Prepare release v1.4.3

Add Traefik prefix to the KV key
Flush and errorcode
2017-11-14 12:06:03 +01:00 · 2017-11-14 11:38:03 +01:00 · 2017-11-14 11:16:03 +01:00 · 2017-11-13 12:14:02 +01:00 · 2017-11-10 14:12:02 +01:00 · 2017-11-09 15:54:04 +01:00
35 changed files with 1028 additions and 236 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -16,8 +16,21 @@ HOW TO WRITE A GOOD PULL REQUEST?

 -->

-### Description
+### What does this PR do?

-<!--
-Briefly describe the pull request in a few paragraphs.
-->
+<!-- A brief description of the change being made with this pull request. -->
+
+
+### Motivation
+
+<!-- What inspired you to submit this pull request? -->
+
+
+### More
+
+- [ ] Added/updated tests
+- [ ] Added/updated documentation
+
+### Additional Notes
+
+<!-- Anything else we should know when reviewing? -->
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,41 @@
 # Change Log

+## [v1.4.3](https://github.com/containous/traefik/tree/v1.4.3) (2017-11-14)
+[All Commits](https://github.com/containous/traefik/compare/v1.4.2...v1.4.3)
+
+**Bug fixes:**
+- **[consulcatalog]** Fix Traefik reload if Consul Catalog tags change ([#2389](https://github.com/containous/traefik/pull/2389) by [mmatur](https://github.com/mmatur))
+- **[kv]** Add Traefik prefix to the KV key ([#2400](https://github.com/containous/traefik/pull/2400) by [nmengin](https://github.com/nmengin))
+- **[middleware]** Flush and Status code ([#2403](https://github.com/containous/traefik/pull/2403) by [ldez](https://github.com/ldez))
+- **[middleware]** Exclude GRPC from compress ([#2391](https://github.com/containous/traefik/pull/2391) by [ldez](https://github.com/ldez))
+- **[middleware]** Keep status when stream mode and compress ([#2380](https://github.com/containous/traefik/pull/2380) by [Juliens](https://github.com/Juliens))
+
+**Documentation:**
+- **[acme]** Fix some typos ([#2363](https://github.com/containous/traefik/pull/2363) by [tomsaleeba](https://github.com/tomsaleeba))
+- **[docker]** Minor fix for docker volume vs created directory ([#2372](https://github.com/containous/traefik/pull/2372) by [visibilityspots](https://github.com/visibilityspots))
+- **[k8s]** Link corrected ([#2385](https://github.com/containous/traefik/pull/2385) by [xlazex](https://github.com/xlazex))
+
+**Misc:**
+- **[k8s]** Add secret creation to docs for kubernetes backend ([#2374](https://github.com/containous/traefik/pull/2374) by [shadycuz](https://github.com/shadycuz))
+
+## [v1.4.2](https://github.com/containous/traefik/tree/v1.4.2) (2017-11-02)
+[All Commits](https://github.com/containous/traefik/compare/v1.4.1...v1.4.2)
+
+**Bug fixes:**
+- **[cluster]** Fix datastore corruption on reload due to shrinking config size ([#2340](https://github.com/containous/traefik/pull/2340) by [else](https://github.com/else))
+- **[docker,docker/swarm]** Make frontend names differents for similar routes ([#2338](https://github.com/containous/traefik/pull/2338) by [nmengin](https://github.com/nmengin))
+- **[docker]** Fix IP address when Docker container network mode is container ([#2331](https://github.com/containous/traefik/pull/2331) by [nmengin](https://github.com/nmengin))
+- **[docker]** Make the traefik.port label optional when using service labels in Docker containers. ([#2330](https://github.com/containous/traefik/pull/2330) by [nmengin](https://github.com/nmengin))
+- **[docker]** Add unique ID to Docker services replicas ([#2314](https://github.com/containous/traefik/pull/2314) by [nmengin](https://github.com/nmengin))
+- **[marathon]** Missing Backend key in configuration when application has no tasks ([#2333](https://github.com/containous/traefik/pull/2333) by [aantono](https://github.com/aantono))
+- Remove hardcoded runtime.GOMAXPROCS. ([#2317](https://github.com/containous/traefik/pull/2317) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[k8s]** fixed dead link in kubernetes backend config docs ([#2337](https://github.com/containous/traefik/pull/2337) by [perplexa](https://github.com/perplexa))
+- **[k8s]** Fix the k8s docs example deployment yaml ([#2308](https://github.com/containous/traefik/pull/2308) by [gnur](https://github.com/gnur))
+- Minor grammar change ([#2350](https://github.com/containous/traefik/pull/2350) by [haxorjim](https://github.com/haxorjim))
+- Minor typo ([#2343](https://github.com/containous/traefik/pull/2343) by [burningTyger](https://github.com/burningTyger))
+
 ## [v1.4.1](https://github.com/containous/traefik/tree/v1.4.1) (2017-10-24)
 [All Commits](https://github.com/containous/traefik/compare/v1.4.0...v1.4.1)

--- a/cluster/datastore.go
+++ b/cluster/datastore.go
@@ -119,19 +119,8 @@ func (d *Datastore) watchChanges() error {

 func (d *Datastore) reload() error {
 	log.Debug("Datastore reload")
-	d.localLock.Lock()
-	err := d.kv.LoadConfig(d.meta)
-	if err != nil {
-		d.localLock.Unlock()
-		return err
-	}
-	err = d.meta.unmarshall()
-	if err != nil {
-		d.localLock.Unlock()
-		return err
-	}
-	d.localLock.Unlock()
-	return nil
+	_, err := d.Load()
+	return err
 }

 // Begin creates a transaction with the KV store.
--- a/cmd/traefik/anonymize/anonymize_doOnJSON_test.go
+++ b/cmd/traefik/anonymize/anonymize_doOnJSON_test.go
@@ -1,8 +1,9 @@
 package anonymize

 import (
-	"github.com/stretchr/testify/assert"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )

 func Test_doOnJSON(t *testing.T) {
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -9,7 +9,6 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
-	"runtime"
 	"strings"
 	"time"

@@ -34,8 +33,6 @@ import (
 )

 func main() {
-	runtime.GOMAXPROCS(runtime.NumCPU())
-
 	//traefik config inits
 	traefikConfiguration := NewTraefikConfiguration()
 	traefikPointersConfiguration := NewTraefikDefaultPointersConfiguration()
--- a/docs/configuration/backends/docker.md
+++ b/docs/configuration/backends/docker.md
@@ -187,6 +187,12 @@ Services labels can be used for overriding default behaviour
 | `traefik.<service-name>.frontend.priority`        | Overrides `traefik.frontend.priority`.                                                           |
 | `traefik.<service-name>.frontend.rule`            | Overrides `traefik.frontend.rule`.                                                               |

+
+!!! note
+    if a label is defined both as a `container label` and a `service label` (for example `traefik.<service-name>.port=PORT` and `traefik.port=PORT` ), the `service label` is used to defined the `<service-name>` property (`port` in the example).
+    It's possible to mix `container labels` and `service labels`, in this case `container labels` are used as default value for missing `service labels` but no frontends are going to be created with the `container labels`.
+    More details in this [example](/user-guide/docker-and-lets-encrypt/#labels).
+
 !!! warning
    when running inside a container, Træfik will need network access through:

--- a/docs/configuration/backends/kubernetes.md
+++ b/docs/configuration/backends/kubernetes.md
@@ -118,10 +118,10 @@ If one of the Net-Specifications are invalid, the whole list is invalid and allo
 ### Authentication

 Is possible to add additional authentication annotations in the Ingress rule.
-The source of the authentication is a secret that contains usernames and passwords inside the the key auth.
+The source of the authentication is a secret that contains usernames and passwords inside the key auth.

 - `ingress.kubernetes.io/auth-type`: `basic`
- `ingress.kubernetes.io/auth-secret`  
+- `ingress.kubernetes.io/auth-secret`: `mysecret`  
    Contains the usernames and passwords with access to the paths defined in the Ingress Rule.

 The secret must be created in the same namespace as the Ingress rule.
--- a/docs/configuration/entrypoints.md
+++ b/docs/configuration/entrypoints.md
@@ -118,10 +118,10 @@ Otherwise, the response from the auth server is returned.

 ```toml
 [entryPoints]
-  [entrypoints.http]
+  [entryPoints.http]
    # ...
    # To enable forward auth on an entrypoint
-    [entrypoints.http.auth.forward]
+    [entryPoints.http.auth.forward]
    address = "https://authserver.com/auth"
    
    # Trust existing X-Forwarded-* headers.
@@ -136,7 +136,7 @@ Otherwise, the response from the auth server is returned.
    #
    # Optional
    #
-    [entrypoints.http.auth.forward.tls]
+    [entryPoints.http.auth.forward.tls]
    cert = "authserver.crt"
    key = "authserver.key"
 ```
@@ -221,7 +221,7 @@ Only IPs in `trustedIPs` will lead to remote client address replacement: you sho

 ## Forwarded Header

-Only IPs in `trustedIPs` will be authorize to trust the client forwarded headers (`X-Forwarded-*`).
+Only IPs in `trustedIPs` will be authorized to trust the client forwarded headers (`X-Forwarded-*`).

 ```toml
 [entryPoints]
--- a/docs/user-guide/docker-and-lets-encrypt.md
+++ b/docs/user-guide/docker-and-lets-encrypt.md
@@ -1,8 +1,8 @@
 # Docker & Traefik

-In this use case, we want to use Traefik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.
+In this use case, we want to use Træfik as a _layer-7_ load balancer with SSL termination for a set of micro-services used to run a web application.

-We also want to automatically _discover any services_ on the Docker host and let Traefik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.
+We also want to automatically _discover any services_ on the Docker host and let Træfik reconfigure itself automatically when containers get created (or shut down) so HTTP traffic can be routed accordingly.

 In addition, we want to use Let's Encrypt to automatically generate and renew SSL certificates per hostname.

@@ -19,7 +19,7 @@ In real-life, you'll want to use your own domain and have the DNS configured acc
 Docker containers can only communicate with each other over TCP when they share at least one network.
 This makes sense from a topological point of view in the context of networking, since Docker under the hood creates IPTable rules so containers can't reach other containers _unless you'd want to_.

-In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Traefik) will reside in.
+In this example, we're going to use a single network called `web` where all containers that are handling HTTP traffic (including Træfik) will reside in.

 On the Docker host, run the following command:

@@ -27,7 +27,7 @@ On the Docker host, run the following command:
 docker network create web
 ```

-Now, let's create a directory on the server where we will configure the rest of Traefik:
+Now, let's create a directory on the server where we will configure the rest of Træfik:

 ```shell
 mkdir -p /opt/traefik
@@ -41,7 +41,7 @@ touch /opt/traefik/acme.json && chmod 600 /opt/traefik/acme.json
 touch /opt/traefik/traefik.toml
 ```

-The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Traefik.
+The `docker-compose.yml` file will provide us with a simple, consistent and more importantly, a deterministic way to create Træfik.

 The contents of the file is as follows:

@@ -59,8 +59,8 @@ services:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - /srv/traefik/traefik.toml:/traefik.toml
-      - /srv/traefik/acme.json:/acme.json
+      - /opt/traefik/traefik.toml:/traefik.toml
+      - /opt/traefik/acme.json:/acme.json
    container_name: traefik

 networks:
@@ -69,12 +69,12 @@ networks:
 ```

 As you can see, we're mounting the `traefik.toml` file as well as the (empty) `acme.json` file in the container.  
-Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Traefik can listen to Docker events and reconfigure it's own internal configuration when containers are created (or shut down).  
+Also, we're mounting the `/var/run/docker.sock` Docker socket in the container as well, so Træfik can listen to Docker events and reconfigure it's own internal configuration when containers are created (or shut down).  
 Also, we're making sure the container is automatically restarted by the Docker engine in case of problems (or: if the server is rebooted).
 We're publishing the default HTTP ports `80` and `443` on the host, and making sure the container is placed within the `web` network we've created earlier on.  
 Finally, we're giving this container a static name called `traefik`.

-Let's take a look at a simple `traefik.toml` configuration as well before we'll create the Traefik container:
+Let's take a look at a simple `traefik.toml` configuration as well before we'll create the Træfik container:

 ```toml
 debug = false
@@ -109,17 +109,17 @@ OnHostRule = true
 This is the minimum configuration required to do the following:

 - Log `ERROR`-level messages (or more severe) to the console, but silence `DEBUG`-level messagse
- Check for new versions of Traefik periodically
+- Check for new versions of Træfik periodically
 - Create two entry points, namely an `HTTP` endpoint on port `80`, and an `HTTPS` endpoint on port `443` where all incoming traffic on port `80` will immediately get redirected to `HTTPS`.
- Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Traefik by default, we'll get into this in a bit!**
+- Enable the Docker configuration backend and listen for container events on the Docker unix socket we've mounted earlier. However, **new containers will not be exposed by Træfik by default, we'll get into this in a bit!**
 - Enable automatic request and configuration of SSL certificates using Let's Encrypt.
    These certificates will be stored in the `acme.json` file, which you can back-up yourself and store off-premises.

-Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Traefik container.
+Alright, let's boot the container. From the `/opt/traefik` directory, run `docker-compose up -d` which will create and start the Træfik container.

 ## Exposing Web Services to the Outside World

-Now that we've fully configured and started Traefik, it's time to get our applications running!
+Now that we've fully configured and started Træfik, it's time to get our applications running!

 Let's take a simple example of a micro-service project consisting of various services, where some will be exposed to the outside world and some will not. 

@@ -148,6 +148,10 @@ services:
      - "traefik.frontend.rule=Host:app.my-awesome-app.org"
      - "traefik.enable=true"
      - "traefik.port=9000"
+      - "traefik.default.protocol=http"
+      - "traefik.admin.frontend.rule=Host:admin-app.my-awesome-app.org"
+      - "traefik.admin.protocol=https"
+      - "traefik.admin.port=9443"

  db:
    image: my-docker-registry.com/back-end/5.7
@@ -190,10 +194,10 @@ Since the `traefik` container we've created and started earlier is also attached

 ### Labels

-As mentioned earlier, we don't want containers exposed automatically by Traefik.
+As mentioned earlier, we don't want containers exposed automatically by Træfik.

 The reason behind this is simple: we want to have control over this process ourselves.
-Thanks to Docker labels, we can tell Traefik how to create it's internal routing configuration.
+Thanks to Docker labels, we can tell Træfik how to create it's internal routing configuration.

 Let's take a look at the labels themselves for the `app` service, which is a HTTP webservice listing on port 9000:

@@ -203,31 +207,56 @@ Let's take a look at the labels themselves for the `app` service, which is a HTT
 - "traefik.frontend.rule=Host:app.my-awesome-app.org"
 - "traefik.enable=true"
 - "traefik.port=9000"
+- "traefik.default.protocol=http"
+- "traefik.admin.frontend.rule=Host:admin-app.my-awesome-app.org"
+- "traefik.admin.protocol=https"
+- "traefik.admin.port=9443"
 ```

+We use both `container labels` and `service labels`.
+
+#### Container labels
+
 First, we specify the `backend` name which corresponds to the actual service we're routing **to**.

-We also tell Traefik to use the `web` network to route HTTP traffic to this container.  
-With the `frontend.rule` label, we tell Traefik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
-Essentially, this is the actual rule used for Layer-7 load balancing.  
-With the `traefik.enable` label, we tell Traefik to include this container in it's internal configuration.
+We also tell Træfik to use the `web` network to route HTTP traffic to this container. 
+With the `traefik.enable` label, we tell Træfik to include this container in it's internal configuration.

-Finally but not unimportantly, we tell Traefik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
+With the `frontend.rule` label, we tell Træfik that we want to route to this container if the incoming HTTP request contains the `Host` `app.my-awesome-app.org`.
+Essentially, this is the actual rule used for Layer-7 load balancing. 
+
+Finally but not unimportantly, we tell Træfik to route **to** port `9000`, since that is the actual TCP/IP port the container actually listens on.
+
+### Service labels
+
+`Service labels` allow managing many routes for the same container.
+
+When both `container labels` and `service labels` are defined, `container labels` are just used as default values for missing `service labels` but no frontend/backend are going to be defined only with these labels.
+Obviously, labels `traefik.frontend.rule` and `traefik.port` described above, will only be used to complete information set in `service labels` during the container frontends/bakends creation.
+
+In the example, two service names are defined : `default` and `admin`.
+They allow creating two frontends and two backends.
+
+- `default` has only one `service label` : `traefik.default.protocol`.
+Træfik will use values set in `traefik.frontend.rule` and `traefik.port` to create the `default` frontend and backend.
+The frontend listens to incoming HTTP requests which contain the `Host` `app.my-awesome-app.org` and redirect them in `HTTP` to the port `9000` of the backend.
+- `admin` has all the `services labels` needed to create the `admin` frontend and backend (`traefik.admin.frontend.rule`, `traefik.admin.protocol`, `traefik.admin.port`).
+Træfik will create a frontend to listen to incoming HTTP requests which contain the `Host` `admin-app.my-awesome-app.org` and redirect them in `HTTPS` to the port `9443` of the backend.

 #### Gotchas and tips

 - Always specify the correct port where the container expects HTTP traffic using `traefik.port` label.  
-    If a container exposes multiple ports, Traefik may forward traffic to the wrong port.
+    If a container exposes multiple ports, Træfik may forward traffic to the wrong port.
    Even if a container only exposes one port, you should always write configuration defensively and explicitly.
- Should you choose to enable the `exposedbydefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Traefik will automatically be reachable from the outside world, for everyone and everyone to see.
+- Should you choose to enable the `exposedbydefault` flag in the `traefik.toml` configuration, be aware that all containers that are placed in the same network as Træfik will automatically be reachable from the outside world, for everyone and everyone to see.
    Usually, this is a bad idea.
- With the `traefik.frontend.auth.basic` label, it's possible for Traefik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
- Traefik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
- Traefik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
+- With the `traefik.frontend.auth.basic` label, it's possible for Træfik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.
+- Træfik has built-in support to automatically export [Prometheus](https://prometheus.io) metrics
+- Træfik supports websockets out of the box. In the example above, the `events`-service could be a NodeJS-based application which allows clients to connect using websocket protocol.
    Thanks to the fact that HTTPS in our example is enforced, these websockets are automatically secure as well (WSS)

 ### Final thoughts

-Using Traefik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, powerful and self-configuring solution for your projects.
+Using Træfik as a Layer-7 load balancer in combination with both Docker and Let's Encrypt provides you with an extremely flexible, powerful and self-configuring solution for your projects.

 With Let's Encrypt, your endpoints are automatically secured with production-ready SSL certificates that are renewed automatically as well.
--- a/docs/user-guide/examples.md
+++ b/docs/user-guide/examples.md
@@ -137,7 +137,7 @@ This configuration allows generating a Let's Encrypt certificate during the firs
    * TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DDoS attacks.
    * Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits

-    That's why, it's better to use the `onHostRule` optin if possible.
+    That's why, it's better to use the `onHostRule` option if possible.

 ### DNS challenge

@@ -170,7 +170,7 @@ entryPoint = "https"
 DNS challenge needs environment variables to be executed.
 This variables have to be set on the machine/container which host Traefik.

-These variables has described [in this section](/configuration/acme/#dnsprovider).
+These variables are described [in this section](/configuration/acme/#dnsprovider).

 ### OnHostRule option and provided certificates

@@ -198,7 +198,7 @@ Traefik will only try to generate a Let's encrypt certificate if the domain cann

 #### Prerequisites

-Before to use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely to [this section](/user-guide/kv-config/#store-configuration-in-key-value-store) in the way to know how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.
+Before you use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely at [this section](/user-guide/kv-config/#store-configuration-in-key-value-store), which will describe how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.

 #### Configuration

--- a/docs/user-guide/kubernetes.md
+++ b/docs/user-guide/kubernetes.md
@@ -79,7 +79,7 @@ It is possible to use Træfik with a [Deployment](https://kubernetes.io/docs/con

 The Deployment objects looks like this:

-```yml
+```yaml
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -118,6 +118,7 @@ kind: Service
 apiVersion: v1
 metadata:
  name: traefik-ingress-service
+  namespace: kube-system
 spec:
  selector:
    k8s-app: traefik-ingress-lb
@@ -182,6 +183,7 @@ kind: Service
 apiVersion: v1
 metadata:
  name: traefik-ingress-service
+  namespace: kube-system
 spec:
  selector:
    k8s-app: traefik-ingress-lb
@@ -325,6 +327,72 @@ echo "$(minikube ip) traefik-ui.minikube" | sudo tee -a /etc/hosts

 We should now be able to visit [traefik-ui.minikube](http://traefik-ui.minikube) in the browser and view the Træfik Web UI.

+## Basic Authentication
+
+It's possible to add additional authentication annotations in the Ingress rule.
+The source of the authentication is a secret that contains usernames and passwords inside the key auth.
+To read about basic auth limitations see the [Kubernetes Ingress](/configuration/backends/kubernetes) configuration page.
+
+#### Creating the Secret
+
+A. Use `htpasswd` to create a file containing the username and the base64-encoded password:
+
+```shell
+htpasswd -c ./auth myusername
+```
+
+You will be prompted for a password which you will have to enter twice.
+`htpasswd` will create a file with the following:
+
+```shell
+cat auth
+```
+```
+myusername:$apr1$78Jyn/1K$ERHKVRPPlzAX8eBtLuvRZ0
+```
+
+B. Now use `kubectl` to create a secret in the monitoring namespace using the file created by `htpasswd`.
+
+```shell
+kubectl create secret generic mysecret --from-file auth --namespace=monitoring
+```
+
+!!! note
+    Secret must be in same namespace as the ingress rule.
+
+C. Create the ingress using the following annotations to specify basic auth and that the username and password is stored in `mysecret`.
+
+- `ingress.kubernetes.io/auth-type: "basic"`
+- `ingress.kubernetes.io/auth-secret: "mysecret"`
+
+Following is a full ingress example based on Prometheus:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: prometheus-dashboard
+ namespace: monitoring
+ annotations:
+   kubernetes.io/ingress.class: traefik
+   ingress.kubernetes.io/auth-type: "basic"
+   ingress.kubernetes.io/auth-secret: "mysecret"
+spec:
+ rules:
+ - host: dashboard.prometheus.example.com
+   http:
+     paths:
+     - backend:
+         serviceName: prometheus
+         servicePort: 9090
+```
+
+You can apply the example ingress as following:
+
+```shell
+kubectl create -f prometheus-ingress.yaml -n monitoring
+```
+
 ## Name based routing

 In this example we are going to setup websites for 3 of the United Kingdoms best loved cheeses, Cheddar, Stilton and Wensleydale.
--- a/docs/user-guide/kv-config.md
+++ b/docs/user-guide/kv-config.md
@@ -148,6 +148,37 @@ This variable must be initialized with the ACL token value.

 If Traefik is launched into a Docker container, the variable `CONSUL_HTTP_TOKEN` can be initialized with the `-e` Docker option : `-e "CONSUL_HTTP_TOKEN=[consul-acl-token-value]"`

+If a Consul ACL is used to restrict Træfik read/write access, one of the following configurations is needed.
+
+- HCL format :
+
+```
+    key "traefik" {
+        policy = "write"
+    },
+    
+    session "" {
+        policy = "write"
+    }
+```
+
+- JSON format :
+
+```json
+{
+    "key": {
+        "traefik": {
+          "policy": "write"
+        }
+    },
+    "session": {
+        "": {
+        "policy": "write"
+        }
+    }
+}
+```
+
 ### TLS support

 To connect to a Consul endpoint using SSL, simply specify `https://` in the `consul.endpoint` property
--- a/glide.lock
+++ b/glide.lock
@@ -1,4 +1,4 @@
-hash: de7e6a0069090a5811c003db434da19fe31efcf0c9429d3ccb676295708f0d2b
+hash: bbdbbc9d428937dbaf85e92a3747ebe547f1cc110fbb536c94b5efb3dde6e5ab
 updated: 2017-10-24T14:08:11.364720581+02:00
 imports:
 - name: cloud.google.com/go
@@ -383,7 +383,9 @@ imports:
  repo: https://github.com/ijc25/Gotty.git
  vcs: git
 - name: github.com/NYTimes/gziphandler
-  version: 97ae7fbaf81620fe97840685304a78a306a39c64
+  version: 26a3f68265200656f31940bc15b191f7d10b5bbd
+  repo: https://github.com/containous/gziphandler.git
+  vcs: git
 - name: github.com/ogier/pflag
  version: 45c278ab3607870051a2ea9040bb85fcb8557481
 - name: github.com/opencontainers/go-digest
--- a/glide.yaml
+++ b/glide.yaml
@@ -79,6 +79,9 @@ import:
  vcs: git
 - package: github.com/abbot/go-http-auth
 - package: github.com/NYTimes/gziphandler
+  version: fork-containous
+  repo: https://github.com/containous/gziphandler.git
+  vcs: git
 - package: github.com/docker/leadership
 - package: github.com/satori/go.uuid
  version: ^1.1.0
--- a/integration/consul_catalog_test.go
+++ b/integration/consul_catalog_test.go
@@ -36,7 +36,7 @@ func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
 }

 func (s *ConsulCatalogSuite) waitToElectConsulLeader() error {
-	return try.Do(3*time.Second, func() error {
+	return try.Do(15*time.Second, func() error {
 		leader, err := s.consulClient.Status().Leader()

 		if err != nil || len(leader) == 0 {
@@ -344,8 +344,82 @@ func (s *ConsulCatalogSuite) TestBasicAuthSimpleService(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }

-func (s *ConsulCatalogSuite) TestRetryWithConsulServer(c *check.C) {
+func (s *ConsulCatalogSuite) TestRefreshConfigTagChange(c *check.C) {
+	cmd, display := s.traefikCmd(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=false",
+		"--consulCatalog.watch=true",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()

+	nginx := s.composeProject.Container(c, "nginx1")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1", "traefik.enable=false", "traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 5*time.Second, try.BodyContains("nginx1"))
+	c.Assert(err, checker.NotNil)
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1", "traefik.enable=true", "traefik.backend.circuitbreaker=ResponseCodeRatio(500, 600, 0, 600) > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 20*time.Second, try.StatusCodeIs(http.StatusOK), try.HasBody())
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/providers/consul_catalog/backends", 60*time.Second, try.BodyContains("nginx1"))
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *ConsulCatalogSuite) TestCircuitBreaker(c *check.C) {
+	cmd, display := s.traefikCmd(
+		withConfigFile("fixtures/consul_catalog/simple.toml"),
+		"--retry",
+		"--retry.attempts=1",
+		"--forwardingTimeouts.dialTimeout=5s",
+		"--forwardingTimeouts.responseHeaderTimeout=10s",
+		"--consulCatalog",
+		"--consulCatalog.exposedByDefault=false",
+		"--consulCatalog.watch=true",
+		"--consulCatalog.endpoint="+s.consulIP+":8500",
+		"--consulCatalog.domain=consul.localhost")
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	nginx := s.composeProject.Container(c, "nginx1")
+	nginx2 := s.composeProject.Container(c, "nginx2")
+	nginx3 := s.composeProject.Container(c, "nginx3")
+
+	err = s.registerService("test", nginx.NetworkSettings.IPAddress, 80, []string{"name=nginx1", "traefik.enable=true", "traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx.NetworkSettings.IPAddress)
+	err = s.registerService("test", nginx2.NetworkSettings.IPAddress, 42, []string{"name=nginx2", "traefik.enable=true", "traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx2.NetworkSettings.IPAddress)
+	err = s.registerService("test", nginx3.NetworkSettings.IPAddress, 42, []string{"name=nginx3", "traefik.enable=true", "traefik.backend.circuitbreaker=NetworkErrorRatio() > 0.5"})
+	c.Assert(err, checker.IsNil, check.Commentf("Error registering service"))
+	defer s.deregisterService("test", nginx3.NetworkSettings.IPAddress)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "test.consul.localhost"
+
+	err = try.Request(req, 20*time.Second, try.StatusCodeIs(http.StatusServiceUnavailable), try.HasBody())
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *ConsulCatalogSuite) TestRetryWithConsulServer(c *check.C) {
 	//Scale consul to 0 to be able to start traefik before and test retry
 	s.composeProject.Scale(c, "consul", 0)

--- a/integration/docker_test.go
+++ b/integration/docker_test.go
@@ -129,6 +129,11 @@ func (s *DockerSuite) TestDockerContainersWithLabels(c *check.C) {
 	}
 	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")

+	// Start another container by replacing a '.' by a '-'
+	labels = map[string]string{
+		types.LabelFrontendRule: "Host:my-super.host",
+	}
+	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blablabla")
 	// Start traefik
 	cmd, display := s.traefikCmd(withConfigFile(file))
 	defer display(c)
@@ -138,12 +143,20 @@ func (s *DockerSuite) TestDockerContainersWithLabels(c *check.C) {

 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
 	c.Assert(err, checker.IsNil)
-	req.Host = "my.super.host"
+	req.Host = "my-super.host"

 	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
 	resp, err := try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
 	c.Assert(err, checker.IsNil)

+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "my.super.host"
+
+	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
+	resp, err = try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
+	c.Assert(err, checker.IsNil)
+
 	body, err := ioutil.ReadAll(resp.Body)
 	c.Assert(err, checker.IsNil)

@@ -179,3 +192,40 @@ func (s *DockerSuite) TestDockerContainersWithOneMissingLabels(c *check.C) {
 	err = try.Request(req, 1500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
 }
+
+// TestDockerContainersWithServiceLabels allows cheking the labels behavior
+// Use service label if defined and compete information with container labels.
+func (s *DockerSuite) TestDockerContainersWithServiceLabels(c *check.C) {
+	file := s.adaptFileForHost(c, "fixtures/docker/simple.toml")
+	defer os.Remove(file)
+	// Start a container with some labels
+	labels := map[string]string{
+		types.LabelPrefix + "servicename.frontend.rule": "Host:my.super.host",
+		types.LabelFrontendRule:                         "Host:my.wrong.host",
+		types.LabelPort:                                 "2375",
+	}
+	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")
+
+	// Start traefik
+	cmd, display := s.traefikCmd(withConfigFile(file))
+	defer display(c)
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "my.super.host"
+
+	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
+	resp, err := try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
+	c.Assert(err, checker.IsNil)
+
+	body, err := ioutil.ReadAll(resp.Body)
+	c.Assert(err, checker.IsNil)
+
+	var version map[string]interface{}
+
+	c.Assert(json.Unmarshal(body, &version), checker.IsNil)
+	c.Assert(version["Version"], checker.Equals, "swarm/1.0.0")
+}
--- a/integration/resources/compose/consul_catalog.yml
+++ b/integration/resources/compose/consul_catalog.yml
@@ -1,6 +1,6 @@
 consul:
-  image: progrium/consul
-  command: -server -bootstrap -log-level debug -ui-dir /ui
+  image: consul
+  command: agent -server -bootstrap-expect 1 -client 0.0.0.0 -log-level debug -ui
  ports:
    - "8400:8400"
    - "8500:8500"
@@ -15,3 +15,5 @@ nginx1:
  image: nginx:alpine
 nginx2:
  image: nginx:alpine
+nginx3:
+  image: nginx:alpine
--- a/middlewares/compress.go
+++ b/middlewares/compress.go
@@ -3,6 +3,7 @@ package middlewares
 import (
 	"compress/gzip"
 	"net/http"
+	"strings"

 	"github.com/NYTimes/gziphandler"
 	"github.com/containous/traefik/log"
@@ -13,7 +14,12 @@ type Compress struct{}

 // ServerHTTP is a function used by Negroni
 func (c *Compress) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-	gzipHandler(next).ServeHTTP(rw, r)
+	contentType := r.Header.Get("Content-Type")
+	if strings.HasPrefix(contentType, "application/grpc") {
+		next.ServeHTTP(rw, r)
+	} else {
+		gzipHandler(next).ServeHTTP(rw, r)
+	}
 }

 func gzipHandler(h http.Handler) http.Handler {
--- a/middlewares/compress_test.go
+++ b/middlewares/compress_test.go
@@ -16,6 +16,7 @@ import (
 const (
 	acceptEncodingHeader  = "Accept-Encoding"
 	contentEncodingHeader = "Content-Encoding"
+	contentTypeHeader     = "Content-Type"
 	varyHeader            = "Vary"
 	gzipValue             = "gzip"
 )
@@ -81,6 +82,26 @@ func TestShouldNotCompressWhenNoAcceptEncodingHeader(t *testing.T) {
 	assert.EqualValues(t, rw.Body.Bytes(), fakeBody)
 }

+func TestShouldNotCompressWhenGRPC(t *testing.T) {
+	handler := &Compress{}
+
+	req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost", nil)
+	req.Header.Add(acceptEncodingHeader, gzipValue)
+	req.Header.Add(contentTypeHeader, "application/grpc")
+
+	baseBody := generateBytes(gziphandler.DefaultMinSize)
+	next := func(rw http.ResponseWriter, r *http.Request) {
+		rw.Write(baseBody)
+	}
+
+	rw := httptest.NewRecorder()
+	handler.ServeHTTP(rw, req, next)
+
+	assert.Empty(t, rw.Header().Get(acceptEncodingHeader))
+	assert.Empty(t, rw.Header().Get(contentEncodingHeader))
+	assert.EqualValues(t, rw.Body.Bytes(), baseBody)
+}
+
 func TestIntegrationShouldNotCompress(t *testing.T) {
 	fakeCompressedBody := generateBytes(100000)
 	comp := &Compress{}
@@ -137,6 +158,31 @@ func TestIntegrationShouldNotCompress(t *testing.T) {
 	}
 }

+func TestShouldWriteHeaderWhenFlush(t *testing.T) {
+	comp := &Compress{}
+	negro := negroni.New(comp)
+	negro.UseHandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		rw.Header().Add(contentEncodingHeader, gzipValue)
+		rw.Header().Add(varyHeader, acceptEncodingHeader)
+		rw.WriteHeader(http.StatusUnauthorized)
+		rw.(http.Flusher).Flush()
+		rw.Write([]byte("short"))
+	})
+	ts := httptest.NewServer(negro)
+	defer ts.Close()
+
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	req.Header.Add(acceptEncodingHeader, gzipValue)
+
+	resp, err := http.DefaultClient.Do(req)
+	require.NoError(t, err)
+
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+
+	assert.Equal(t, gzipValue, resp.Header.Get(contentEncodingHeader))
+	assert.Equal(t, acceptEncodingHeader, resp.Header.Get(varyHeader))
+}
+
 func TestIntegrationShouldCompress(t *testing.T) {
 	fakeBody := generateBytes(100000)

--- a/middlewares/headers.go
+++ b/middlewares/headers.go
@@ -3,8 +3,9 @@ package middlewares
 //Middleware based on https://github.com/unrolled/secure

 import (
-	"github.com/containous/traefik/types"
 	"net/http"
+
+	"github.com/containous/traefik/types"
 )

 // HeaderOptions is a struct for specifying configuration options for the headers middleware.
--- a/middlewares/headers_test.go
+++ b/middlewares/headers_test.go
@@ -3,11 +3,12 @@ package middlewares
 //Middleware tests based on https://github.com/unrolled/secure

 import (
-	"github.com/containous/traefik/testhelpers"
-	"github.com/stretchr/testify/assert"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+
+	"github.com/containous/traefik/testhelpers"
+	"github.com/stretchr/testify/assert"
 )

 var myHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
--- a/provider/consul/consul_catalog.go
+++ b/provider/consul/consul_catalog.go
@@ -77,9 +77,14 @@ func (a nodeSorter) Less(i int, j int) bool {
 	return lentr.Service.Port < rentr.Service.Port
 }

-func getChangedServiceKeys(currState map[string]Service, prevState map[string]Service) ([]string, []string) {
-	currKeySet := fun.Set(fun.Keys(currState).([]string)).(map[string]bool)
-	prevKeySet := fun.Set(fun.Keys(prevState).([]string)).(map[string]bool)
+func hasChanged(current map[string]Service, previous map[string]Service) bool {
+	addedServiceKeys, removedServiceKeys := getChangedServiceKeys(current, previous)
+	return len(removedServiceKeys) > 0 || len(addedServiceKeys) > 0 || hasNodeOrTagsChanged(current, previous)
+}
+
+func getChangedServiceKeys(current map[string]Service, previous map[string]Service) ([]string, []string) {
+	currKeySet := fun.Set(fun.Keys(current).([]string)).(map[string]bool)
+	prevKeySet := fun.Set(fun.Keys(previous).([]string)).(map[string]bool)

 	addedKeys := fun.Difference(currKeySet, prevKeySet).(map[string]bool)
 	removedKeys := fun.Difference(prevKeySet, currKeySet).(map[string]bool)
@@ -87,20 +92,23 @@ func getChangedServiceKeys(currState map[string]Service, prevState map[string]Se
 	return fun.Keys(addedKeys).([]string), fun.Keys(removedKeys).([]string)
 }

-func getChangedServiceNodeKeys(currState map[string]Service, prevState map[string]Service) ([]string, []string) {
-	var addedNodeKeys []string
-	var removedNodeKeys []string
-	for key, value := range currState {
-		if prevValue, ok := prevState[key]; ok {
-			addedKeys, removedKeys := getChangedHealthyKeys(value.Nodes, prevValue.Nodes)
-			addedNodeKeys = append(addedKeys)
-			removedNodeKeys = append(removedKeys)
+func hasNodeOrTagsChanged(current map[string]Service, previous map[string]Service) bool {
+	var added []string
+	var removed []string
+	for key, value := range current {
+		if prevValue, ok := previous[key]; ok {
+			addedNodesKeys, removedNodesKeys := getChangedStringKeys(value.Nodes, prevValue.Nodes)
+			added = append(added, addedNodesKeys...)
+			removed = append(removed, removedNodesKeys...)
+			addedTagsKeys, removedTagsKeys := getChangedStringKeys(value.Tags, prevValue.Tags)
+			added = append(added, addedTagsKeys...)
+			removed = append(removed, removedTagsKeys...)
 		}
 	}
-	return addedNodeKeys, removedNodeKeys
+	return len(added) > 0 || len(removed) > 0
 }

-func getChangedHealthyKeys(currState []string, prevState []string) ([]string, []string) {
+func getChangedStringKeys(currState []string, prevState []string) ([]string, []string) {
 	currKeySet := fun.Set(currState).(map[string]bool)
 	prevKeySet := fun.Set(prevState).(map[string]bool)

@@ -163,7 +171,7 @@ func (p *CatalogProvider) watchHealthState(stopCh <-chan struct{}, watchCh chan<
 				// A critical note is that the return of a blocking request is no guarantee of a change.
 				// It is possible that there was an idempotent write that does not affect the result of the query.
 				// Thus it is required to do extra check for changes...
-				addedKeys, removedKeys := getChangedHealthyKeys(current, flashback)
+				addedKeys, removedKeys := getChangedStringKeys(current, flashback)

 				if len(addedKeys) > 0 {
 					log.WithField("DiscoveredServices", addedKeys).Debug("Health State change detected.")
@@ -242,12 +250,7 @@ func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh c
 				// A critical note is that the return of a blocking request is no guarantee of a change.
 				// It is possible that there was an idempotent write that does not affect the result of the query.
 				// Thus it is required to do extra check for changes...
-				addedServiceKeys, removedServiceKeys := getChangedServiceKeys(current, flashback)
-
-				addedServiceNodeKeys, removedServiceNodeKeys := getChangedServiceNodeKeys(current, flashback)
-
-				if len(removedServiceKeys) > 0 || len(removedServiceNodeKeys) > 0 || len(addedServiceKeys) > 0 || len(addedServiceNodeKeys) > 0 {
-					log.WithField("MissingServices", removedServiceKeys).WithField("DiscoveredServices", addedServiceKeys).Debug("Catalog Services change detected.")
+				if hasChanged(current, flashback) {
 					watchCh <- data
 					flashback = current
 				}
@@ -255,6 +258,7 @@ func (p *CatalogProvider) watchCatalogServices(stopCh <-chan struct{}, watchCh c
 		}
 	})
 }
+
 func getServiceIds(services []*api.CatalogService) []string {
 	var serviceIds []string
 	for _, service := range services {
@@ -271,7 +275,6 @@ func (p *CatalogProvider) healthyNodes(service string) (catalogUpdate, error) {
 		log.WithError(err).Errorf("Failed to fetch details of %s", service)
 		return catalogUpdate{}, err
 	}
-
 	nodes := fun.Filter(func(node *api.ServiceEntry) bool {
 		return p.nodeFilter(service, node)
 	}, data).([]*api.ServiceEntry)
--- a/provider/consul/consul_catalog_test.go
+++ b/provider/consul/consul_catalog_test.go
@@ -1,7 +1,6 @@
 package consul

 import (
-	"reflect"
 	"sort"
 	"testing"
 	"text/template"
@@ -21,11 +20,13 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 	}
 	provider.setupFrontEndTemplate()

-	services := []struct {
+	testCases := []struct {
+		desc     string
 		service  serviceUpdate
 		expected string
 	}{
 		{
+			desc: "Should return default host foo.localhost",
 			service: serviceUpdate{
 				ServiceName: "foo",
 				Attributes:  []string{},
@@ -33,6 +34,7 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 			expected: "Host:foo.localhost",
 		},
 		{
+			desc: "Should return host *.example.com",
 			service: serviceUpdate{
 				ServiceName: "foo",
 				Attributes: []string{
@@ -42,6 +44,7 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 			expected: "Host:*.example.com",
 		},
 		{
+			desc: "Should return host foo.example.com",
 			service: serviceUpdate{
 				ServiceName: "foo",
 				Attributes: []string{
@@ -51,6 +54,7 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 			expected: "Host:foo.example.com",
 		},
 		{
+			desc: "Should return path prefix /bar",
 			service: serviceUpdate{
 				ServiceName: "foo",
 				Attributes: []string{
@@ -62,11 +66,14 @@ func TestConsulCatalogGetFrontendRule(t *testing.T) {
 		},
 	}

-	for _, e := range services {
-		actual := provider.getFrontendRule(e.service)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getFrontendRule(test.service)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -76,13 +83,15 @@ func TestConsulCatalogGetTag(t *testing.T) {
 		Prefix: "traefik",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc         string
 		tags         []string
 		key          string
 		defaultValue string
 		expected     string
 	}{
 		{
+			desc: "Should return value of foo.bar key",
 			tags: []string{
 				"foo.bar=random",
 				"traefik.backend.weight=42",
@@ -94,21 +103,17 @@ func TestConsulCatalogGetTag(t *testing.T) {
 		},
 	}

-	actual := provider.hasTag("management", []string{"management"})
-	if !actual {
-		t.Fatalf("expected %v, got %v", true, actual)
-	}
+	assert.Equal(t, true, provider.hasTag("management", []string{"management"}))
+	assert.Equal(t, true, provider.hasTag("management", []string{"management=yes"}))

-	actual = provider.hasTag("management", []string{"management=yes"})
-	if !actual {
-		t.Fatalf("expected %v, got %v", true, actual)
-	}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()

-	for _, e := range services {
-		actual := provider.getTag(e.key, e.tags, e.defaultValue)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+			actual := provider.getTag(test.key, test.tags, test.defaultValue)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -118,13 +123,15 @@ func TestConsulCatalogGetAttribute(t *testing.T) {
 		Prefix: "traefik",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc         string
 		tags         []string
 		key          string
 		defaultValue string
 		expected     string
 	}{
 		{
+			desc: "Should return tag value 42",
 			tags: []string{
 				"foo.bar=ramdom",
 				"traefik.backend.weight=42",
@@ -134,6 +141,7 @@ func TestConsulCatalogGetAttribute(t *testing.T) {
 			expected:     "42",
 		},
 		{
+			desc: "Should return tag default value 0",
 			tags: []string{
 				"foo.bar=ramdom",
 				"traefik.backend.wei=42",
@@ -144,17 +152,16 @@ func TestConsulCatalogGetAttribute(t *testing.T) {
 		},
 	}

-	expected := provider.Prefix + ".foo"
-	actual := provider.getPrefixedName("foo")
-	if actual != expected {
-		t.Fatalf("expected %s, got %s", expected, actual)
-	}
+	assert.Equal(t, provider.Prefix+".foo", provider.getPrefixedName("foo"))

-	for _, e := range services {
-		actual := provider.getAttribute(e.key, e.tags, e.defaultValue)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getAttribute(test.key, test.tags, test.defaultValue)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -164,13 +171,15 @@ func TestConsulCatalogGetAttributeWithEmptyPrefix(t *testing.T) {
 		Prefix: "",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc         string
 		tags         []string
 		key          string
 		defaultValue string
 		expected     string
 	}{
 		{
+			desc: "Should return tag value 42",
 			tags: []string{
 				"foo.bar=ramdom",
 				"backend.weight=42",
@@ -180,6 +189,7 @@ func TestConsulCatalogGetAttributeWithEmptyPrefix(t *testing.T) {
 			expected:     "42",
 		},
 		{
+			desc: "Should return default value 0",
 			tags: []string{
 				"foo.bar=ramdom",
 				"backend.wei=42",
@@ -189,6 +199,7 @@ func TestConsulCatalogGetAttributeWithEmptyPrefix(t *testing.T) {
 			expected:     "0",
 		},
 		{
+			desc: "Should return for.bar key value random",
 			tags: []string{
 				"foo.bar=ramdom",
 				"backend.wei=42",
@@ -199,17 +210,16 @@ func TestConsulCatalogGetAttributeWithEmptyPrefix(t *testing.T) {
 		},
 	}

-	expected := "foo"
-	actual := provider.getPrefixedName("foo")
-	if actual != expected {
-		t.Fatalf("expected %s, got %s", expected, actual)
-	}
+	assert.Equal(t, "foo", provider.getPrefixedName("foo"))

-	for _, e := range services {
-		actual := provider.getAttribute(e.key, e.tags, e.defaultValue)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getAttribute(test.key, test.tags, test.defaultValue)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -219,11 +229,13 @@ func TestConsulCatalogGetBackendAddress(t *testing.T) {
 		Prefix: "traefik",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc     string
 		node     *api.ServiceEntry
 		expected string
 	}{
 		{
+			desc: "Should return the address of the service",
 			node: &api.ServiceEntry{
 				Node: &api.Node{
 					Address: "10.1.0.1",
@@ -235,6 +247,7 @@ func TestConsulCatalogGetBackendAddress(t *testing.T) {
 			expected: "10.2.0.1",
 		},
 		{
+			desc: "Should return the address of the node",
 			node: &api.ServiceEntry{
 				Node: &api.Node{
 					Address: "10.1.0.1",
@@ -247,11 +260,14 @@ func TestConsulCatalogGetBackendAddress(t *testing.T) {
 		},
 	}

-	for _, e := range services {
-		actual := provider.getBackendAddress(e.node)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getBackendAddress(test.node)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -261,11 +277,13 @@ func TestConsulCatalogGetBackendName(t *testing.T) {
 		Prefix: "traefik",
 	}

-	services := []struct {
+	testCases := []struct {
+		desc     string
 		node     *api.ServiceEntry
 		expected string
 	}{
 		{
+			desc: "Should create backend name without tags",
 			node: &api.ServiceEntry{
 				Service: &api.AgentService{
 					Service: "api",
@@ -277,6 +295,7 @@ func TestConsulCatalogGetBackendName(t *testing.T) {
 			expected: "api--10-0-0-1--80--0",
 		},
 		{
+			desc: "Should create backend name with multiple tags",
 			node: &api.ServiceEntry{
 				Service: &api.AgentService{
 					Service: "api",
@@ -288,6 +307,7 @@ func TestConsulCatalogGetBackendName(t *testing.T) {
 			expected: "api--10-0-0-1--80--traefik-weight-42--traefik-enable-true--1",
 		},
 		{
+			desc: "Should create backend name with one tag",
 			node: &api.ServiceEntry{
 				Service: &api.AgentService{
 					Service: "api",
@@ -300,11 +320,15 @@ func TestConsulCatalogGetBackendName(t *testing.T) {
 		},
 	}

-	for i, e := range services {
-		actual := provider.getBackendName(e.node, i)
-		if actual != e.expected {
-			t.Fatalf("expected %s, got %s", e.expected, actual)
-		}
+	for i, test := range testCases {
+		test := test
+		i := i
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := provider.getBackendName(test.node, i)
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -317,17 +341,20 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 		frontEndRuleTemplate: template.New("consul catalog frontend rule"),
 	}

-	cases := []struct {
+	testCases := []struct {
+		desc              string
 		nodes             []catalogUpdate
 		expectedFrontends map[string]*types.Frontend
 		expectedBackends  map[string]*types.Backend
 	}{
 		{
+			desc:              "Should build config of nothing",
 			nodes:             []catalogUpdate{},
 			expectedFrontends: map[string]*types.Frontend{},
 			expectedBackends:  map[string]*types.Backend{},
 		},
 		{
+			desc: "Should build config with no frontend and backend",
 			nodes: []catalogUpdate{
 				{
 					Service: &serviceUpdate{
@@ -339,6 +366,7 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 			expectedBackends:  map[string]*types.Backend{},
 		},
 		{
+			desc: "Should build config who contains one frontend and one backend",
 			nodes: []catalogUpdate{
 				{
 					Service: &serviceUpdate{
@@ -408,28 +436,31 @@ func TestConsulCatalogBuildConfig(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		actualConfig := provider.buildConfig(c.nodes)
-		if !reflect.DeepEqual(actualConfig.Backends, c.expectedBackends) {
-			t.Fatalf("expected %#v, got %#v", c.expectedBackends, actualConfig.Backends)
-		}
-		if !reflect.DeepEqual(actualConfig.Frontends, c.expectedFrontends) {
-			t.Fatalf("expected %#v, got %#v", c.expectedFrontends["frontend-test"].BasicAuth, actualConfig.Frontends["frontend-test"].BasicAuth)
-			t.Fatalf("expected %#v, got %#v", c.expectedFrontends, actualConfig.Frontends)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actualConfig := provider.buildConfig(test.nodes)
+			assert.Equal(t, test.expectedBackends, actualConfig.Backends)
+			assert.Equal(t, test.expectedFrontends, actualConfig.Frontends)
+		})
 	}
 }

 func TestConsulCatalogNodeSorter(t *testing.T) {
-	cases := []struct {
+	testCases := []struct {
+		desc     string
 		nodes    []*api.ServiceEntry
 		expected []*api.ServiceEntry
 	}{
 		{
+			desc:     "Should sort nothing",
 			nodes:    []*api.ServiceEntry{},
 			expected: []*api.ServiceEntry{},
 		},
 		{
+			desc: "Should sort by node address",
 			nodes: []*api.ServiceEntry{
 				{
 					Service: &api.AgentService{
@@ -458,6 +489,7 @@ func TestConsulCatalogNodeSorter(t *testing.T) {
 			},
 		},
 		{
+			desc: "Should sort by service name",
 			nodes: []*api.ServiceEntry{
 				{
 					Service: &api.AgentService{
@@ -552,6 +584,7 @@ func TestConsulCatalogNodeSorter(t *testing.T) {
 			},
 		},
 		{
+			desc: "Should sort by node address",
 			nodes: []*api.ServiceEntry{
 				{
 					Service: &api.AgentService{
@@ -603,12 +636,15 @@ func TestConsulCatalogNodeSorter(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		sort.Sort(nodeSorter(c.nodes))
-		actual := c.nodes
-		if !reflect.DeepEqual(actual, c.expected) {
-			t.Fatalf("expected %q, got %q", c.expected, actual)
-		}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			sort.Sort(nodeSorter(test.nodes))
+			actual := test.nodes
+			assert.Equal(t, test.expected, actual)
+		})
 	}
 }

@@ -623,11 +659,13 @@ func TestConsulCatalogGetChangedKeys(t *testing.T) {
 		removedKeys []string
 	}

-	cases := []struct {
+	testCases := []struct {
+		desc   string
 		input  Input
 		output Output
 	}{
 		{
+			desc: "Should add 0 services and removed 0",
 			input: Input{
 				currState: map[string]Service{
 					"foo-service":    {Name: "v1"},
@@ -668,6 +706,7 @@ func TestConsulCatalogGetChangedKeys(t *testing.T) {
 			},
 		},
 		{
+			desc: "Should add 3 services and removed 0",
 			input: Input{
 				currState: map[string]Service{
 					"foo-service":    {Name: "v1"},
@@ -705,6 +744,7 @@ func TestConsulCatalogGetChangedKeys(t *testing.T) {
 			},
 		},
 		{
+			desc: "Should add 2 services and removed 2",
 			input: Input{
 				currState: map[string]Service{
 					"foo-service":    {Name: "v1"},
@@ -742,21 +782,20 @@ func TestConsulCatalogGetChangedKeys(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		addedKeys, removedKeys := getChangedServiceKeys(c.input.currState, c.input.prevState)
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()

-		if !reflect.DeepEqual(fun.Set(addedKeys), fun.Set(c.output.addedKeys)) {
-			t.Fatalf("Added keys comparison results: got %q, want %q", addedKeys, c.output.addedKeys)
-		}
-
-		if !reflect.DeepEqual(fun.Set(removedKeys), fun.Set(c.output.removedKeys)) {
-			t.Fatalf("Removed keys comparison results: got %q, want %q", removedKeys, c.output.removedKeys)
-		}
+			addedKeys, removedKeys := getChangedServiceKeys(test.input.currState, test.input.prevState)
+			assert.Equal(t, fun.Set(test.output.addedKeys), fun.Set(addedKeys), "Added keys comparison results: got %q, want %q", addedKeys, test.output.addedKeys)
+			assert.Equal(t, fun.Set(test.output.removedKeys), fun.Set(removedKeys), "Removed keys comparison results: got %q, want %q", removedKeys, test.output.removedKeys)
+		})
 	}
 }

 func TestConsulCatalogFilterEnabled(t *testing.T) {
-	cases := []struct {
+	testCases := []struct {
 		desc             string
 		exposedByDefault bool
 		node             *api.ServiceEntry
@@ -842,24 +881,23 @@ func TestConsulCatalogFilterEnabled(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		c := c
-		t.Run(c.desc, func(t *testing.T) {
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			provider := &CatalogProvider{
 				Domain:           "localhost",
 				Prefix:           "traefik",
-				ExposedByDefault: c.exposedByDefault,
-			}
-			if provider.nodeFilter("test", c.node) != c.expected {
-				t.Errorf("got unexpected filtering = %t", !c.expected)
+				ExposedByDefault: test.exposedByDefault,
 			}
+			actual := provider.nodeFilter("test", test.node)
+			assert.Equal(t, test.expected, actual)
 		})
 	}
 }

 func TestConsulCatalogGetBasicAuth(t *testing.T) {
-	cases := []struct {
+	testCases := []struct {
 		desc     string
 		tags     []string
 		expected []string
@@ -878,17 +916,15 @@ func TestConsulCatalogGetBasicAuth(t *testing.T) {
 		},
 	}

-	for _, c := range cases {
-		c := c
-		t.Run(c.desc, func(t *testing.T) {
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			provider := &CatalogProvider{
 				Prefix: "traefik",
 			}
-			actual := provider.getBasicAuth(c.tags)
-			if !reflect.DeepEqual(actual, c.expected) {
-				t.Errorf("actual %q, expected %q", actual, c.expected)
-			}
+			actual := provider.getBasicAuth(test.tags)
+			assert.Equal(t, test.expected, actual)
 		})
 	}
 }
@@ -930,7 +966,276 @@ func TestConsulCatalogHasStickinessLabel(t *testing.T) {
 			t.Parallel()

 			actual := provider.hasStickinessLabel(test.tags)
-			assert.Equal(t, actual, test.expected)
+			assert.Equal(t, test.expected, actual)
+		})
+	}
+}
+
+func TestConsulCatalogGetChangedStringKeys(t *testing.T) {
+	testCases := []struct {
+		desc            string
+		current         []string
+		previous        []string
+		expectedAdded   []string
+		expectedRemoved []string
+	}{
+		{
+			desc:            "1 element added, 0 removed",
+			current:         []string{"chou"},
+			previous:        []string{},
+			expectedAdded:   []string{"chou"},
+			expectedRemoved: []string{},
+		}, {
+			desc:            "0 element added, 0 removed",
+			current:         []string{"chou"},
+			previous:        []string{"chou"},
+			expectedAdded:   []string{},
+			expectedRemoved: []string{},
+		},
+		{
+			desc:            "0 element added, 1 removed",
+			current:         []string{},
+			previous:        []string{"chou"},
+			expectedAdded:   []string{},
+			expectedRemoved: []string{"chou"},
+		},
+		{
+			desc:            "1 element added, 1 removed",
+			current:         []string{"carotte"},
+			previous:        []string{"chou"},
+			expectedAdded:   []string{"carotte"},
+			expectedRemoved: []string{"chou"},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actualAdded, actualRemoved := getChangedStringKeys(test.current, test.previous)
+			assert.Equal(t, test.expectedAdded, actualAdded)
+			assert.Equal(t, test.expectedRemoved, actualRemoved)
+		})
+	}
+}
+
+func TestConsulCatalogHasNodeOrTagschanged(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		current  map[string]Service
+		previous map[string]Service
+		expected bool
+	}{
+		{
+			desc: "Change detected due to change of nodes",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node2"},
+					Tags:  []string{},
+				},
+			},
+			expected: true,
+		},
+		{
+			desc:    "No change missing current service",
+			current: make(map[string]Service),
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "No change on nodes",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "No change on nodes and tags",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Change detected con tags",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo"},
+				},
+			},
+			expected: true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := hasNodeOrTagsChanged(test.current, test.previous)
+			assert.Equal(t, test.expected, actual)
+		})
+	}
+}
+
+func TestConsulCatalogHasChanged(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		current  map[string]Service
+		previous map[string]Service
+		expected bool
+	}{
+		{
+			desc: "Change detected due to change new service",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: make(map[string]Service),
+			expected: true,
+		},
+		{
+			desc:    "Change detected due to change service removed",
+			current: make(map[string]Service),
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			expected: true,
+		},
+		{
+			desc: "Change detected due to change of nodes",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node2"},
+					Tags:  []string{},
+				},
+			},
+			expected: true,
+		},
+		{
+			desc: "No change on nodes",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "No change on nodes and tags",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Change detected on tags",
+			current: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo=bar"},
+				},
+			},
+			previous: map[string]Service{
+				"foo-service": {
+					Name:  "foo",
+					Nodes: []string{"node1"},
+					Tags:  []string{"foo"},
+				},
+			},
+			expected: true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			actual := hasChanged(test.current, test.previous)
+			assert.Equal(t, test.expected, actual)
 		})
 	}
 }
--- a/provider/docker/docker.go
+++ b/provider/docker/docker.go
@@ -29,6 +29,7 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/docker/go-connections/nat"
 	"github.com/docker/go-connections/sockets"
+	"github.com/pkg/errors"
 )

 const (
@@ -301,8 +302,8 @@ func (p *Provider) loadDockerConfig(containersInspected []dockerData) *types.Con
 	frontends := map[string][]dockerData{}
 	backends := map[string]dockerData{}
 	servers := map[string][]dockerData{}
-	for _, container := range filteredContainers {
-		frontendName := p.getFrontendName(container)
+	for idx, container := range filteredContainers {
+		frontendName := p.getFrontendName(container, idx)
 		frontends[frontendName] = append(frontends[frontendName], container)
 		backendName := p.getBackend(container)
 		backends[backendName] = container
@@ -517,9 +518,16 @@ func (p *Provider) getMaxConnExtractorFunc(container dockerData) string {
 }

 func (p *Provider) containerFilter(container dockerData) bool {
-	_, err := strconv.Atoi(container.Labels[types.LabelPort])
+	var err error
+	portLabel := "traefik.port label"
+	if p.hasServices(container) {
+		portLabel = "traefik.<serviceName>.port or " + portLabel + "s"
+		err = checkServiceLabelPort(container)
+	} else {
+		_, err = strconv.Atoi(container.Labels[types.LabelPort])
+	}
 	if len(container.NetworkSettings.Ports) == 0 && err != nil {
-		log.Debugf("Filtering container without port and no traefik.port label %s", container.Name)
+		log.Debugf("Filtering container without port and no %s %s : %s", portLabel, container.Name, err.Error())
 		return false
 	}

@@ -549,9 +557,46 @@ func (p *Provider) containerFilter(container dockerData) bool {
 	return true
 }

-func (p *Provider) getFrontendName(container dockerData) string {
+// checkServiceLabelPort checks if all service names have a port service label
+// or if port container label exists for default value
+func checkServiceLabelPort(container dockerData) error {
+	// If port container label is present, there is a default values for all ports, use it for the check
+	_, err := strconv.Atoi(container.Labels[types.LabelPort])
+	if err != nil {
+		serviceLabelPorts := make(map[string]struct{})
+		serviceLabels := make(map[string]struct{})
+		portRegexp := regexp.MustCompile(`^traefik\.(?P<service_name>.+?)\.port$`)
+		for label := range container.Labels {
+			// Get all port service labels
+			portLabel := portRegexp.FindStringSubmatch(label)
+			if portLabel != nil && len(portLabel) > 0 {
+				serviceLabelPorts[portLabel[0]] = struct{}{}
+			}
+			// Get only one instance of all service names from service labels
+			servicesLabelNames := servicesPropertiesRegexp.FindStringSubmatch(label)
+			if servicesLabelNames != nil && len(servicesLabelNames) > 0 {
+				serviceLabels[strings.Split(servicesLabelNames[0], ".")[1]] = struct{}{}
+			}
+		}
+		// If the number of service labels is different than the number of port services label
+		// there is an error
+		if len(serviceLabels) == len(serviceLabelPorts) {
+			for labelPort := range serviceLabelPorts {
+				_, err = strconv.Atoi(container.Labels[labelPort])
+				if err != nil {
+					break
+				}
+			}
+		} else {
+			err = errors.New("Port service labels missing, please use traefik.port as default value or define all port service labels")
+		}
+	}
+	return err
+}
+
+func (p *Provider) getFrontendName(container dockerData, idx int) string {
 	// Replace '.' with '-' in quoted keys because of this issue https://github.com/BurntSushi/toml/issues/78
-	return provider.Normalize(p.getFrontendRule(container))
+	return provider.Normalize(p.getFrontendRule(container) + "-" + strconv.Itoa(idx))
 }

 // GetFrontendRule returns the frontend rule for the specified container, using
@@ -594,10 +639,25 @@ func (p *Provider) getIPAddress(container dockerData) string {

 	// If net==host, quick n' dirty, we return 127.0.0.1
 	// This will work locally, but will fail with swarm.
-	if "host" == container.NetworkSettings.NetworkMode {
+	if container.NetworkSettings.NetworkMode.IsHost() {
 		return "127.0.0.1"
 	}

+	if container.NetworkSettings.NetworkMode.IsContainer() {
+		dockerClient, err := p.createClient()
+		if err != nil {
+			log.Warnf("Unable to get IP address for container %s, error: %s", container.Name, err)
+			return ""
+		}
+		ctx := context.Background()
+		containerInspected, err := dockerClient.ContainerInspect(ctx, container.NetworkSettings.NetworkMode.ConnectedContainer())
+		if err != nil {
+			log.Warnf("Unable to get IP address for container %s : Failed to inspect container ID %s, error: %s", container.Name, container.NetworkSettings.NetworkMode.ConnectedContainer(), err)
+			return ""
+		}
+		return p.getIPAddress(parseContainer(containerInspected))
+	}
+
 	if p.UseBindPortIP {
 		port := p.getPort(container)
 		for netport, portBindings := range container.NetworkSettings.Ports {
--- a/provider/docker/docker_test.go
+++ b/provider/docker/docker_test.go
@@ -20,38 +20,38 @@ func TestDockerGetFrontendName(t *testing.T) {
 	}{
 		{
 			container: containerJSON(name("foo")),
-			expected:  "Host-foo-docker-localhost",
+			expected:  "Host-foo-docker-localhost-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelFrontendRule: "Headers:User-Agent,bat/0.1.0",
 			})),
-			expected: "Headers-User-Agent-bat-0-1-0",
+			expected: "Headers-User-Agent-bat-0-1-0-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				"com.docker.compose.project": "foo",
 				"com.docker.compose.service": "bar",
 			})),
-			expected: "Host-bar-foo-docker-localhost",
+			expected: "Host-bar-foo-docker-localhost-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelFrontendRule: "Host:foo.bar",
 			})),
-			expected: "Host-foo-bar",
+			expected: "Host-foo-bar-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelFrontendRule: "Path:/test",
 			})),
-			expected: "Path-test",
+			expected: "Path-test-0",
 		},
 		{
 			container: containerJSON(labels(map[string]string{
 				types.LabelFrontendRule: "PathPrefix:/test2",
 			})),
-			expected: "PathPrefix-test2",
+			expected: "PathPrefix-test2-0",
 		},
 	}

@@ -63,7 +63,7 @@ func TestDockerGetFrontendName(t *testing.T) {
 			provider := &Provider{
 				Domain: "docker.localhost",
 			}
-			actual := provider.getFrontendName(dockerData)
+			actual := provider.getFrontendName(dockerData, 0)
 			if actual != e.expected {
 				t.Errorf("expected %q, got %q", e.expected, actual)
 			}
@@ -884,13 +884,13 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test-docker-localhost": {
+				"frontend-Host-test-docker-localhost-0": {
 					Backend:        "backend-test",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test-docker-localhost": {
+						"route-frontend-Host-test-docker-localhost-0": {
 							Rule: "Host:test.docker.localhost",
 						},
 					},
@@ -934,24 +934,24 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test1-docker-localhost": {
+				"frontend-Host-test1-docker-localhost-0": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{"http", "https"},
 					BasicAuth:      []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test1-docker-localhost": {
+						"route-frontend-Host-test1-docker-localhost-0": {
 							Rule: "Host:test1.docker.localhost",
 						},
 					},
 				},
-				"frontend-Host-test2-docker-localhost": {
+				"frontend-Host-test2-docker-localhost-1": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test2-docker-localhost": {
+						"route-frontend-Host-test2-docker-localhost-1": {
 							Rule: "Host:test2.docker.localhost",
 						},
 					},
@@ -992,13 +992,13 @@ func TestDockerLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test1-docker-localhost": {
+				"frontend-Host-test1-docker-localhost-0": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{"http", "https"},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test1-docker-localhost": {
+						"route-frontend-Host-test1-docker-localhost-0": {
 							Rule: "Host:test1.docker.localhost",
 						},
 					},
@@ -1091,3 +1091,53 @@ func TestDockerHasStickinessLabel(t *testing.T) {
 		})
 	}
 }
+
+func TestDockerCheckPortLabels(t *testing.T) {
+	testCases := []struct {
+		container     docker.ContainerJSON
+		expectedError bool
+	}{
+		{
+			container: containerJSON(labels(map[string]string{
+				types.LabelPort: "80",
+			})),
+			expectedError: false,
+		},
+		{
+			container: containerJSON(labels(map[string]string{
+				types.LabelPrefix + "servicename.protocol": "http",
+				types.LabelPrefix + "servicename.port":     "80",
+			})),
+			expectedError: false,
+		},
+		{
+			container: containerJSON(labels(map[string]string{
+				types.LabelPrefix + "servicename.protocol": "http",
+				types.LabelPort:                            "80",
+			})),
+			expectedError: false,
+		},
+		{
+			container: containerJSON(labels(map[string]string{
+				types.LabelPrefix + "servicename.protocol": "http",
+			})),
+			expectedError: true,
+		},
+	}
+
+	for containerID, test := range testCases {
+		test := test
+		t.Run(strconv.Itoa(containerID), func(t *testing.T) {
+			t.Parallel()
+
+			dockerData := parseContainer(test.container)
+			err := checkServiceLabelPort(dockerData)
+
+			if test.expectedError && err == nil {
+				t.Error("expected an error but got nil")
+			} else if !test.expectedError && err != nil {
+				t.Errorf("expected no error, got %q", err)
+			}
+		})
+	}
+}
--- a/provider/docker/service_test.go
+++ b/provider/docker/service_test.go
@@ -356,7 +356,7 @@ func TestDockerLoadDockerServiceConfig(t *testing.T) {
 			expectedBackends: map[string]*types.Backend{
 				"backend-foo-service": {
 					Servers: map[string]types.Server{
-						"service": {
+						"service-0": {
 							URL:    "http://127.0.0.1:2503",
 							Weight: 0,
 						},
@@ -426,7 +426,7 @@ func TestDockerLoadDockerServiceConfig(t *testing.T) {
 			expectedBackends: map[string]*types.Backend{
 				"backend-foobar": {
 					Servers: map[string]types.Server{
-						"service": {
+						"service-0": {
 							URL:    "https://127.0.0.1:2503",
 							Weight: 80,
 						},
@@ -435,7 +435,7 @@ func TestDockerLoadDockerServiceConfig(t *testing.T) {
 				},
 				"backend-test2-anotherservice": {
 					Servers: map[string]types.Server{
-						"service": {
+						"service-0": {
 							URL:    "http://127.0.0.1:8079",
 							Weight: 33,
 						},
--- a/provider/docker/swarm_test.go
+++ b/provider/docker/swarm_test.go
@@ -23,28 +23,28 @@ func TestSwarmGetFrontendName(t *testing.T) {
 	}{
 		{
 			service:  swarmService(serviceName("foo")),
-			expected: "Host-foo-docker-localhost",
+			expected: "Host-foo-docker-localhost-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 		{
 			service: swarmService(serviceLabels(map[string]string{
 				types.LabelFrontendRule: "Headers:User-Agent,bat/0.1.0",
 			})),
-			expected: "Headers-User-Agent-bat-0-1-0",
+			expected: "Headers-User-Agent-bat-0-1-0-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 		{
 			service: swarmService(serviceLabels(map[string]string{
 				types.LabelFrontendRule: "Host:foo.bar",
 			})),
-			expected: "Host-foo-bar",
+			expected: "Host-foo-bar-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 		{
 			service: swarmService(serviceLabels(map[string]string{
 				types.LabelFrontendRule: "Path:/test",
 			})),
-			expected: "Path-test",
+			expected: "Path-test-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 		{
@@ -54,7 +54,7 @@ func TestSwarmGetFrontendName(t *testing.T) {
 					types.LabelFrontendRule: "PathPrefix:/test2",
 				}),
 			),
-			expected: "PathPrefix-test2",
+			expected: "PathPrefix-test2-0",
 			networks: map[string]*docker.NetworkResource{},
 		},
 	}
@@ -68,7 +68,7 @@ func TestSwarmGetFrontendName(t *testing.T) {
 				Domain:    "docker.localhost",
 				SwarmMode: true,
 			}
-			actual := provider.getFrontendName(dockerData)
+			actual := provider.getFrontendName(dockerData, 0)
 			if actual != e.expected {
 				t.Errorf("expected %q, got %q", e.expected, actual)
 			}
@@ -660,13 +660,13 @@ func TestSwarmLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test-docker-localhost": {
+				"frontend-Host-test-docker-localhost-0": {
 					Backend:        "backend-test",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test-docker-localhost": {
+						"route-frontend-Host-test-docker-localhost-0": {
 							Rule: "Host:test.docker.localhost",
 						},
 					},
@@ -714,24 +714,24 @@ func TestSwarmLoadDockerConfig(t *testing.T) {
 				),
 			},
 			expectedFrontends: map[string]*types.Frontend{
-				"frontend-Host-test1-docker-localhost": {
+				"frontend-Host-test1-docker-localhost-0": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{"http", "https"},
 					BasicAuth:      []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test1-docker-localhost": {
+						"route-frontend-Host-test1-docker-localhost-0": {
 							Rule: "Host:test1.docker.localhost",
 						},
 					},
 				},
-				"frontend-Host-test2-docker-localhost": {
+				"frontend-Host-test2-docker-localhost-1": {
 					Backend:        "backend-foobar",
 					PassHostHeader: true,
 					EntryPoints:    []string{},
 					BasicAuth:      []string{},
 					Routes: map[string]types.Route{
-						"route-frontend-Host-test2-docker-localhost": {
+						"route-frontend-Host-test2-docker-localhost-1": {
 							Rule: "Host:test2.docker.localhost",
 						},
 					},
--- a/provider/kv/kv.go
+++ b/provider/kv/kv.go
@@ -102,7 +102,7 @@ func (p *Provider) watchKv(configurationChan chan<- types.ConfigMessage, prefix
 func (p *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *safe.Pool, constraints types.Constraints) error {
 	p.Constraints = append(p.Constraints, constraints...)
 	operation := func() error {
-		if _, err := p.kvclient.Exists("qmslkjdfmqlskdjfmqlksjazçueznbvbwzlkajzebvkwjdcqmlsfj"); err != nil {
+		if _, err := p.kvclient.Exists(p.Prefix + "/qmslkjdfmqlskdjfmqlksjazçueznbvbwzlkajzebvkwjdcqmlsfj"); err != nil {
 			return fmt.Errorf("Failed to test KV store connection: %v", err)
 		}
 		if p.Watch {
--- a/provider/marathon/marathon_test.go
+++ b/provider/marathon/marathon_test.go
@@ -93,7 +93,9 @@ func TestMarathonLoadConfigNonAPIErrors(t *testing.T) {
 					},
 				},
 			},
-			expectedBackends: nil,
+			expectedBackends: map[string]*types.Backend{
+				"backend-app": {},
+			},
 		},
 		{
 			desc: "load balancer / circuit breaker labels",
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
 mkdocs==0.16.3
 pymdown-extensions>=1.4
 mkdocs-bootswatch>=0.4.0
-mkdocs-material>=1.8.1
+mkdocs-material==1.12.2
--- a/script/crossbinary-default
+++ b/script/crossbinary-default
@@ -24,13 +24,17 @@ GIT_REPO_URL='github.com/containous/traefik/version'
 GO_BUILD_CMD="go build -ldflags"
 GO_BUILD_OPT="-s -w -X ${GIT_REPO_URL}.Version=${VERSION} -X ${GIT_REPO_URL}.Codename=${CODENAME} -X ${GIT_REPO_URL}.BuildDate=${DATE}"

-# Build 386 amd64 binaries
+# Build amd64 binaries
 OS_PLATFORM_ARG=(linux windows darwin)
 OS_ARCH_ARG=(amd64)
 for OS in ${OS_PLATFORM_ARG[@]}; do
+  BIN_EXT=''
+  if [ "$OS" == "windows" ]; then
+    BIN_EXT='.exe'
+  fi
  for ARCH in ${OS_ARCH_ARG[@]}; do
    echo "Building binary for ${OS}/${ARCH}..."
-    GOARCH=${ARCH} GOOS=${OS} CGO_ENABLED=0 ${GO_BUILD_CMD} "${GO_BUILD_OPT}" -o "dist/traefik_${OS}-${ARCH}" ./cmd/traefik/
+    GOARCH=${ARCH} GOOS=${OS} CGO_ENABLED=0 ${GO_BUILD_CMD} "${GO_BUILD_OPT}" -o "dist/traefik_${OS}-${ARCH}${BIN_EXT}" ./cmd/traefik/
  done
 done

--- a/script/crossbinary-others
+++ b/script/crossbinary-others
@@ -28,9 +28,13 @@ GO_BUILD_OPT="-s -w -X ${GIT_REPO_URL}.Version=${VERSION} -X ${GIT_REPO_URL}.Cod
 OS_PLATFORM_ARG=(linux windows darwin)
 OS_ARCH_ARG=(386)
 for OS in ${OS_PLATFORM_ARG[@]}; do
+  BIN_EXT=''
+  if [ "$OS" == "windows" ]; then
+    BIN_EXT='.exe'
+  fi
  for ARCH in ${OS_ARCH_ARG[@]}; do
-    echo "Building binary for $OS/$ARCH..."
-    GOARCH=${ARCH} GOOS=${OS} CGO_ENABLED=0 ${GO_BUILD_CMD} "$GO_BUILD_OPT" -o "dist/traefik_$OS-$ARCH" ./cmd/traefik/
+    echo "Building binary for ${OS}/${ARCH}..."
+    GOARCH=${ARCH} GOOS=${OS} CGO_ENABLED=0 ${GO_BUILD_CMD} "${GO_BUILD_OPT}" -o "dist/traefik_${OS}-${ARCH}${BIN_EXT}" ./cmd/traefik/
  done
 done

--- a/templates/docker.tmpl
+++ b/templates/docker.tmpl
@@ -26,7 +26,7 @@
    {{if hasServices $server}}
      {{$services := getServiceNames $server}}
      {{range $serviceIndex, $serviceName := $services}}
-      [backends.backend-{{getServiceBackend $server $serviceName}}.servers.service]
+      [backends.backend-{{getServiceBackend $server $serviceName}}.servers.service-{{$serverName}}]
      url = "{{getServiceProtocol $server $serviceName}}://{{getIPAddress $server}}:{{getServicePort $server $serviceName}}"
      weight = {{getServiceWeight $server $serviceName}}
      {{end}}
--- a/templates/marathon.tmpl
+++ b/templates/marathon.tmpl
@@ -12,6 +12,7 @@

 {{range $app := $apps}}
 {{range $serviceIndex, $serviceName := getServiceNames $app}}
+[backends."backend{{getBackend $app $serviceName }}"]
 {{ if hasMaxConnLabels $app }}
      [backends."backend{{getBackend $app $serviceName }}".maxconn]
        amount = {{getMaxConnAmount $app }}
--- a/vendor/github.com/NYTimes/gziphandler/gzip.go
+++ b/vendor/github.com/NYTimes/gziphandler/gzip.go
@@ -150,7 +150,9 @@ func (w *GzipResponseWriter) startGzip() error {

 // WriteHeader just saves the response code until close or GZIP effective writes.
 func (w *GzipResponseWriter) WriteHeader(code int) {
-	w.code = code
+	if w.code == 0 {
+		w.code = code
+	}
 }

 // init graps a new gzip writer from the gzipWriterPool and writes the correct
@@ -190,10 +192,16 @@ func (w *GzipResponseWriter) Close() error {
 // http.ResponseWriter if it is an http.Flusher. This makes GzipResponseWriter
 // an http.Flusher.
 func (w *GzipResponseWriter) Flush() {
-	if w.gw != nil {
-		w.gw.Flush()
+	if w.gw == nil {
+		// Only flush once startGzip has been called.
+		//
+		// Flush is thus a no-op until the written body
+		// exceeds minSize.
+		return
 	}

+	w.gw.Flush()
+
 	if fw, ok := w.ResponseWriter.(http.Flusher); ok {
 		fw.Flush()
 	}
Author	SHA1	Message	Date
NicoMen	77b111702b	Prepare release v1.4.3	2017-11-14 12:06:03 +01:00
NicoMen	96a7cc483f	Add Traefik prefix to the KV key	2017-11-14 11:38:03 +01:00
Ludovic Fernandez	1e3506848a	Flush and errorcode	2017-11-14 11:16:03 +01:00
Michael	5ee2cae85c	Fix Traefik reload if Consul Catalog tags change	2017-11-13 12:14:02 +01:00
Ludovic Fernandez	5c119fe2d6	Exclude GRPC from compress	2017-11-10 14:12:02 +01:00
Ivan Rogov	2f62ec3632	Link corrected	2017-11-09 15:54:04 +01:00
Levi Blaney	56affb90ae	Add secret creation to docs for kubernetes backend	2017-11-09 10:52:03 +01:00
SALLEYRON Julien	9bd0fff319	Keep status when stream mode and compress	2017-11-09 00:48:03 +01:00
Jan Collijs	58a438167b	Minor fix for docker volume vs created directory	2017-11-08 15:12:03 +01:00
Tom Saleeba	bc8d68bd31	docs: fix some typos	2017-11-07 11:50:03 +01:00
Bernhard Millauer	70812c70fc	Postfix windows binaries with .exe	2017-11-03 17:02:14 +01:00
Ludovic Fernandez	0347537f43	Freeze version of mkdocs-material.	2017-11-02 14:38:03 +01:00
Ludovic Fernandez	db9b18f121	Prepare release v1.4.2	2017-11-02 12:28:03 +01:00
Jim Hribar	fc4d670c88	Minor grammar change	2017-11-02 10:38:03 +01:00
Alex Antonov	02035d4942	Missing Backend key in configuration when application has no tasks	2017-11-01 11:26:03 +01:00
Ludovic Fernandez	d3c7681bc5	New PR template	2017-10-30 16:38:03 +01:00
NicoMen	dc66db4abe	Make the traefik.port label optional when using service labels in Docker containers.	2017-10-30 15:10:05 +01:00
NicoMen	a0e1cf8376	Fix IP address when Docker container network mode is container	2017-10-30 14:36:04 +01:00
Daniel König	5292b84f4f	fixed dead link in kubernetes backend config docs	2017-10-30 14:04:03 +01:00
burningTyger	b27455a36f	entrypoints -> entryPoints	2017-10-30 13:20:03 +01:00
NicoMen	da7b6f0baf	Make frontend names differents for similar routes	2017-10-30 12:06:03 +01:00
Simon Elsbrock	9b5845f1cb	Fix datastore corruption on reload due to shrinking config size	2017-10-30 11:22:04 +01:00
Erwin de Keijzer	1b2cb53d4f	Fix the k8s docs example deployment yaml	2017-10-25 16:58:04 +02:00
Ludovic Fernandez	3158e51c62	Remove hardcoded runtime.GOMAXPROCS.	2017-10-25 16:16:02 +02:00
NicoMen	f0371da838	Add unique ID to Docker services replicas	2017-10-25 10:00:03 +02:00