla/mux v1.7.3
-	github.com/gorilla/websocket v1.4.0
+	github.com/gorilla/websocket v1.4.2
 	github.com/hashicorp/consul/api v1.2.0
 	github.com/hashicorp/go-version v1.2.0
 	github.com/huandu/xstrings v1.2.0 // indirect
@@ -76,7 +76,7 @@ require (
 	github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4
 	github.com/rancher/go-rancher-metadata v0.0.0-00010101000000-000000000000
 	github.com/sirupsen/logrus v1.4.2
-	github.com/stretchr/testify v1.4.0
+	github.com/stretchr/testify v1.5.1
 	github.com/stvp/go-udp-testing v0.0.0-20171104055251-c4434f09ec13
 	github.com/tinylib/msgp v1.0.2 // indirect
 	github.com/transip/gotransip v5.8.2+incompatible // indirect
@@ -85,7 +85,7 @@ require (
 	github.com/unrolled/render v1.0.1
 	github.com/unrolled/secure v1.0.5
 	github.com/vdemeester/shakers v0.1.0
-	github.com/vulcand/oxy v1.0.0
+	github.com/vulcand/oxy v1.1.0
 	github.com/vulcand/predicate v1.1.0
 	golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a
 	golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // indirect

go.sum

@@ -282,6 +282,8 @@ github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/websocket v1.4.0 h1:WDFjx/TMzVgy9VdMMQi2K2Emtwi2QcUQsztZ/zLaH/Q=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gravitational/trace v0.0.0-20190726142706-a535a178675f h1:68WxnfBzJRYktZ30fmIjGQ74RsXYLoeH2/NITPktTMY=
 github.com/gravitational/trace v0.0.0-20190726142706-a535a178675f/go.mod h1:RvdOUHE4SHqR3oXlFFKnGzms8a5dugHygGw1bqDstYI=
 github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
@@ -558,6 +560,8 @@ github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stvp/go-udp-testing v0.0.0-20171104055251-c4434f09ec13 h1:WYRIgR83bWdH2zjqXalfLuQYtgBG1KKxDRxinx2ygMI=
 github.com/stvp/go-udp-testing v0.0.0-20171104055251-c4434f09ec13/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
 github.com/timewasted/linode v0.0.0-20160829202747-37e84520dcf7 h1:CpHxIaZzVy26GqJn8ptRyto8fuoYOd1v0fXm9bG3wQ8=
@@ -582,8 +586,8 @@ github.com/unrolled/secure v1.0.5/go.mod h1:R6rugAuzh4TQpbFAq69oqZggyBQxFRFQIewt
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/vdemeester/shakers v0.1.0 h1:K+n9sSyUCg2ywmZkv+3c7vsYZfivcfKhMh8kRxCrONM=
 github.com/vdemeester/shakers v0.1.0/go.mod h1:IZ1HHynUOQt32iQ3rvAeVddXLd19h/6LWiKsh9RZtAQ=
-github.com/vulcand/oxy v1.0.0 h1:7vL5/pjDFzHGbtBEhmlHITUi6KLH4xXTDF33/wrdRKw=
-github.com/vulcand/oxy v1.0.0/go.mod h1:6EXgOAl6CRa46/2ZGcDJKf3ywJUp5WtT7vSlGSkvecI=
+github.com/vulcand/oxy v1.1.0 h1:DbBijGo1+6cFqR9jarkMxasdj0lgWwrrFtue6ijek4Q=
+github.com/vulcand/oxy v1.1.0/go.mod h1:ADiMYHi8gkGl2987yQIzDRoXZilANF4WtKaQ92OppKY=
 github.com/vulcand/predicate v1.1.0 h1:Gq/uWopa4rx/tnZu2opOSBqHK63Yqlou/SzrbwdJiNg=
 github.com/vulcand/predicate v1.1.0/go.mod h1:mlccC5IRBoc2cIFmCB8ZM62I3VDb6p2GXESMHa3CnZg=
 github.com/vultr/govultr v0.1.4 h1:UnNMixYFVO0p80itc8PcweoVENyo1PasfvwKhoasR9U=
@@ -853,6 +857,7 @@ k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30 h1:TRb4wNWoBVrH9plmkp2q86
 k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da h1:ElyM7RPonbKnQqOcw7dG2IK5uvQQn3b/WPHqD5mBvP4=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
+launchpad.net/gocheck v0.0.0-20140225173054-000000000087/go.mod h1:hj7XX3B/0A+80Vse0e+BUHsHMTEhd0O4cpUHr/e/BUM=
 modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
 modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk=
 modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k=

pkg/config/dynamic/http_config.go

@@ -97,6 +97,7 @@ type Cookie struct {
 	Name     string `json:"name,omitempty" toml:"name,omitempty" yaml:"name,omitempty"`
 	Secure   bool   `json:"secure,omitempty" toml:"secure,omitempty" yaml:"secure,omitempty"`
 	HTTPOnly bool   `json:"httpOnly,omitempty" toml:"httpOnly,omitempty" yaml:"httpOnly,omitempty"`
+	SameSite string `json:"sameSite,omitempty" toml:"sameSite,omitempty" yaml:"sameSite,omitempty"`
 }
 
 // +k8s:deepcopy-gen=true

pkg/metrics/metrics.go

@@ -191,36 +191,29 @@ func (r *standardRegistry) ServiceServerUpGauge() metrics.Gauge {
 // used when producing observations without explicitly setting the observed value.
 type ScalableHistogram interface {
 	With(labelValues ...string) ScalableHistogram
-	StartAt(t time.Time)
 	Observe(v float64)
-	ObserveDuration()
+	ObserveFromStart(start time.Time)
 }
 
 // HistogramWithScale is a histogram that will convert its observed value to the specified unit.
 type HistogramWithScale struct {
 	histogram metrics.Histogram
 	unit      time.Duration
-	start     time.Time
 }
 
 // With implements ScalableHistogram.
 func (s *HistogramWithScale) With(labelValues ...string) ScalableHistogram {
-	s.histogram = s.histogram.With(labelValues...)
-	return s
+	h, _ := NewHistogramWithScale(s.histogram.With(labelValues...), s.unit)
+	return h
 }
 
-// StartAt implements ScalableHistogram.
-func (s *HistogramWithScale) StartAt(t time.Time) {
-	s.start = t
-}
-
-// ObserveDuration implements ScalableHistogram.
-func (s *HistogramWithScale) ObserveDuration() {
+// ObserveFromStart implements ScalableHistogram.
+func (s *HistogramWithScale) ObserveFromStart(start time.Time) {
 	if s.unit <= 0 {
 		return
 	}
 
-	d := float64(time.Since(s.start).Nanoseconds()) / float64(s.unit)
+	d := float64(time.Since(start).Nanoseconds()) / float64(s.unit)
 	if d < 0 {
 		d = 0
 	}
@@ -251,17 +244,10 @@ func NewMultiHistogram(h ...ScalableHistogram) MultiHistogram {
 	return MultiHistogram(h)
 }
 
-// StartAt implements ScalableHistogram.
-func (h MultiHistogram) StartAt(t time.Time) {
+// ObserveFromStart implements ScalableHistogram.
+func (h MultiHistogram) ObserveFromStart(start time.Time) {
 	for _, histogram := range h {
-		histogram.StartAt(t)
-	}
-}
-
-// ObserveDuration implements ScalableHistogram.
-func (h MultiHistogram) ObserveDuration() {
-	for _, histogram := range h {
-		histogram.ObserveDuration()
+		histogram.ObserveFromStart(start)
 	}
 }
 

pkg/metrics/metrics_test.go

@@ -19,9 +19,9 @@ func TestScalableHistogram(t *testing.T) {
 
 	ticker := time.NewTicker(500 * time.Millisecond)
 	<-ticker.C
-	sh.StartAt(time.Now())
+	start := time.Now()
 	<-ticker.C
-	sh.ObserveDuration()
+	sh.ObserveFromStart(start)
 
 	var b bytes.Buffer
 	h.Print(&b)
@@ -99,9 +99,7 @@ func (c *histogramMock) With(labelValues ...string) ScalableHistogram {
 
 func (c *histogramMock) Start() {}
 
-func (c *histogramMock) StartAt(t time.Time) {}
-
-func (c *histogramMock) ObserveDuration() {}
+func (c *histogramMock) ObserveFromStart(t time.Time) {}
 
 func (c *histogramMock) Observe(v float64) {
 	c.lastHistogramValue = v

pkg/middlewares/accesslog/logger_formatters.go

@@ -45,8 +45,8 @@ func (f *CommonLogFormatter) Format(entry *logrus.Entry) ([]byte, error) {
 		toLog(entry.Data, "request_Referer", `"-"`, true),
 		toLog(entry.Data, "request_User-Agent", `"-"`, true),
 		toLog(entry.Data, RequestCount, defaultValue, true),
-		toLog(entry.Data, RouterName, defaultValue, true),
-		toLog(entry.Data, ServiceURL, defaultValue, true),
+		toLog(entry.Data, RouterName, `"-"`, true),
+		toLog(entry.Data, ServiceURL, `"-"`, true),
 		elapsedMillis)
 
 	return b.Bytes(), err

pkg/middlewares/accesslog/logger_formatters_test.go

@@ -36,7 +36,7 @@ func TestCommonLogFormatter_Format(t *testing.T) {
 				RouterName:             "",
 				ServiceURL:             "",
 			},
-			expectedLog: `10.0.0.1 - Client [10/Nov/2009:23:00:00 +0000] "GET /foo http" - - "-" "-" 0 - - 123000ms
+			expectedLog: `10.0.0.1 - Client [10/Nov/2009:23:00:00 +0000] "GET /foo http" - - "-" "-" 0 "-" "-" 123000ms
 `,
 		},
 		{

pkg/middlewares/accesslog/logger_test.go

@@ -449,7 +449,7 @@ func TestNewLogHandlerOutputStdout(t *testing.T) {
 					DefaultMode: "drop",
 				},
 			},
-			expectedLog: `- - - [-] "- - -" - - "testReferer" "testUserAgent" - - - 0ms`,
+			expectedLog: `- - - [-] "- - -" - - "testReferer" "testUserAgent" - "-" "-" 0ms`,
 		},
 		{
 			desc: "Default mode drop with override",
@@ -464,7 +464,7 @@ func TestNewLogHandlerOutputStdout(t *testing.T) {
 					},
 				},
 			},
-			expectedLog: `- - TestUser [-] "- - -" - - "testReferer" "testUserAgent" - - - 0ms`,
+			expectedLog: `- - TestUser [-] "- - -" - - "testReferer" "testUserAgent" - "-" "-" 0ms`,
 		},
 		{
 			desc: "Default mode drop with header dropped",
@@ -482,7 +482,7 @@ func TestNewLogHandlerOutputStdout(t *testing.T) {
 					},
 				},
 			},
-			expectedLog: `- - TestUser [-] "- - -" - - "-" "-" - - - 0ms`,
+			expectedLog: `- - TestUser [-] "- - -" - - "-" "-" - "-" "-" 0ms`,
 		},
 		{
 			desc: "Default mode drop with header redacted",
@@ -500,7 +500,7 @@ func TestNewLogHandlerOutputStdout(t *testing.T) {
 					},
 				},
 			},
-			expectedLog: `- - TestUser [-] "- - -" - - "REDACTED" "REDACTED" - - - 0ms`,
+			expectedLog: `- - TestUser [-] "- - -" - - "REDACTED" "REDACTED" - "-" "-" 0ms`,
 		},
 		{
 			desc: "Default mode drop with header redacted",
@@ -521,7 +521,7 @@ func TestNewLogHandlerOutputStdout(t *testing.T) {
 					},
 				},
 			},
-			expectedLog: `- - TestUser [-] "- - -" - - "REDACTED" "testUserAgent" - - - 0ms`,
+			expectedLog: `- - TestUser [-] "- - -" - - "REDACTED" "testUserAgent" - "-" "-" 0ms`,
 		},
 	}
 

pkg/middlewares/metrics/metrics.go

@@ -96,11 +96,9 @@ func (m *metricsMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 	labels = append(labels, "code", strconv.Itoa(recorder.getCode()))
 
 	histograms := m.reqDurationHistogram.With(labels...)
-	histograms.StartAt(start)
+	histograms.ObserveFromStart(start)
 
 	m.reqsCounter.With(labels...).Add(1)
-
-	histograms.ObserveDuration()
 }
 
 func getRequestProtocol(req *http.Request) string {

pkg/server/service/roundtripper.go

@@ -23,12 +23,12 @@ func (t *h2cTransportWrapper) RoundTrip(req *http.Request) (*http.Response, erro
 	return t.Transport.RoundTrip(req)
 }
 
-// createHTTPTransport creates an http.Transport configured with the Transport configuration settings.
+// createRoundtripper creates an http.Roundtripper configured with the Transport configuration settings.
 // For the settings that can't be configured in Traefik it uses the default http.Transport settings.
 // An exception to this is the MaxIdleConns setting as we only provide the option MaxIdleConnsPerHost
 // in Traefik at this point in time. Setting this value to the default of 100 could lead to confusing
 // behavior and backwards compatibility issues.
-func createHTTPTransport(transportConfiguration *static.ServersTransport) (*http.Transport, error) {
+func createRoundtripper(transportConfiguration *static.ServersTransport) (http.RoundTripper, error) {
 	if transportConfiguration == nil {
 		return nil, errors.New("no transport configuration given")
 	}
@@ -66,25 +66,26 @@ func createHTTPTransport(transportConfiguration *static.ServersTransport) (*http
 		transport.IdleConnTimeout = time.Duration(transportConfiguration.ForwardingTimeouts.IdleConnTimeout)
 	}
 
-	if transportConfiguration.InsecureSkipVerify {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-
-	if len(transportConfiguration.RootCAs) > 0 {
+	if transportConfiguration.InsecureSkipVerify || len(transportConfiguration.RootCAs) > 0 {
 		transport.TLSClientConfig = &tls.Config{
-			RootCAs: createRootCACertPool(transportConfiguration.RootCAs),
+			InsecureSkipVerify: transportConfiguration.InsecureSkipVerify,
+			RootCAs:            createRootCACertPool(transportConfiguration.RootCAs),
 		}
 	}
 
-	err := http2.ConfigureTransport(transport)
+	smartTransport, err := newSmartRoundTripper(transport)
 	if err != nil {
 		return nil, err
 	}
 
-	return transport, nil
+	return smartTransport, nil
 }
 
 func createRootCACertPool(rootCAs []traefiktls.FileOrContent) *x509.CertPool {
+	if len(rootCAs) == 0 {
+		return nil
+	}
+
 	roots := x509.NewCertPool()
 
 	for _, cert := range rootCAs {
@@ -100,7 +101,7 @@ func createRootCACertPool(rootCAs []traefiktls.FileOrContent) *x509.CertPool {
 }
 
 func setupDefaultRoundTripper(conf *static.ServersTransport) http.RoundTripper {
-	transport, err := createHTTPTransport(conf)
+	transport, err := createRoundtripper(conf)
 	if err != nil {
 		log.WithoutContext().Errorf("Could not configure HTTP Transport, fallbacking on default transport: %v", err)
 		return http.DefaultTransport

pkg/server/service/service.go

@@ -283,8 +283,15 @@ func (m *Manager) getLoadBalancer(ctx context.Context, serviceName string, servi
 	var cookieName string
 	if service.Sticky != nil && service.Sticky.Cookie != nil {
 		cookieName = cookie.GetName(service.Sticky.Cookie.Name, serviceName)
-		opts := roundrobin.CookieOptions{HTTPOnly: service.Sticky.Cookie.HTTPOnly, Secure: service.Sticky.Cookie.Secure}
+
+		opts := roundrobin.CookieOptions{
+			HTTPOnly: service.Sticky.Cookie.HTTPOnly,
+			Secure:   service.Sticky.Cookie.Secure,
+			SameSite: convertSameSite(service.Sticky.Cookie.SameSite),
+		}
+
 		options = append(options, roundrobin.EnableStickySession(roundrobin.NewStickySessionWithOptions(cookieName, opts)))
+
 		logger.Debugf("Sticky session cookie name: %v", cookieName)
 	}
 
@@ -320,3 +327,16 @@ func (m *Manager) upsertServers(ctx context.Context, lb healthcheck.BalancerHand
 	}
 	return nil
 }
+
+func convertSameSite(sameSite string) http.SameSite {
+	switch sameSite {
+	case "none":
+		return http.SameSiteNoneMode
+	case "lax":
+		return http.SameSiteLaxMode
+	case "strict":
+		return http.SameSiteStrictMode
+	default:
+		return 0
+	}
+}

pkg/server/service/smart_roundtripper.go

@@ -0,0 +1,38 @@
+package service
+
+import (
+	"net/http"
+
+	"golang.org/x/net/http/httpguts"
+	"golang.org/x/net/http2"
+)
+
+func newSmartRoundTripper(transport *http.Transport) (http.RoundTripper, error) {
+	transportHTTP1 := transport.Clone()
+
+	err := http2.ConfigureTransport(transport)
+	if err != nil {
+		return nil, err
+	}
+
+	return &smartRoundTripper{
+		http2: transport,
+		http:  transportHTTP1,
+	}, nil
+}
+
+type smartRoundTripper struct {
+	http2 *http.Transport
+	http  *http.Transport
+}
+
+// smartRoundTripper implements RoundTrip while making sure that HTTP/2 is not used
+// with protocols that start with a Connection Upgrade, such as SPDY or Websocket.
+func (m *smartRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	// If we have a connection upgrade, we don't use HTTP/2
+	if httpguts.HeaderValuesContainsToken(req.Header["Connection"], "Upgrade") {
+		return m.http.RoundTrip(req)
+	}
+
+	return m.http2.RoundTrip(req)
+}